SlideShare une entreprise Scribd logo

NIST NVD REV 4 Security Controls Online Database Analysis

James W. De Rienzo
James W. De Rienzo

NIST SP 800-53 Revision 4 Security Controls Data Analysis

Données & analyses
1  sur  4
Télécharger pour lire hors ligne
NIST NVD 800 Rev4 Data Analysis Page 1 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H AC AC-1 ACCESS CONTROL POLICY AND PROCEDURES P1 AC-1 AC-1 AC-1 1 1 1 1 1 1 AC AC-2 ACCOUNT MANAGEMENT P1 AC-2 AC-2 (1) (2) (3) (4) AC-2 (1) (2) (3) (4) (5) (11) (12) (13) 1 5 9 1 1 1 4 8 (1) (1) (2) (2) (3) (3) (4) (4) (5) (11) (12) (13) AC AC-3 ACCESS ENFORCEMENT P1 AC-3 AC-3 AC-3 1 1 1 1 1 1 AC AC-4 INFORMATION FLOW ENFORCEMENT P1 AC-4 AC-4 1 1 1 1 AC AC-5 SEPARATION OF DUTIES P1 AC-5 AC-5 1 1 1 1 AC AC-6 LEAST PRIVILEGE P1 AC-6 (1) (2) (5) (9) (10) AC-6 (1) (2) (3) (5) (9) (10) 6 7 1 1 5 6 (1) (1) (2) (2) (5) (3) (9) (5) (10) (9) (10) AC AC-7 UNSUCCESSFUL LOGON ATTEMPTS P2 AC-7 AC-7 AC-7 1 1 1 1 1 1 AC AC-8 SYSTEM USE NOTIFICATION P1 AC-8 AC-8 AC-8 1 1 1 1 1 1 AC AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION P0 AC AC-10 CONCURRENT SESSION CONTROL P3 AC-10 1 1 AC AC-11 SESSION LOCK P3 AC-11 (1) AC-11 (1) 2 2 1 1 1 1 (1) (1) AC AC-12 SESSION TERMINATION P2 AC-12 AC-12 1 1 1 1 AC AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL (blank) AC AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION P3 AC-14 AC-14 AC-14 1 1 1 1 1 1 AC AC-15 AUTOMATED MARKING (blank) AC AC-16 SECURITY ATTRIBUTES P0 AC AC-17 REMOTE ACCESS P1 AC-17 AC-17 (1) (2) (3) (4) AC-17 (1) (2) (3) (4) 1 5 5 1 1 1 4 4 (1) (1) (2) (2) (3) (3) (4) (4) AC AC-18 WIRELESS ACCESS P1 AC-18 AC-18 (1) AC-18 (1) (4) (5) 1 2 4 1 1 1 1 3 (1) (1) (4) (5) AC AC-19 ACCESS CONTROL FOR MOBILE DEVICES P1 AC-19 AC-19 (5) AC-19 (5) 1 2 2 1 1 1 1 1 (5) (5) AC AC-20 USE OF EXTERNAL INFORMATION SYSTEMS P1 AC-20 AC-20 (1) (2) AC-20 (1) (2) 1 3 3 1 1 1 2 2 (1) (1) (2) (2) AC AC-21 INFORMATION SHARING P2 AC-21 AC-21 1 1 1 1 AC AC-22 PUBLICLY ACCESSIBLE CONTENT P3 AC-22 AC-22 AC-22 1 1 1 1 1 1 AC AC-23 DATA MINING PROTECTION P0 AC AC-24 ACCESS CONTROL DECISIONS P0 AC AC-25 REFERENCE MONITOR P0 AT AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES P1 AT-1 AT-1 AT-1 1 1 1 1 1 1 AT AT-2 SECURITY AWARENESS TRAINING P1 AT-2 AT-2 (2) AT-2 (2) 1 2 2 1 1 1 1 1 (2) (2) AT AT-3 ROLE-BASED SECURITY TRAINING P1 AT-3 AT-3 AT-3 1 1 1 1 1 1 AT AT-4 SECURITY TRAINING RECORDS P3 AT-4 AT-4 AT-4 1 1 1 1 1 1 AT AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS (blank) AU AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES P1 AU-1 AU-1 AU-1 1 1 1 1 1 1 AU AU-2 AUDIT EVENTS P1 AU-2 AU-2 (3) AU-2 (3) 1 2 2 1 1 1 1 1 (3) (3) AU AU-3 CONTENT OF AUDIT RECORDS P1 AU-3 AU-3 (1) AU-3 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) AU AU-4 AUDIT STORAGE CAPACITY P1 AU-4 AU-4 AU-4 1 1 1 1 1 1 AU AU-5 RESPONSE TO AUDIT PROCESSING FAILURES P1 AU-5 AU-5 AU-5 (1) (2) 1 1 3 1 1 1 2 (1) (2) AU AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING P1 AU-6 AU-6 (1) (3) AU-6 (1) (3) (5) (6) 1 3 5 1 1 1 2 4 (1) (1) (3) (3) (5) (6) AU AU-7 AUDIT REDUCTION AND REPORT GENERATION P2 AU-7 (1) AU-7 (1) 2 2 1 1 1 1 (1) (1) AU AU-8 TIME STAMPS P1 AU-8 AU-8 (1) AU-8 (1) 1 2 2 1 1 1 1 1 (1) (1) AU AU-9 PROTECTION OF AUDIT INFORMATION P1 AU-9 AU-9 (4) AU-9 (2) (3) (4) 1 2 4 1 1 1 1 3 (4) (2) (3) (4) AU AU-10 NON-REPUDIATION P2 AU-10 1 1 AU AU-11 AUDIT RECORD RETENTION P3 AU-11 AU-11 AU-11 1 1 1 1 1 1 AU AU-12 AUDIT GENERATION P1 AU-12 AU-12 AU-12 (1) (3) 1 1 3 1 1 1 2 (1) (3) AU AU-13 MONITORING FOR INFORMATION DISCLOSURE P0 AU AU-14 SESSION AUDIT P0 AU AU-15 ALTERNATE AUDIT CAPABILITY P0 AU AU-16 CROSS-ORGANIZATIONAL AUDITING P0 CA CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES P1 CA-1 CA-1 CA-1 1 1 1 1 1 1 CA CA-2 SECURITY ASSESSMENTS P2 CA-2 CA-2 (1) CA-2 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) CA CA-3 SYSTEM INTERCONNECTIONS P1 CA-3 CA-3 (5) CA-3 (5) 1 2 2 1 1 1 1 1 (5) (5) CA CA-4 SECURITY CERTIFICATION (blank) CA CA-5 PLAN OF ACTION AND MILESTONES P3 CA-5 CA-5 CA-5 1 1 1 1 1 1 CA CA-6 SECURITY AUTHORIZATION P2 CA-6 CA-6 CA-6 1 1 1 1 1 1 CA CA-7 CONTINUOUS MONITORING P2 CA-7 CA-7 (1) CA-7 (1) 1 2 2 1 1 1 1 1 (1) (1) CA CA-8 PENETRATION TESTING P2 CA-8 1 1 CA CA-9 INTERNAL SYSTEM CONNECTIONS P2 CA-9 CA-9 CA-9 1 1 1 1 1 1 CM CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES P1 CM-1 CM-1 CM-1 1 1 1 1 1 1 CM CM-2 BASELINE CONFIGURATION P1 CM-2 CM-2 (1) (3) (7) CM-2 (1) (2) (3) (7) 1 4 5 1 1 1 3 4 (1) (1) (3) (2) (7) (3) (7) CM CM-3 CONFIGURATION CHANGE CONTROL P1 CM-3 (2) CM-3 (1) (2) 2 3 1 1 1 2 (2) (1) (2) CM CM-4 SECURITY IMPACT ANALYSIS P2 CM-4 CM-4 CM-4 (1) 1 1 2 1 1 1 1 (1) CM CM-5 ACCESS RESTRICTIONS FOR CHANGE P1 CM-5 CM-5 (1) (2) (3) 1 4 1 1 3 (1) (2) (3) CM CM-6 CONFIGURATION SETTINGS P1 CM-6 CM-6 CM-6 (1) (2) 1 1 3 1 1 1 2 (1) (2) CM CM-7 LEAST FUNCTIONALITY P1 CM-7 CM-7 (1) (2) (4) CM-7 (1) (2) (5) 1 4 4 1 1 1 3 3 (1) (1) (2) (2) (4) (5) CM CM-8 INFORMATION SYSTEM COMPONENT INVENTORY P1 CM-8 CM-8 (1) (3) (5) CM-8 (1) (2) (3) (4) (5) 1 4 6 1 1 1 3 5 (1) (1) (3) (2) (5) (3) (4) (5) CM CM-9 CONFIGURATION MANAGEMENT PLAN P1 CM-9 CM-9 1 1 1 1
NIST NVD 800 Rev4 Data Analysis Page 2 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H CM CM-10 SOFTWARE USAGE RESTRICTIONS P2 CM-10 CM-10 CM-10 1 1 1 1 1 1 CM CM-11 USER-INSTALLED SOFTWARE P1 CM-11 CM-11 CM-11 1 1 1 1 1 1 CP CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES P1 CP-1 CP-1 CP-1 1 1 1 1 1 1 CP CP-2 CONTINGENCY PLAN P1 CP-2 CP-2 (1) (3) (8) CP-2 (1) (2) (3) (4) (5) (8) 1 4 7 1 1 1 3 6 (1) (1) (3) (2) (8) (3) (4) (5) (8) CP CP-3 CONTINGENCY TRAINING P2 CP-3 CP-3 CP-3 (1) 1 1 2 1 1 1 1 (1) CP CP-4 CONTINGENCY PLAN TESTING P2 CP-4 CP-4 (1) CP-4 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) CP CP-5 CONTINGENCY PLAN UPDATE (blank) CP CP-6 ALTERNATE STORAGE SITE P1 CP-6 (1) (3) CP-6 (1) (2) (3) 3 4 1 1 2 3 (1) (1) (3) (2) (3) CP CP-7 ALTERNATE PROCESSING SITE P1 CP-7 (1) (2) (3) CP-7 (1) (2) (3) (4) 4 5 1 1 3 4 (1) (1) (2) (2) (3) (3) (4) CP CP-8 TELECOMMUNICATIONS SERVICES P1 CP-8 (1) (2) CP-8 (1) (2) (3) (4) 3 5 1 1 2 4 (1) (1) (2) (2) (3) (4) CP CP-9 INFORMATION SYSTEM BACKUP P1 CP-9 CP-9 (1) CP-9 (1) (2) (3) (5) 1 2 5 1 1 1 1 4 (1) (1) (2) (3) (5) CP CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION P1 CP-10 CP-10 (2) CP-10 (2) (4) 1 2 3 1 1 1 1 2 (2) (2) (4) CP CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS P0 CP CP-12 SAFE MODE P0 CP CP-13 ALTERNATIVE SECURITY MECHANISMS P0 IA IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES P1 IA-1 IA-1 IA-1 1 1 1 1 1 1 IA IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) P1 IA-2 (1) (12) IA-2 (1) (2) (3) (8) (11) (12) IA-2 (1) (2) (3) (4) (8) (9) (11) (12) 3 7 9 1 1 1 2 6 8 (1) (1) (1) (12) (2) (2) (3) (3) (8) (4) (11) (8) (12) (9) (11) (12) IA IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION P1 IA-3 IA-3 1 1 1 1 IA IA-4 IDENTIFIER MANAGEMENT P1 IA-4 IA-4 IA-4 1 1 1 1 1 1 IA IA-5 AUTHENTICATOR MANAGEMENT P1 IA-5 (1) (11) IA-5 (1) (2) (3) (11) IA-5 (1) (2) (3) (11) 3 5 5 1 1 1 2 4 4 (1) (1) (1) (11) (2) (2) (3) (3) (11) (11) IA IA-6 AUTHENTICATOR FEEDBACK P2 IA-6 IA-6 IA-6 1 1 1 1 1 1 IA IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION P1 IA-7 IA-7 IA-7 1 1 1 1 1 1 IA IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) P1 IA-8 (1) (2) (3) (4) IA-8 (1) (2) (3) (4) IA-8 (1) (2) (3) (4) 5 5 5 1 1 1 4 4 4 (1) (1) (1) (2) (2) (2) (3) (3) (3) (4) (4) (4) IA IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION P0 IA IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION P0 IA IA-11 RE-AUTHENTICATION P0 IR IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES P1 IR-1 IR-1 IR-1 1 1 1 1 1 1 IR IR-2 INCIDENT RESPONSE TRAINING P2 IR-2 IR-2 IR-2 (1) (2) 1 1 3 1 1 1 2 (1) (2) IR IR-3 INCIDENT RESPONSE TESTING P2 IR-3 (2) IR-3 (2) 2 2 1 1 1 1 (2) (2) IR IR-4 INCIDENT HANDLING P1 IR-4 IR-4 (1) IR-4 (1) (4) 1 2 3 1 1 1 1 2 (1) (1) (4) IR IR-5 INCIDENT MONITORING P1 IR-5 IR-5 IR-5 (1) 1 1 2 1 1 1 1 (1) IR IR-6 INCIDENT REPORTING P1 IR-6 IR-6 (1) IR-6 (1) 1 2 2 1 1 1 1 1 (1) (1) IR IR-7 INCIDENT RESPONSE ASSISTANCE P2 IR-7 IR-7 (1) IR-7 (1) 1 2 2 1 1 1 1 1 (1) (1) IR IR-8 INCIDENT RESPONSE PLAN P1 IR-8 IR-8 IR-8 1 1 1 1 1 1 IR IR-9 INFORMATION SPILLAGE RESPONSE P0 IR IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM P0 MA MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES P1 MA-1 MA-1 MA-1 1 1 1 1 1 1 MA MA-2 CONTROLLED MAINTENANCE P2 MA-2 MA-2 MA-2 (2) 1 1 2 1 1 1 1 (2) MA MA-3 MAINTENANCE TOOLS P3 MA-3 (1) (2) MA-3 (1) (2) (3) 3 4 1 1 2 3 (1) (1) (2) (2) (3) MA MA-4 NONLOCAL MAINTENANCE P2 MA-4 MA-4 (2) MA-4 (2) (3) 1 2 3 1 1 1 1 2 (2) (2) (3) MA MA-5 MAINTENANCE PERSONNEL P2 MA-5 MA-5 MA-5 (1) 1 1 2 1 1 1 1 (1) MA MA-6 TIMELY MAINTENANCE P2 MA-6 MA-6 1 1 1 1 MP MP-1 MEDIA PROTECTION POLICY AND PROCEDURES P1 MP-1 MP-1 MP-1 1 1 1 1 1 1 MP MP-2 MEDIA ACCESS P1 MP-2 MP-2 MP-2 1 1 1 1 1 1 MP MP-3 MEDIA MARKING P2 MP-3 MP-3 1 1 1 1 MP MP-4 MEDIA STORAGE P1 MP-4 MP-4 1 1 1 1 MP MP-5 MEDIA TRANSPORT P1 MP-5 (4) MP-5 (4) 2 2 1 1 1 1 (4) (4) MP MP-6 MEDIA SANITIZATION P1 MP-6 MP-6 MP-6 (1) (2) (3) 1 1 4 1 1 1 3 (1) (2) (3) MP MP-7 MEDIA USE P1 MP-7 MP-7 (1) MP-7 (1) 1 2 2 1 1 1 1 1 (1) (1) MP MP-8 MEDIA DOWNGRADING P0 PE PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES P1 PE-1 PE-1 PE-1 1 1 1 1 1 1 PE PE-2 PHYSICAL ACCESS AUTHORIZATIONS P1 PE-2 PE-2 PE-2 1 1 1 1 1 1 PE PE-3 PHYSICAL ACCESS CONTROL P1 PE-3 PE-3 PE-3 (1) 1 1 2 1 1 1 1 (1) PE PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM P1 PE-4 PE-4 1 1 1 1 PE PE-5 ACCESS CONTROL FOR OUTPUT DEVICES P2 PE-5 PE-5 1 1 1 1 PE PE-6 MONITORING PHYSICAL ACCESS P1 PE-6 PE-6 (1) PE-6 (1) (4) 1 2 3 1 1 1 1 2 (1) (1) (4) PE PE-7 VISITOR CONTROL (blank) PE PE-8 VISITOR ACCESS RECORDS P3 PE-8 PE-8 PE-8 (1) 1 1 2 1 1 1 1 (1) PE PE-9 POWER EQUIPMENT AND CABLING P1 PE-9 PE-9 1 1 1 1 PE PE-10 EMERGENCY SHUTOFF P1 PE-10 PE-10 1 1 1 1 PE PE-11 EMERGENCY POWER P1 PE-11 PE-11 (1) 1 2 1 1 1 (1) PE PE-12 EMERGENCY LIGHTING P1 PE-12 PE-12 PE-12 1 1 1 1 1 1 PE PE-13 FIRE PROTECTION P1 PE-13 PE-13 (3) PE-13 (1) (2) (3) 1 2 4 1 1 1 1 3 (3) (1) (2) (3) PE PE-14 TEMPERATURE AND HUMIDITY CONTROLS P1 PE-14 PE-14 PE-14 1 1 1 1 1 1
NIST NVD 800 Rev4 Data Analysis Page 3 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H PE PE-15 WATER DAMAGE PROTECTION P1 PE-15 PE-15 PE-15 (1) 1 1 2 1 1 1 1 (1) PE PE-16 DELIVERY AND REMOVAL P2 PE-16 PE-16 PE-16 1 1 1 1 1 1 PE PE-17 ALTERNATE WORK SITE P2 PE-17 PE-17 1 1 1 1 PE PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS P3 PE-18 1 1 PE PE-19 INFORMATION LEAKAGE P0 PE PE-20 ASSET MONITORING AND TRACKING P0 PL PL-1 SECURITY PLANNING POLICY AND PROCEDURES P1 PL-1 PL-1 PL-1 1 1 1 1 1 1 PL PL-2 SYSTEM SECURITY PLAN P1 PL-2 PL-2 (3) PL-2 (3) 1 2 2 1 1 1 1 1 (3) (3) PL PL-3 SYSTEM SECURITY PLAN UPDATE (blank) PL PL-4 RULES OF BEHAVIOR P2 PL-4 PL-4 (1) PL-4 (1) 1 2 2 1 1 1 1 1 (1) (1) PL PL-5 PRIVACY IMPACT ASSESSMENT (blank) PL PL-6 SECURITY-RELATED ACTIVITY PLANNING (blank) PL PL-7 SECURITY CONCEPT OF OPERATIONS P0 PL PL-8 INFORMATION SECURITY ARCHITECTURE P1 PL-8 PL-8 1 1 1 1 PL PL-9 CENTRAL MANAGEMENT P0 PM PM-1 INFORMATION SECURITY PROGRAM PLAN (blank) PM PM-2 SENIOR INFORMATION SECURITY OFFICER (blank) PM PM-3 INFORMATION SECURITY RESOURCES (blank) PM PM-4 PLAN OF ACTION AND MILESTONES PROCESS (blank) PM PM-5 INFORMATION SYSTEM INVENTORY (blank) PM PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE (blank) PM PM-7 ENTERPRISE ARCHITECTURE (blank) PM PM-8 CRITICAL INFRASTRUCTURE PLAN (blank) PM PM-9 RISK MANAGEMENT STRATEGY (blank) PM PM-10 SECURITY AUTHORIZATION PROCESS (blank) PM PM-11 MISSION/BUSINESS PROCESS DEFINITION (blank) PM PM-12 INSIDER THREAT PROGRAM (blank) PM PM-13 INFORMATION SECURITY WORKFORCE (blank) PM PM-14 TESTING, TRAINING, AND MONITORING (blank) PM PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS (blank) PM PM-16 THREAT AWARENESS PROGRAM (blank) PS PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES P1 PS-1 PS-1 PS-1 1 1 1 1 1 1 PS PS-2 POSITION RISK DESIGNATION P1 PS-2 PS-2 PS-2 1 1 1 1 1 1 PS PS-3 PERSONNEL SCREENING P1 PS-3 PS-3 PS-3 1 1 1 1 1 1 PS PS-4 PERSONNEL TERMINATION P1 PS-4 PS-4 PS-4 (2) 1 1 2 1 1 1 1 (2) PS PS-5 PERSONNEL TRANSFER P2 PS-5 PS-5 PS-5 1 1 1 1 1 1 PS PS-6 ACCESS AGREEMENTS P3 PS-6 PS-6 PS-6 1 1 1 1 1 1 PS PS-7 THIRD-PARTY PERSONNEL SECURITY P1 PS-7 PS-7 PS-7 1 1 1 1 1 1 PS PS-8 PERSONNEL SANCTIONS P3 PS-8 PS-8 PS-8 1 1 1 1 1 1 RA RA-1 RISK ASSESSMENT POLICY AND PROCEDURES P1 RA-1 RA-1 RA-1 1 1 1 1 1 1 RA RA-2 SECURITY CATEGORIZATION P1 RA-2 RA-2 RA-2 1 1 1 1 1 1 RA RA-3 RISK ASSESSMENT P1 RA-3 RA-3 RA-3 1 1 1 1 1 1 RA RA-4 RISK ASSESSMENT UPDATE (blank) RA RA-5 VULNERABILITY SCANNING P1 RA-5 RA-5 (1) (2) (5) RA-5 (1) (2) (4) (5) 1 4 5 1 1 1 3 4 (1) (1) (2) (2) (5) (4) (5) RA RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY P0 SA SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES P1 SA-1 SA-1 SA-1 1 1 1 1 1 1 SA SA-2 ALLOCATION OF RESOURCES P1 SA-2 SA-2 SA-2 1 1 1 1 1 1 SA SA-3 SYSTEM DEVELOPMENT LIFE CYCLE P1 SA-3 SA-3 SA-3 1 1 1 1 1 1 SA SA-4 ACQUISITION PROCESS P1 SA-4 (10) SA-4 (1) (2) (9) (10) SA-4 (1) (2) (9) (10) 2 5 5 1 1 1 1 4 4 (10) (1) (1) (2) (2) (9) (9) (10) (10) SA SA-5 INFORMATION SYSTEM DOCUMENTATION P2 SA-5 SA-5 SA-5 1 1 1 1 1 1 SA SA-6 SOFTWARE USAGE RESTRICTIONS (blank) SA SA-7 USER-INSTALLED SOFTWARE (blank) SA SA-8 SECURITY ENGINEERING PRINCIPLES P1 SA-8 SA-8 1 1 1 1 SA SA-9 EXTERNAL INFORMATION SYSTEM SERVICES P1 SA-9 SA-9 (2) SA-9 (2) 1 2 2 1 1 1 1 1 (2) (2) SA SA-10 DEVELOPER CONFIGURATION MANAGEMENT P1 SA-10 SA-10 1 1 1 1 SA SA-11 DEVELOPER SECURITY TESTING AND EVALUATION P1 SA-11 SA-11 1 1 1 1 SA SA-12 SUPPLY CHAIN PROTECTION P1 SA-12 1 1 SA SA-13 TRUSTWORTHINESS P0 SA SA-14 CRITICALITY ANALYSIS P0 SA SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS P2 SA-15 1 1 SA SA-16 DEVELOPER-PROVIDED TRAINING P2 SA-16 1 1 SA SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN P1 SA-17 1 1 SA SA-18 TAMPER RESISTANCE AND DETECTION P0 SA SA-19 COMPONENT AUTHENTICITY P0
NIST NVD 800 Rev4 Data Analysis Page 4 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H SA SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS P0 SA SA-21 DEVELOPER SCREENING P0 SA SA-22 UNSUPPORTED SYSTEM COMPONENTS P0 SC SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES P1 SC-1 SC-1 SC-1 1 1 1 1 1 1 SC SC-2 APPLICATION PARTITIONING P1 SC-2 SC-2 1 1 1 1 SC SC-3 SECURITY FUNCTION ISOLATION P1 SC-3 1 1 SC SC-4 INFORMATION IN SHARED RESOURCES P1 SC-4 SC-4 1 1 1 1 SC SC-5 DENIAL OF SERVICE PROTECTION P1 SC-5 SC-5 SC-5 1 1 1 1 1 1 SC SC-6 RESOURCE AVAILABILITY P0 SC SC-7 BOUNDARY PROTECTION P1 SC-7 SC-7 (3) (4) (5) (7) SC-7 (3) (4) (5) (7) (8) (18) (21) 1 5 8 1 1 1 4 7 (3) (3) (4) (4) (5) (5) (7) (7) (8) (18) (21) SC SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY P1 SC-8 (1) SC-8 (1) 2 2 1 1 1 1 (1) (1) SC SC-9 TRANSMISSION CONFIDENTIALITY (blank) SC SC-10 NETWORK DISCONNECT P2 SC-10 SC-10 1 1 1 1 SC SC-11 TRUSTED PATH P0 SC SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT P1 SC-12 SC-12 SC-12 (1) 1 1 2 1 1 1 1 (1) SC SC-13 CRYPTOGRAPHIC PROTECTION P1 SC-13 SC-13 SC-13 1 1 1 1 1 1 SC SC-14 PUBLIC ACCESS PROTECTIONS (blank) SC SC-15 COLLABORATIVE COMPUTING DEVICES P1 SC-15 SC-15 SC-15 1 1 1 1 1 1 SC SC-16 TRANSMISSION OF SECURITY ATTRIBUTES P0 SC SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES P1 SC-17 SC-17 1 1 1 1 SC SC-18 MOBILE CODE P2 SC-18 SC-18 1 1 1 1 SC SC-19 VOICE OVER INTERNET PROTOCOL P1 SC-19 SC-19 1 1 1 1 SC SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) P1 SC-20 SC-20 SC-20 1 1 1 1 1 1 SC SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) P1 SC-21 SC-21 SC-21 1 1 1 1 1 1 SC SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE P1 SC-22 SC-22 SC-22 1 1 1 1 1 1 SC SC-23 SESSION AUTHENTICITY P1 SC-23 SC-23 1 1 1 1 SC SC-24 FAIL IN KNOWN STATE P1 SC-24 1 1 SC SC-25 THIN NODES P0 SC SC-26 HONEYPOTS P0 SC SC-27 PLATFORM-INDEPENDENT APPLICATIONS P0 SC SC-28 PROTECTION OF INFORMATION AT REST P1 SC-28 SC-28 1 1 1 1 SC SC-29 HETEROGENEITY P0 SC SC-30 CONCEALMENT AND MISDIRECTION P0 SC SC-31 COVERT CHANNEL ANALYSIS P0 SC SC-32 INFORMATION SYSTEM PARTITIONING P0 SC SC-33 TRANSMISSION PREPARATION INTEGRITY (blank) SC SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS P0 SC SC-35 HONEYCLIENTS P0 SC SC-36 DISTRIBUTED PROCESSING AND STORAGE P0 SC SC-37 OUT-OF-BAND CHANNELS P0 SC SC-38 OPERATIONS SECURITY P0 SC SC-39 PROCESS ISOLATION P1 SC-39 SC-39 SC-39 1 1 1 1 1 1 SC SC-40 WIRELESS LINK PROTECTION P0 SC SC-41 PORT AND I/O DEVICE ACCESS P0 SC SC-42 SENSOR CAPABILITY AND DATA P0 SC SC-43 USAGE RESTRICTIONS P0 SC SC-44 DETONATION CHAMBERS P0 SI SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES P1 SI-1 SI-1 SI-1 1 1 1 1 1 1 SI SI-2 FLAW REMEDIATION P1 SI-2 SI-2 (2) SI-2 (1) (2) 1 2 3 1 1 1 1 2 (2) (1) (2) SI SI-3 MALICIOUS CODE PROTECTION P1 SI-3 SI-3 (1) (2) SI-3 (1) (2) 1 3 3 1 1 1 2 2 (1) (1) (2) (2) SI SI-4 INFORMATION SYSTEM MONITORING P1 SI-4 SI-4 (2) (4) (5) SI-4 (2) (4) (5) 1 4 4 1 1 1 3 3 (2) (2) (4) (4) (5) (5) SI SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES P1 SI-5 SI-5 SI-5 (1) 1 1 2 1 1 1 1 (1) SI SI-6 SECURITY FUNCTION VERIFICATION P1 SI-6 1 1 SI SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY P1 SI-7 (1) (7) SI-7 (1) (2) (5) (7) (14) 3 6 1 1 2 5 (1) (1) (7) (2) (5) (7) (14) SI SI-8 SPAM PROTECTION P2 SI-8 (1) (2) SI-8 (1) (2) 3 3 1 1 2 2 (1) (1) (2) (2) SI SI-9 INFORMATION INPUT RESTRICTIONS (blank) SI SI-10 INFORMATION INPUT VALIDATION P1 SI-10 SI-10 1 1 1 1 SI SI-11 ERROR HANDLING P2 SI-11 SI-11 1 1 1 1 SI SI-12 INFORMATION HANDLING AND RETENTION P2 SI-12 SI-12 SI-12 1 1 1 1 1 1 SI SI-13 PREDICTABLE FAILURE PREVENTION P0 SI SI-14 NON-PERSISTENCE P0 SI SI-15 INFORMATION OUTPUT FILTERING P0 SI SI-16 MEMORY PROTECTION P1 SI-16 SI-16 1 1 1 1 SI SI-17 FAIL-SAFE PROCEDURES P0

Recommandé

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...James W. De Rienzo
 
Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4James W. De Rienzo
 
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...James W. De Rienzo
 
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804James W. De Rienzo
 
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...James W. De Rienzo
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
Tala Tek NIST_rev4-final
Tala Tek NIST_rev4-finalTala Tek NIST_rev4-final
Tala Tek NIST_rev4-finalBaan
 
Risk Presentation (2)
Risk Presentation (2)Risk Presentation (2)
Risk Presentation (2)Kathy_67
 

Recommandé

Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...James W. De Rienzo
 
Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4James W. De Rienzo
 
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...James W. De Rienzo
 
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804James W. De Rienzo
 
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...James W. De Rienzo
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aJames W. De Rienzo
 
Tala Tek NIST_rev4-final
Tala Tek NIST_rev4-finalTala Tek NIST_rev4-final
Tala Tek NIST_rev4-finalBaan
 
Risk Presentation (2)
Risk Presentation (2)Risk Presentation (2)
Risk Presentation (2)Kathy_67
 
When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?ISA Interchange
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 
Edwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation ManualEdwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation ManualJMAC Supply
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
55419663 burner-management-system
55419663 burner-management-system55419663 burner-management-system
55419663 burner-management-systemMowaten Masry
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
Sil 1 (1)1
Sil 1 (1)1Sil 1 (1)1
Sil 1 (1)1Affan Sadiq MIChemE CEng
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculation71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculationMowaten Masry
 
Functional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling IndustryFunctional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling IndustryLloyd's Register Energy
 
Sil presentation
Sil presentationSil presentation
Sil presentationValeriano Barrilà
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
BTS Key Mgt
BTS Key MgtBTS Key Mgt
BTS Key MgtMahmudul Hassan
 
SIL in de praktjk (functional Safety)
SIL in de praktjk (functional Safety)SIL in de praktjk (functional Safety)
SIL in de praktjk (functional Safety)ie-net ingenieursvereniging vzw
 
Industrial Sales Presentation
Industrial Sales PresentationIndustrial Sales Presentation
Industrial Sales PresentationExpertsLogicTechnolo
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2Marina Krotofil
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...Emerson Exchange
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3Marina Krotofil
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)James W. De Rienzo
 

Contenu connexe

Tendances

When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?ISA Interchange
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 
Edwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation ManualEdwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation ManualJMAC Supply
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenMarina Krotofil
 
55419663 burner-management-system
55419663 burner-management-system55419663 burner-management-system
55419663 burner-management-systemMowaten Masry
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration TestingAhmed Sherif
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...Marina Krotofil
 
71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculation71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculationMowaten Masry
 
Functional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling IndustryFunctional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling IndustryLloyd's Register Energy
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
 
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...Emerson Exchange
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALMarina Krotofil
 

Tendances (20)

When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?When is a SIL Rating of a Valve Required?
When is a SIL Rating of a Valve Required?
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systems
 
Edwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation ManualEdwards Signaling E-FSA64RD Installation Manual
Edwards Signaling E-FSA64RD Installation Manual
 
DefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_LarsenDefCon_2015_Slides_Krotofil_Larsen
DefCon_2015_Slides_Krotofil_Larsen
 
55419663 burner-management-system
55419663 burner-management-system55419663 burner-management-system
55419663 burner-management-system
 
Scada Security & Penetration Testing
Scada Security & Penetration TestingScada Security & Penetration Testing
Scada Security & Penetration Testing
 
Sil 1 (1)1
Sil 1 (1)1Sil 1 (1)1
Sil 1 (1)1
 
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
 
71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculation71364263 voting-logic-sil-calculation
71364263 voting-logic-sil-calculation
 
Functional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling IndustryFunctional Safety (SIL) in the Subsea and Drilling Industry
Functional Safety (SIL) in the Subsea and Drilling Industry
 
Sil presentation
Sil presentationSil presentation
Sil presentation
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
BTS Key Mgt
BTS Key MgtBTS Key Mgt
BTS Key Mgt
 
SIL in de praktjk (functional Safety)
SIL in de praktjk (functional Safety)SIL in de praktjk (functional Safety)
SIL in de praktjk (functional Safety)
 
Industrial Sales Presentation
Industrial Sales PresentationIndustrial Sales Presentation
Industrial Sales Presentation
 
MKAD_black_V2
MKAD_black_V2MKAD_black_V2
MKAD_black_V2
 
Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing Scada Industrial Control Systems Penetration Testing
Scada Industrial Control Systems Penetration Testing
 
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
SIS “Final Element” Diagnostics Including The SOV, Using A Digital Valve Cont...
 
BlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINALBlackHat_2015_Slides_Krotofil_FINAL
BlackHat_2015_Slides_Krotofil_FINAL
 
presentation_sas2016_V3
presentation_sas2016_V3presentation_sas2016_V3
presentation_sas2016_V3
 

En vedette

(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804James W. De Rienzo
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)James W. De Rienzo
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)James W. De Rienzo
 
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...James W. De Rienzo
 
Program za cjeloživotno učenje Comenius
Program za cjeloživotno učenje ComeniusProgram za cjeloživotno učenje Comenius
Program za cjeloživotno učenje ComeniusPogled kroz prozor
 
Insight Appstore Optimization - Matthaus Michalik, AKM3
Insight Appstore Optimization - Matthaus Michalik, AKM3Insight Appstore Optimization - Matthaus Michalik, AKM3
Insight Appstore Optimization - Matthaus Michalik, AKM3DroidConTLV
 
Mantenimiento de hardware
Mantenimiento de hardwareMantenimiento de hardware
Mantenimiento de hardwareJimer Velasquez
 
Tenerife abp equipos directivos_septiembre2016_desktop
Tenerife abp equipos directivos_septiembre2016_desktopTenerife abp equipos directivos_septiembre2016_desktop
Tenerife abp equipos directivos_septiembre2016_desktopCEPTENERIFESUR
 
Smc Zee 18july09
Smc Zee 18july09Smc Zee 18july09
Smc Zee 18july09Harsh Arun
 
Promendoza em binos_china2011
Promendoza em binos_china2011Promendoza em binos_china2011
Promendoza em binos_china2011Barby Del Pópolo
 
Repositorio de imagenes imageshack
Repositorio de imagenes imageshackRepositorio de imagenes imageshack
Repositorio de imagenes imageshackfeditic
 
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...SICREA Autofinanciamiento NISSAN
 
Presentación la caixa jornada de financiación 14 nov 2011
Presentación la caixa jornada de financiación 14 nov 2011Presentación la caixa jornada de financiación 14 nov 2011
Presentación la caixa jornada de financiación 14 nov 2011FIAB
 
Ventajas de Mudar un Software 2D al 3D
Ventajas de Mudar un Software 2D al 3DVentajas de Mudar un Software 2D al 3D
Ventajas de Mudar un Software 2D al 3DIntelligy
 
Anales vol 27 2014
Anales vol 27 2014Anales vol 27 2014
Anales vol 27 2014RACVAO
 

En vedette (20)

(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
 
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
 
L'uso dei Social Media tra i Giuristi d'Impresa
L'uso dei Social Media tra i Giuristi d'ImpresaL'uso dei Social Media tra i Giuristi d'Impresa
L'uso dei Social Media tra i Giuristi d'Impresa
 
Program za cjeloživotno učenje Comenius
Program za cjeloživotno učenje ComeniusProgram za cjeloživotno učenje Comenius
Program za cjeloživotno učenje Comenius
 
Insight Appstore Optimization - Matthaus Michalik, AKM3
Insight Appstore Optimization - Matthaus Michalik, AKM3Insight Appstore Optimization - Matthaus Michalik, AKM3
Insight Appstore Optimization - Matthaus Michalik, AKM3
 
Mantenimiento de hardware
Mantenimiento de hardwareMantenimiento de hardware
Mantenimiento de hardware
 
Tenerife abp equipos directivos_septiembre2016_desktop
Tenerife abp equipos directivos_septiembre2016_desktopTenerife abp equipos directivos_septiembre2016_desktop
Tenerife abp equipos directivos_septiembre2016_desktop
 
Kids consult!
Kids consult!Kids consult!
Kids consult!
 
