Recommended Security Controls for Federal Information Systems and Organizations


[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]


NIST SP 800-53, Revision 3

Introduction

The Need For Security Controls to Protect Information and Information Systems

The selection and implementation of appropriate security controls for an information system or a system-of-systems are important tasks that can have major implications for the operations and assets of an organization, as well as for the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?

- Have the selected security controls been implemented or is there a realistic plan for their implementation?

- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?

The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization: one that identifies risks arising from its information and information systems, mitigates them as deemed necessary, and monitors them on an ongoing basis. The security controls defined in this publication and recommended for use by organizations in protecting their information systems should be employed in conjunction with, and as part of, a well-defined and documented information security program. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.


The full document (Revision 3, with errata updated 05-01-2010) is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf