Joint task force transformation initiative






SI-16 MEMORY PROTECTION


Control: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Supplemental Guidance: Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Related controls: AC-25, SC-3.
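As an added example (not part of SP 800-53 or the Joint Task Force text), a small Python audit that checks whether a Linux ELF binary carries the two safeguards the guidance names: a non-executable stack (data execution prevention, recorded in the PT_GNU_STACK program header) and a position-independent image (the precondition for ASLR of the main executable). It parses the ELF headers with the standard library only; the sample image and the names check_elf and build_sample are constructed for this example.

```python
"""Audit an ELF image for SI-16 safeguards: NX stack and PIE (needed for ASLR)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that records stack permissions
PF_X = 0x1                  # segment flag: executable
ET_DYN = 3                  # e_type of a position-independent executable
ET_EXEC = 2                 # e_type of a fixed-address executable (no ASLR of image)

def check_elf(data: bytes) -> dict:
    """Return {'nx': bool, 'pie': bool} for the ELF image in `data`.
    nx is True only when a PT_GNU_STACK header is present without PF_X;
    a missing header means the loader falls back to an executable stack."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:   # e_type, skip to e_phoff, skip to e_phentsize/e_phnum
        e_type, e_phoff, e_phentsize, e_phnum = struct.unpack_from(endian + "H14xQ14xHH", data, 16)
        flags_off = 4                        # p_flags follows p_type in Elf64_Phdr
    else:
        e_type, e_phoff, e_phentsize, e_phnum = struct.unpack_from(endian + "H10xI10xHH", data, 16)
        flags_off = 24                       # p_flags is the 7th word in Elf32_Phdr
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(endian + "I", data, off)
        p_flags, = struct.unpack_from(endian + "I", data, off + flags_off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}

def build_sample(executable_stack: bool, pie: bool) -> bytes:
    """Constructed minimal ELF64 little-endian image with one PT_GNU_STACK
    header; not a runnable program, only enough header for the audit."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)          # 64-bit, LE, version 1
    e_type = ET_DYN if pie else ET_EXEC
    # e_machine 0x3E = x86-64, e_phoff = 64, e_ehsize = 64, e_phentsize = 56, e_phnum = 1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = 0x6 | (PF_X if executable_stack else 0)           # RW, optionally +X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return header + phdr

if __name__ == "__main__":
    # Usage: python audit_elf.py /path/to/binary  (defaults to the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(False, True)
    print(check_elf(image))
```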

Control Enhancements: None.

References: None.

Priority and Baseline Allocation: P1 | LOW Not Selected | MOD SI-16 | HIGH SI-16



SI-17 FAIL-SAFE PROCEDURES


Control: The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].

Supplemental Guidance: Failure conditions include, for example, loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include, for example, alerting operator personnel and providing specific instructions on subsequent steps to take (e.g., do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel). Related controls: CP-12, CP-13, SC-24, SI-13.

Control Enhancements: None.

References: None.

Priority and Baseline Allocation: P0 | LOW Not Selected | MOD Not Selected | HIGH Not Selected





APPENDIX G

INFORMATION SECURITY PROGRAMS


ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS

The Federal Information Security Management Act (FISMA) requires organizations to develop and implement an organization-wide information security program to address information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source. The information security program management (PM) controls described in this appendix are typically implemented at the organization level and not directed at individual organizational information systems. The program management controls have been designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. The controls are independent of any FIPS Publication 200 impact levels and therefore are not directly associated with any of the security control baselines described in Appendix D. The program management controls do, however, complement the security controls in Appendix F and focus on the programmatic, organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs. Tailoring guidance can be applied to the program management controls in a manner similar to how the guidance is applied to security controls in Appendix F. Organizations specify the individual or individuals responsible and accountable for the development, implementation, assessment, authorization, and monitoring of the program management controls. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.

In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization, in a central repository, to document all security controls from Appendix F that have been designated as common controls (i.e., security controls inheritable by organizational information systems). The information security program management controls and common controls contained in the information security program plan are implemented, assessed for effectiveness, and authorized by a senior organizational official, with the same or similar authority and responsibility for managing risk as the authorization officials for information systems. Plans of action and milestones are developed and maintained for the program management and common controls that are deemed through assessment to be less than effective. Information security program management and common controls are also subject to the same continuous monitoring requirements as security controls employed in individual organizational information systems.



Table G-1 provides a summary of the security controls in the program management family from Appendix G. Organizations can use the recommended priority code designation associated with each program management control to assist in making sequencing decisions for implementation (i.e., a Priority Code 1 [P1] control has a higher priority for implementation than a Priority Code 2 [P2] control, and a Priority Code 2 [P2] control has a higher priority for implementation than a Priority Code 3 [P3] control).

TABLE G-1: PROGRAM MANAGEMENT CONTROLS

CNTL NO. | CONTROL NAME | PRIORITY
PM-1  | Information Security Program Plan              | P1
PM-2  | Senior Information Security Officer            | P1
PM-3  | Information Security Resources                 | P1
PM-4  | Plan of Action and Milestones Process          | P1
PM-5  | Information System Inventory                   | P1
PM-6  | Information Security Measures of Performance   | P1
PM-7  | Enterprise Architecture                        | P1
PM-8  | Critical Infrastructure Plan                   | P1
PM-9  | Risk Management Strategy                       | P1
PM-10 | Security Authorization Process                 | P1
PM-11 | Mission/Business Process Definition            | P1
PM-12 | Insider Threat Program                         | P1
PM-13 | Information Security Workforce                 | P1
PM-14 | Testing, Training, and Monitoring              | P1
PM-15 | Contacts with Security Groups and Associations | P3
PM-16 | Threat Awareness Program                       | P1

Initial control baselines (LOW, MOD, HIGH), for every PM control above: Deployed organization-wide. Supporting information security program. Not associated with security control baselines. Independent of any system impact level.



Cautionary Note

Organizations are required to implement security program management controls to provide a foundation for the organizational information security program. The successful implementation of security controls for organizational information systems depends on the successful implementation of organization-wide program management controls. However, the manner in which organizations implement the program management controls depends on specific organizational characteristics including, for example, the size, complexity, and mission/business requirements of the respective organizations.