FiberCorp -Sebastián Borghello
FiberCorp -Sebastián BorghelloFiberCorp -Sebastián Borghello
FiberCorp -Sebastián Borghello
 
Smc Zee 18july09
Smc Zee 18july09Smc Zee 18july09
Smc Zee 18july09
 
Promendoza em binos_china2011
Promendoza em binos_china2011Promendoza em binos_china2011
Promendoza em binos_china2011
 
Repositorio de imagenes imageshack
Repositorio de imagenes imageshackRepositorio de imagenes imageshack
Repositorio de imagenes imageshack
 
Programa Ponencias 28-09-2012
Programa Ponencias 28-09-2012Programa Ponencias 28-09-2012
Programa Ponencias 28-09-2012
 
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...
Revista ContactForum No. 56 Edición Noviembre - Diciembre, Personalidades de ...
 
Presentación la caixa jornada de financiación 14 nov 2011
Presentación la caixa jornada de financiación 14 nov 2011Presentación la caixa jornada de financiación 14 nov 2011
Presentación la caixa jornada de financiación 14 nov 2011
 
Ventajas de Mudar un Software 2D al 3D
Ventajas de Mudar un Software 2D al 3DVentajas de Mudar un Software 2D al 3D
Ventajas de Mudar un Software 2D al 3D
 
ITS 2013 Smart Truck Parking
ITS 2013 Smart Truck ParkingITS 2013 Smart Truck Parking
ITS 2013 Smart Truck Parking
 
Anales vol 27 2014
Anales vol 27 2014Anales vol 27 2014
Anales vol 27 2014
 

Similaire à NIST NVD REV 4 Security Controls Online Database Analysis

Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docxProject #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docxstilliegeorgiana
 
I phone 5 full Schematic Diagram 820 3141-b
I phone 5 full Schematic Diagram 820 3141-bI phone 5 full Schematic Diagram 820 3141-b
I phone 5 full Schematic Diagram 820 3141-bdiyfix phone
 
Automated FMECA Technology for Tomorrow
Automated FMECA Technology for TomorrowAutomated FMECA Technology for Tomorrow
Automated FMECA Technology for TomorrowMads Grahl-Madsen
 
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem Mandal
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem MandalH2O World - PAAS: Predictive Analytics offered as a Service - Prateem Mandal
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem MandalSri Ambati
 
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docx
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docxCSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docx
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docxmydrynan
 
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptx
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptxpdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptx
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptxGustavoJesus32
 
Dual Purpose Generator Set Maintenance Manual
Dual Purpose Generator Set Maintenance ManualDual Purpose Generator Set Maintenance Manual
Dual Purpose Generator Set Maintenance ManualRimsky Cheng
 
15 - Introduction to Optimization Tools Rev A.ppt
15 - Introduction to Optimization Tools Rev A.ppt15 - Introduction to Optimization Tools Rev A.ppt
15 - Introduction to Optimization Tools Rev A.pptMohamedShabana37
 
ECS H77H2-M4 rA.pptx
ECS H77H2-M4 rA.pptxECS H77H2-M4 rA.pptx
ECS H77H2-M4 rA.pptxssusercda6b5
 
UENR4505-00.pdf
UENR4505-00.pdfUENR4505-00.pdf
UENR4505-00.pdfthang tong
 
C041221821
C041221821C041221821
C041221821IOSR-JEN
 
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Jordi Cabot
 
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docx
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docxCSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docx
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docxmydrynan
 

Similaire à NIST NVD REV 4 Security Controls Online Database Analysis (20)

Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docxProject #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
 
I phone 5 full Schematic Diagram 820 3141-b
I phone 5 full Schematic Diagram 820 3141-bI phone 5 full Schematic Diagram 820 3141-b
I phone 5 full Schematic Diagram 820 3141-b
 
Fmea
FmeaFmea
Fmea
 
Automated FMECA Technology for Tomorrow
Automated FMECA Technology for TomorrowAutomated FMECA Technology for Tomorrow
Automated FMECA Technology for Tomorrow
 
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem Mandal
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem MandalH2O World - PAAS: Predictive Analytics offered as a Service - Prateem Mandal
H2O World - PAAS: Predictive Analytics offered as a Service - Prateem Mandal
 
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docx
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docxCSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docx
CSA CCM V3.0CLOUD CONTROLS MATRIX VERSION 3.0Control DomainCCM V3..docx
 
10004455533
1000445553310004455533
10004455533
 
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptx
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptxpdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptx
pdfcoffee.com_otis-gen-2-regen-baa21000h-plano-7-pdf-free (1).pptx
 
Dual Purpose Generator Set Maintenance Manual
Dual Purpose Generator Set Maintenance ManualDual Purpose Generator Set Maintenance Manual
Dual Purpose Generator Set Maintenance Manual
 
SmartZone 5.0
SmartZone 5.0SmartZone 5.0
SmartZone 5.0
 
SUZUKI G.VITARA AT.pdf
SUZUKI G.VITARA AT.pdfSUZUKI G.VITARA AT.pdf
SUZUKI G.VITARA AT.pdf
 
15 - Introduction to Optimization Tools Rev A.ppt
15 - Introduction to Optimization Tools Rev A.ppt15 - Introduction to Optimization Tools Rev A.ppt
15 - Introduction to Optimization Tools Rev A.ppt
 
ECS H77H2-M4 rA.pptx
ECS H77H2-M4 rA.pptxECS H77H2-M4 rA.pptx
ECS H77H2-M4 rA.pptx
 
iaf.pptx
iaf.pptxiaf.pptx
iaf.pptx
 
UENR4505-00.pdf
UENR4505-00.pdfUENR4505-00.pdf
UENR4505-00.pdf
 
Honey process manager
Honey process managerHoney process manager
Honey process manager
 
C041221821
C041221821C041221821
C041221821
 
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
Model-driven Extraction and Analysis of Network Security Policies (at MoDELS'13)
 
WBS is Paramount
WBS is ParamountWBS is Paramount
WBS is Paramount
 
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docx
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docxCSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docx
CSA CCM V3.0.1 CLOUD CONTROLS MATRIX VERSION 3.0.1Control DomainC.docx
 

Plus de James W. De Rienzo

Nist sp 800_r5_baselines_&_attributes
Nist sp 800_r5_baselines_&_attributesNist sp 800_r5_baselines_&_attributes
Nist sp 800_r5_baselines_&_attributesJames W. De Rienzo
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...James W. De Rienzo
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJob aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJames W. De Rienzo
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...James W. De Rienzo
 
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...James W. De Rienzo
 
Information Security Fundamentals
Information Security FundamentalsInformation Security Fundamentals
Information Security FundamentalsJames W. De Rienzo
 
Information Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual FrameworkInformation Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual FrameworkJames W. De Rienzo
 
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)James W. De Rienzo
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...James W. De Rienzo
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)James W. De Rienzo
 
VDI and Application Virtualization
VDI and Application VirtualizationVDI and Application Virtualization
VDI and Application VirtualizationJames W. De Rienzo
 

Plus de James W. De Rienzo (15)

Nist sp 800_r5_baselines_&_attributes
Nist sp 800_r5_baselines_&_attributesNist sp 800_r5_baselines_&_attributes
Nist sp 800_r5_baselines_&_attributes
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJob aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
 
SEI CERT Podcast Series
SEI CERT Podcast SeriesSEI CERT Podcast Series
SEI CERT Podcast Series
 
CNDSP Assessment Template
CNDSP Assessment TemplateCNDSP Assessment Template
CNDSP Assessment Template
 
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
 
Information Security Fundamentals
Information Security FundamentalsInformation Security Fundamentals
Information Security Fundamentals
 
Information Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual FrameworkInformation Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual Framework
 
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
VDI and Application Virtualization
VDI and Application VirtualizationVDI and Application Virtualization
VDI and Application Virtualization
 

Dernier

Learn How Data Science Changes Our World
Learn How Data Science Changes Our WorldLearn How Data Science Changes Our World
Learn How Data Science Changes Our WorldEduminds Learning
 
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...Dr Arash Najmaei ( Phd., MBA, BSc)
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...Amil Baba Dawood bangali
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxMike Bennett
 
Networking Case Study prepared by teacher.pptx
Networking Case Study prepared by teacher.pptxNetworking Case Study prepared by teacher.pptx
Networking Case Study prepared by teacher.pptxHimangsuNath
 
IBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaIBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaManalVerma4
 
What To Do For World Nature Conservation Day by Slidesgo.pptx
What To Do For World Nature Conservation Day by Slidesgo.pptxWhat To Do For World Nature Conservation Day by Slidesgo.pptx
What To Do For World Nature Conservation Day by Slidesgo.pptxSimranPal17
 
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxmodul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxaleedritatuxx
 
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024Susanna-Assunta Sansone
 
SMOTE and K-Fold Cross Validation-Presentation.pptx
SMOTE and K-Fold Cross Validation-Presentation.pptxSMOTE and K-Fold Cross Validation-Presentation.pptx
SMOTE and K-Fold Cross Validation-Presentation.pptxHaritikaChhatwal1
 
Rithik Kumar Singh codealpha pythohn.pdf
Rithik Kumar Singh codealpha pythohn.pdfRithik Kumar Singh codealpha pythohn.pdf
Rithik Kumar Singh codealpha pythohn.pdfrahulyadav957181
 
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelDecoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelBoston Institute of Analytics
 
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...Boston Institute of Analytics
 
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxThe Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxTasha Penwell
 
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...Jack Cole
 
Principles and Practices of Data Visualization
Principles and Practices of Data VisualizationPrinciples and Practices of Data Visualization
Principles and Practices of Data VisualizationKianJazayeri1
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonReal-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonTimothy Spann
 
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfEnglish-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfblazblazml
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Boston Institute of Analytics
 

Dernier (20)

Learn How Data Science Changes Our World
Learn How Data Science Changes Our WorldLearn How Data Science Changes Our World
Learn How Data Science Changes Our World
 
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
6 Tips for Interpretable Topic Models _ by Nicha Ruchirawat _ Towards Data Sc...
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
 
Semantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptxSemantic Shed - Squashing and Squeezing.pptx
Semantic Shed - Squashing and Squeezing.pptx
 
Networking Case Study prepared by teacher.pptx
Networking Case Study prepared by teacher.pptxNetworking Case Study prepared by teacher.pptx
Networking Case Study prepared by teacher.pptx
 
IBEF report on the Insurance market in India
IBEF report on the Insurance market in IndiaIBEF report on the Insurance market in India
IBEF report on the Insurance market in India
 
What To Do For World Nature Conservation Day by Slidesgo.pptx
What To Do For World Nature Conservation Day by Slidesgo.pptxWhat To Do For World Nature Conservation Day by Slidesgo.pptx
What To Do For World Nature Conservation Day by Slidesgo.pptx
 
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptxmodul pembelajaran robotic Workshop _ by Slidesgo.pptx
modul pembelajaran robotic Workshop _ by Slidesgo.pptx
 
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024
FAIR, FAIRsharing, FAIR Cookbook and ELIXIR - Sansone SA - Boston 2024
 
SMOTE and K-Fold Cross Validation-Presentation.pptx
SMOTE and K-Fold Cross Validation-Presentation.pptxSMOTE and K-Fold Cross Validation-Presentation.pptx
SMOTE and K-Fold Cross Validation-Presentation.pptx
 
Rithik Kumar Singh codealpha pythohn.pdf
Rithik Kumar Singh codealpha pythohn.pdfRithik Kumar Singh codealpha pythohn.pdf
Rithik Kumar Singh codealpha pythohn.pdf
 
Data Analysis Project: Stroke Prediction
Data Analysis Project: Stroke PredictionData Analysis Project: Stroke Prediction
Data Analysis Project: Stroke Prediction
 
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis modelDecoding Movie Sentiments: Analyzing Reviews with Data Analysis model
Decoding Movie Sentiments: Analyzing Reviews with Data Analysis model
 
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...
Decoding the Heart: Student Presentation on Heart Attack Prediction with Data...
 
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptxThe Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
The Power of Data-Driven Storytelling_ Unveiling the Layers of Insight.pptx
 
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
why-transparency-and-traceability-are-essential-for-sustainable-supply-chains...
 
Principles and Practices of Data Visualization
Principles and Practices of Data VisualizationPrinciples and Practices of Data Visualization
Principles and Practices of Data Visualization
 
Real-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max PrincetonReal-Time AI Streaming - AI Max Princeton
Real-Time AI Streaming - AI Max Princeton
 
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdfEnglish-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
English-8-Q4-W3-Synthesizing-Essential-Information-From-Various-Sources-1.pdf
 
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
Data Analysis Project : Targeting the Right Customers, Presentation on Bank M...
 

