Contenuti

• la strutturazione dei controlli in famiglie
• i controlli minimi richiesti (minimum baseline) security controls)
• gli esempi di information security program per tipologia di azienda;
• i security control nell’ambiente esterno
• il processo di assurance dell’efficacia dei security controls
• i commitment e control baseline.

• definizione di u approccio alla gestione dei rischi;
• classificazione dei sistemi sulla base dei Federal Information Processing standard (FIPS) 199;
• personalizzazione delle minimum baseline security controls;
• adozione di controlli ulteriori sulla base dei rischi evidenziati;
• aggiornamento dei controlli come parte del processo continuo di miglioramento.

Classificazione dei controlli

1. AC, Access Control, Technical
2. AT, Awareness and Training, Operational
3. AU, Audit and Accountability, Technical
4. CA, Certification, Accreditation and Security Assessments, Management
5. CM, Configuration Management, Operational
6. CP, Contingency Planning, Operational
7. IA, Identification and Authentication, Technical
8. IR, Incident Response, Operational
9. MA, Maintenance, Operational
10. MP, Media Protection, Operational
11. PE, Physical and Environmental Protection, Operational
12. PL, Planning, Management
13. PS, Personnel Security, Operational
14. RA, Risk Assessment, Management
15. SA, System and Services Acquisition, Management
16. SC, System and Communications Protection, Technical
17. SI, System and Information Integrity, Operational

Indice del documento

• Chapter one introduction
• 1.1 Purpose and applicability
• 1.2 Target audience
• 1.3 Relationship to other security control publications
• 1.4 Organizational responsibilities
• 1.5 Organization of this special publication
• Chapter two the fundamentals
• 2.1 Security control organization and structure
• 2.2 Security control baselines
• 2.3 Common security controls
• 2.4 Security controls in external environments
• 2.5 Security control assurance
• 2.6 Revisions and extensions
• Chapter three the process
• 3.1 Managing risk
• 3.2 Security categorization
• 3.3 Selecting and tailoring the initial baseline
• 3.4 Supplementing the tailored baseline
• 3.5 Updating security controls
• Appendix a References
• Appendix b Glossary
• Appendix c Acronyms
• Appendix d Minimum security controls – summary
• Appendix e Minimum assurance requirements
• Appendix f Security control catalog
• Appendix g Security control mappings
• Appendix h Standards and guidance mappings
• Appendix i Industrial control systems

IsacaRoma Newsletter link