NIST NVD REV 4 Security Controls Online Database Analysis

  • 1. NIST NVD 800 Rev4 Data Analysis Page 1 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H AC AC-1 ACCESS CONTROL POLICY AND PROCEDURES P1 AC-1 AC-1 AC-1 1 1 1 1 1 1 AC AC-2 ACCOUNT MANAGEMENT P1 AC-2 AC-2 (1) (2) (3) (4) AC-2 (1) (2) (3) (4) (5) (11) (12) (13) 1 5 9 1 1 1 4 8 (1) (1) (2) (2) (3) (3) (4) (4) (5) (11) (12) (13) AC AC-3 ACCESS ENFORCEMENT P1 AC-3 AC-3 AC-3 1 1 1 1 1 1 AC AC-4 INFORMATION FLOW ENFORCEMENT P1 AC-4 AC-4 1 1 1 1 AC AC-5 SEPARATION OF DUTIES P1 AC-5 AC-5 1 1 1 1 AC AC-6 LEAST PRIVILEGE P1 AC-6 (1) (2) (5) (9) (10) AC-6 (1) (2) (3) (5) (9) (10) 6 7 1 1 5 6 (1) (1) (2) (2) (5) (3) (9) (5) (10) (9) (10) AC AC-7 UNSUCCESSFUL LOGON ATTEMPTS P2 AC-7 AC-7 AC-7 1 1 1 1 1 1 AC AC-8 SYSTEM USE NOTIFICATION P1 AC-8 AC-8 AC-8 1 1 1 1 1 1 AC AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION P0 AC AC-10 CONCURRENT SESSION CONTROL P3 AC-10 1 1 AC AC-11 SESSION LOCK P3 AC-11 (1) AC-11 (1) 2 2 1 1 1 1 (1) (1) AC AC-12 SESSION TERMINATION P2 AC-12 AC-12 1 1 1 1 AC AC-13 SUPERVISION AND REVIEW - ACCESS CONTROL (blank) AC AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION P3 AC-14 AC-14 AC-14 1 1 1 1 1 1 AC AC-15 AUTOMATED MARKING (blank) AC AC-16 SECURITY ATTRIBUTES P0 AC AC-17 REMOTE ACCESS P1 AC-17 AC-17 (1) (2) (3) (4) AC-17 (1) (2) (3) (4) 1 5 5 1 1 1 4 4 (1) (1) (2) (2) (3) (3) (4) (4) AC AC-18 WIRELESS ACCESS P1 AC-18 AC-18 (1) AC-18 (1) (4) (5) 1 2 4 1 1 1 1 3 (1) (1) (4) (5) AC AC-19 ACCESS CONTROL FOR MOBILE DEVICES P1 AC-19 AC-19 (5) AC-19 (5) 1 2 2 1 1 1 1 1 (5) (5) AC AC-20 USE OF EXTERNAL INFORMATION SYSTEMS P1 AC-20 AC-20 (1) (2) AC-20 (1) (2) 1 3 3 1 1 1 2 2 (1) (1) (2) (2) AC AC-21 INFORMATION SHARING P2 AC-21 AC-21 1 1 1 1 AC AC-22 PUBLICLY ACCESSIBLE CONTENT P3 AC-22 AC-22 AC-22 1 1 1 1 1 1 AC AC-23 DATA MINING PROTECTION P0 AC AC-24 ACCESS CONTROL DECISIONS P0 AC AC-25 REFERENCE MONITOR P0 AT AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES P1 AT-1 AT-1 AT-1 1 1 1 1 1 1 AT AT-2 SECURITY AWARENESS TRAINING P1 AT-2 AT-2 (2) AT-2 (2) 1 2 2 1 1 1 1 1 (2) (2) AT AT-3 ROLE-BASED SECURITY TRAINING P1 AT-3 AT-3 AT-3 1 1 1 1 1 1 AT AT-4 SECURITY TRAINING RECORDS P3 AT-4 AT-4 AT-4 1 1 1 1 1 1 AT AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS (blank) AU AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES P1 AU-1 AU-1 AU-1 1 1 1 1 1 1 AU AU-2 AUDIT EVENTS P1 AU-2 AU-2 (3) AU-2 (3) 1 2 2 1 1 1 1 1 (3) (3) AU AU-3 CONTENT OF AUDIT RECORDS P1 AU-3 AU-3 (1) AU-3 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) AU AU-4 AUDIT STORAGE CAPACITY P1 AU-4 AU-4 AU-4 1 1 1 1 1 1 AU AU-5 RESPONSE TO AUDIT PROCESSING FAILURES P1 AU-5 AU-5 AU-5 (1) (2) 1 1 3 1 1 1 2 (1) (2) AU AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING P1 AU-6 AU-6 (1) (3) AU-6 (1) (3) (5) (6) 1 3 5 1 1 1 2 4 (1) (1) (3) (3) (5) (6) AU AU-7 AUDIT REDUCTION AND REPORT GENERATION P2 AU-7 (1) AU-7 (1) 2 2 1 1 1 1 (1) (1) AU AU-8 TIME STAMPS P1 AU-8 AU-8 (1) AU-8 (1) 1 2 2 1 1 1 1 1 (1) (1) AU AU-9 PROTECTION OF AUDIT INFORMATION P1 AU-9 AU-9 (4) AU-9 (2) (3) (4) 1 2 4 1 1 1 1 3 (4) (2) (3) (4) AU AU-10 NON-REPUDIATION P2 AU-10 1 1 AU AU-11 AUDIT RECORD RETENTION P3 AU-11 AU-11 AU-11 1 1 1 1 1 1 AU AU-12 AUDIT GENERATION P1 AU-12 AU-12 AU-12 (1) (3) 1 1 3 1 1 1 2 (1) (3) AU AU-13 MONITORING FOR INFORMATION DISCLOSURE P0 AU AU-14 SESSION AUDIT P0 AU AU-15 ALTERNATE AUDIT CAPABILITY P0 AU AU-16 CROSS-ORGANIZATIONAL AUDITING P0 CA CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES P1 CA-1 CA-1 CA-1 1 1 1 1 1 1 CA CA-2 SECURITY ASSESSMENTS P2 CA-2 CA-2 (1) CA-2 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) CA CA-3 SYSTEM INTERCONNECTIONS P1 CA-3 CA-3 (5) CA-3 (5) 1 2 2 1 1 1 1 1 (5) (5) CA CA-4 SECURITY CERTIFICATION (blank) CA CA-5 PLAN OF ACTION AND MILESTONES P3 CA-5 CA-5 CA-5 1 1 1 1 1 1 CA CA-6 SECURITY AUTHORIZATION P2 CA-6 CA-6 CA-6 1 1 1 1 1 1 CA CA-7 CONTINUOUS MONITORING P2 CA-7 CA-7 (1) CA-7 (1) 1 2 2 1 1 1 1 1 (1) (1) CA CA-8 PENETRATION TESTING P2 CA-8 1 1 CA CA-9 INTERNAL SYSTEM CONNECTIONS P2 CA-9 CA-9 CA-9 1 1 1 1 1 1 CM CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES P1 CM-1 CM-1 CM-1 1 1 1 1 1 1 CM CM-2 BASELINE CONFIGURATION P1 CM-2 CM-2 (1) (3) (7) CM-2 (1) (2) (3) (7) 1 4 5 1 1 1 3 4 (1) (1) (3) (2) (7) (3) (7) CM CM-3 CONFIGURATION CHANGE CONTROL P1 CM-3 (2) CM-3 (1) (2) 2 3 1 1 1 2 (2) (1) (2) CM CM-4 SECURITY IMPACT ANALYSIS P2 CM-4 CM-4 CM-4 (1) 1 1 2 1 1 1 1 (1) CM CM-5 ACCESS RESTRICTIONS FOR CHANGE P1 CM-5 CM-5 (1) (2) (3) 1 4 1 1 3 (1) (2) (3) CM CM-6 CONFIGURATION SETTINGS P1 CM-6 CM-6 CM-6 (1) (2) 1 1 3 1 1 1 2 (1) (2) CM CM-7 LEAST FUNCTIONALITY P1 CM-7 CM-7 (1) (2) (4) CM-7 (1) (2) (5) 1 4 4 1 1 1 3 3 (1) (1) (2) (2) (4) (5) CM CM-8 INFORMATION SYSTEM COMPONENT INVENTORY P1 CM-8 CM-8 (1) (3) (5) CM-8 (1) (2) (3) (4) (5) 1 4 6 1 1 1 3 5 (1) (1) (3) (2) (5) (3) (4) (5) CM CM-9 CONFIGURATION MANAGEMENT PLAN P1 CM-9 CM-9 1 1 1 1
  • 2. NIST NVD 800 Rev4 Data Analysis Page 2 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H CM CM-10 SOFTWARE USAGE RESTRICTIONS P2 CM-10 CM-10 CM-10 1 1 1 1 1 1 CM CM-11 USER-INSTALLED SOFTWARE P1 CM-11 CM-11 CM-11 1 1 1 1 1 1 CP CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES P1 CP-1 CP-1 CP-1 1 1 1 1 1 1 CP CP-2 CONTINGENCY PLAN P1 CP-2 CP-2 (1) (3) (8) CP-2 (1) (2) (3) (4) (5) (8) 1 4 7 1 1 1 3 6 (1) (1) (3) (2) (8) (3) (4) (5) (8) CP CP-3 CONTINGENCY TRAINING P2 CP-3 CP-3 CP-3 (1) 1 1 2 1 1 1 1 (1) CP CP-4 CONTINGENCY PLAN TESTING P2 CP-4 CP-4 (1) CP-4 (1) (2) 1 2 3 1 1 1 1 2 (1) (1) (2) CP CP-5 CONTINGENCY PLAN UPDATE (blank) CP CP-6 ALTERNATE STORAGE SITE P1 CP-6 (1) (3) CP-6 (1) (2) (3) 3 4 1 1 2 3 (1) (1) (3) (2) (3) CP CP-7 ALTERNATE PROCESSING SITE P1 CP-7 (1) (2) (3) CP-7 (1) (2) (3) (4) 4 5 1 1 3 4 (1) (1) (2) (2) (3) (3) (4) CP CP-8 TELECOMMUNICATIONS SERVICES P1 CP-8 (1) (2) CP-8 (1) (2) (3) (4) 3 5 1 1 2 4 (1) (1) (2) (2) (3) (4) CP CP-9 INFORMATION SYSTEM BACKUP P1 CP-9 CP-9 (1) CP-9 (1) (2) (3) (5) 1 2 5 1 1 1 1 4 (1) (1) (2) (3) (5) CP CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION P1 CP-10 CP-10 (2) CP-10 (2) (4) 1 2 3 1 1 1 1 2 (2) (2) (4) CP CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS P0 CP CP-12 SAFE MODE P0 CP CP-13 ALTERNATIVE SECURITY MECHANISMS P0 IA IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES P1 IA-1 IA-1 IA-1 1 1 1 1 1 1 IA IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) P1 IA-2 (1) (12) IA-2 (1) (2) (3) (8) (11) (12) IA-2 (1) (2) (3) (4) (8) (9) (11) (12) 3 7 9 1 1 1 2 6 8 (1) (1) (1) (12) (2) (2) (3) (3) (8) (4) (11) (8) (12) (9) (11) (12) IA IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION P1 IA-3 IA-3 1 1 1 1 IA IA-4 IDENTIFIER MANAGEMENT P1 IA-4 IA-4 IA-4 1 1 1 1 1 1 IA IA-5 AUTHENTICATOR MANAGEMENT P1 IA-5 (1) (11) IA-5 (1) (2) (3) (11) IA-5 (1) (2) (3) (11) 3 5 5 1 1 1 2 4 4 (1) (1) (1) (11) (2) (2) (3) (3) (11) (11) IA IA-6 AUTHENTICATOR FEEDBACK P2 IA-6 IA-6 IA-6 1 1 1 1 1 1 IA IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION P1 IA-7 IA-7 IA-7 1 1 1 1 1 1 IA IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) P1 IA-8 (1) (2) (3) (4) IA-8 (1) (2) (3) (4) IA-8 (1) (2) (3) (4) 5 5 5 1 1 1 4 4 4 (1) (1) (1) (2) (2) (2) (3) (3) (3) (4) (4) (4) IA IA-9 SERVICE IDENTIFICATION AND AUTHENTICATION P0 IA IA-10 ADAPTIVE IDENTIFICATION AND AUTHENTICATION P0 IA IA-11 RE-AUTHENTICATION P0 IR IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES P1 IR-1 IR-1 IR-1 1 1 1 1 1 1 IR IR-2 INCIDENT RESPONSE TRAINING P2 IR-2 IR-2 IR-2 (1) (2) 1 1 3 1 1 1 2 (1) (2) IR IR-3 INCIDENT RESPONSE TESTING P2 IR-3 (2) IR-3 (2) 2 2 1 1 1 1 (2) (2) IR IR-4 INCIDENT HANDLING P1 IR-4 IR-4 (1) IR-4 (1) (4) 1 2 3 1 1 1 1 2 (1) (1) (4) IR IR-5 INCIDENT MONITORING P1 IR-5 IR-5 IR-5 (1) 1 1 2 1 1 1 1 (1) IR IR-6 INCIDENT REPORTING P1 IR-6 IR-6 (1) IR-6 (1) 1 2 2 1 1 1 1 1 (1) (1) IR IR-7 INCIDENT RESPONSE ASSISTANCE P2 IR-7 IR-7 (1) IR-7 (1) 1 2 2 1 1 1 1 1 (1) (1) IR IR-8 INCIDENT RESPONSE PLAN P1 IR-8 IR-8 IR-8 1 1 1 1 1 1 IR IR-9 INFORMATION SPILLAGE RESPONSE P0 IR IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM P0 MA MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES P1 MA-1 MA-1 MA-1 1 1 1 1 1 1 MA MA-2 CONTROLLED MAINTENANCE P2 MA-2 MA-2 MA-2 (2) 1 1 2 1 1 1 1 (2) MA MA-3 MAINTENANCE TOOLS P3 MA-3 (1) (2) MA-3 (1) (2) (3) 3 4 1 1 2 3 (1) (1) (2) (2) (3) MA MA-4 NONLOCAL MAINTENANCE P2 MA-4 MA-4 (2) MA-4 (2) (3) 1 2 3 1 1 1 1 2 (2) (2) (3) MA MA-5 MAINTENANCE PERSONNEL P2 MA-5 MA-5 MA-5 (1) 1 1 2 1 1 1 1 (1) MA MA-6 TIMELY MAINTENANCE P2 MA-6 MA-6 1 1 1 1 MP MP-1 MEDIA PROTECTION POLICY AND PROCEDURES P1 MP-1 MP-1 MP-1 1 1 1 1 1 1 MP MP-2 MEDIA ACCESS P1 MP-2 MP-2 MP-2 1 1 1 1 1 1 MP MP-3 MEDIA MARKING P2 MP-3 MP-3 1 1 1 1 MP MP-4 MEDIA STORAGE P1 MP-4 MP-4 1 1 1 1 MP MP-5 MEDIA TRANSPORT P1 MP-5 (4) MP-5 (4) 2 2 1 1 1 1 (4) (4) MP MP-6 MEDIA SANITIZATION P1 MP-6 MP-6 MP-6 (1) (2) (3) 1 1 4 1 1 1 3 (1) (2) (3) MP MP-7 MEDIA USE P1 MP-7 MP-7 (1) MP-7 (1) 1 2 2 1 1 1 1 1 (1) (1) MP MP-8 MEDIA DOWNGRADING P0 PE PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES P1 PE-1 PE-1 PE-1 1 1 1 1 1 1 PE PE-2 PHYSICAL ACCESS AUTHORIZATIONS P1 PE-2 PE-2 PE-2 1 1 1 1 1 1 PE PE-3 PHYSICAL ACCESS CONTROL P1 PE-3 PE-3 PE-3 (1) 1 1 2 1 1 1 1 (1) PE PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM P1 PE-4 PE-4 1 1 1 1 PE PE-5 ACCESS CONTROL FOR OUTPUT DEVICES P2 PE-5 PE-5 1 1 1 1 PE PE-6 MONITORING PHYSICAL ACCESS P1 PE-6 PE-6 (1) PE-6 (1) (4) 1 2 3 1 1 1 1 2 (1) (1) (4) PE PE-7 VISITOR CONTROL (blank) PE PE-8 VISITOR ACCESS RECORDS P3 PE-8 PE-8 PE-8 (1) 1 1 2 1 1 1 1 (1) PE PE-9 POWER EQUIPMENT AND CABLING P1 PE-9 PE-9 1 1 1 1 PE PE-10 EMERGENCY SHUTOFF P1 PE-10 PE-10 1 1 1 1 PE PE-11 EMERGENCY POWER P1 PE-11 PE-11 (1) 1 2 1 1 1 (1) PE PE-12 EMERGENCY LIGHTING P1 PE-12 PE-12 PE-12 1 1 1 1 1 1 PE PE-13 FIRE PROTECTION P1 PE-13 PE-13 (3) PE-13 (1) (2) (3) 1 2 4 1 1 1 1 3 (3) (1) (2) (3) PE PE-14 TEMPERATURE AND HUMIDITY CONTROLS P1 PE-14 PE-14 PE-14 1 1 1 1 1 1
  • 3. NIST NVD 800 Rev4 Data Analysis Page 3 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H PE PE-15 WATER DAMAGE PROTECTION P1 PE-15 PE-15 PE-15 (1) 1 1 2 1 1 1 1 (1) PE PE-16 DELIVERY AND REMOVAL P2 PE-16 PE-16 PE-16 1 1 1 1 1 1 PE PE-17 ALTERNATE WORK SITE P2 PE-17 PE-17 1 1 1 1 PE PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS P3 PE-18 1 1 PE PE-19 INFORMATION LEAKAGE P0 PE PE-20 ASSET MONITORING AND TRACKING P0 PL PL-1 SECURITY PLANNING POLICY AND PROCEDURES P1 PL-1 PL-1 PL-1 1 1 1 1 1 1 PL PL-2 SYSTEM SECURITY PLAN P1 PL-2 PL-2 (3) PL-2 (3) 1 2 2 1 1 1 1 1 (3) (3) PL PL-3 SYSTEM SECURITY PLAN UPDATE (blank) PL PL-4 RULES OF BEHAVIOR P2 PL-4 PL-4 (1) PL-4 (1) 1 2 2 1 1 1 1 1 (1) (1) PL PL-5 PRIVACY IMPACT ASSESSMENT (blank) PL PL-6 SECURITY-RELATED ACTIVITY PLANNING (blank) PL PL-7 SECURITY CONCEPT OF OPERATIONS P0 PL PL-8 INFORMATION SECURITY ARCHITECTURE P1 PL-8 PL-8 1 1 1 1 PL PL-9 CENTRAL MANAGEMENT P0 PM PM-1 INFORMATION SECURITY PROGRAM PLAN (blank) PM PM-2 SENIOR INFORMATION SECURITY OFFICER (blank) PM PM-3 INFORMATION SECURITY RESOURCES (blank) PM PM-4 PLAN OF ACTION AND MILESTONES PROCESS (blank) PM PM-5 INFORMATION SYSTEM INVENTORY (blank) PM PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE (blank) PM PM-7 ENTERPRISE ARCHITECTURE (blank) PM PM-8 CRITICAL INFRASTRUCTURE PLAN (blank) PM PM-9 RISK MANAGEMENT STRATEGY (blank) PM PM-10 SECURITY AUTHORIZATION PROCESS (blank) PM PM-11 MISSION/BUSINESS PROCESS DEFINITION (blank) PM PM-12 INSIDER THREAT PROGRAM (blank) PM PM-13 INFORMATION SECURITY WORKFORCE (blank) PM PM-14 TESTING, TRAINING, AND MONITORING (blank) PM PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS (blank) PM PM-16 THREAT AWARENESS PROGRAM (blank) PS PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES P1 PS-1 PS-1 PS-1 1 1 1 1 1 1 PS PS-2 POSITION RISK DESIGNATION P1 PS-2 PS-2 PS-2 1 1 1 1 1 1 PS PS-3 PERSONNEL SCREENING P1 PS-3 PS-3 PS-3 1 1 1 1 1 1 PS PS-4 PERSONNEL TERMINATION P1 PS-4 PS-4 PS-4 (2) 1 1 2 1 1 1 1 (2) PS PS-5 PERSONNEL TRANSFER P2 PS-5 PS-5 PS-5 1 1 1 1 1 1 PS PS-6 ACCESS AGREEMENTS P3 PS-6 PS-6 PS-6 1 1 1 1 1 1 PS PS-7 THIRD-PARTY PERSONNEL SECURITY P1 PS-7 PS-7 PS-7 1 1 1 1 1 1 PS PS-8 PERSONNEL SANCTIONS P3 PS-8 PS-8 PS-8 1 1 1 1 1 1 RA RA-1 RISK ASSESSMENT POLICY AND PROCEDURES P1 RA-1 RA-1 RA-1 1 1 1 1 1 1 RA RA-2 SECURITY CATEGORIZATION P1 RA-2 RA-2 RA-2 1 1 1 1 1 1 RA RA-3 RISK ASSESSMENT P1 RA-3 RA-3 RA-3 1 1 1 1 1 1 RA RA-4 RISK ASSESSMENT UPDATE (blank) RA RA-5 VULNERABILITY SCANNING P1 RA-5 RA-5 (1) (2) (5) RA-5 (1) (2) (4) (5) 1 4 5 1 1 1 3 4 (1) (1) (2) (2) (5) (4) (5) RA RA-6 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY P0 SA SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES P1 SA-1 SA-1 SA-1 1 1 1 1 1 1 SA SA-2 ALLOCATION OF RESOURCES P1 SA-2 SA-2 SA-2 1 1 1 1 1 1 SA SA-3 SYSTEM DEVELOPMENT LIFE CYCLE P1 SA-3 SA-3 SA-3 1 1 1 1 1 1 SA SA-4 ACQUISITION PROCESS P1 SA-4 (10) SA-4 (1) (2) (9) (10) SA-4 (1) (2) (9) (10) 2 5 5 1 1 1 1 4 4 (10) (1) (1) (2) (2) (9) (9) (10) (10) SA SA-5 INFORMATION SYSTEM DOCUMENTATION P2 SA-5 SA-5 SA-5 1 1 1 1 1 1 SA SA-6 SOFTWARE USAGE RESTRICTIONS (blank) SA SA-7 USER-INSTALLED SOFTWARE (blank) SA SA-8 SECURITY ENGINEERING PRINCIPLES P1 SA-8 SA-8 1 1 1 1 SA SA-9 EXTERNAL INFORMATION SYSTEM SERVICES P1 SA-9 SA-9 (2) SA-9 (2) 1 2 2 1 1 1 1 1 (2) (2) SA SA-10 DEVELOPER CONFIGURATION MANAGEMENT P1 SA-10 SA-10 1 1 1 1 SA SA-11 DEVELOPER SECURITY TESTING AND EVALUATION P1 SA-11 SA-11 1 1 1 1 SA SA-12 SUPPLY CHAIN PROTECTION P1 SA-12 1 1 SA SA-13 TRUSTWORTHINESS P0 SA SA-14 CRITICALITY ANALYSIS P0 SA SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS P2 SA-15 1 1 SA SA-16 DEVELOPER-PROVIDED TRAINING P2 SA-16 1 1 SA SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN P1 SA-17 1 1 SA SA-18 TAMPER RESISTANCE AND DETECTION P0 SA SA-19 COMPONENT AUTHENTICITY P0
  • 4. NIST NVD 800 Rev4 Data Analysis Page 4 of 4 Priority 256 100% P3 12 4.7% P2 36 14.1% P1 122 47.7% 137 82 44 11 93 71 49 18 20 19 14 11 7 9 2 5 1 4 3 2 P0 54 21.1% Combined Count Control Count Enhance Count Level 1 Count Level 2 Count Level 3 Count Level 4 Count Level 5 Count Level 6 Count Level 7 Count Level 8 Count (blank) 32 12.5% 124 261 343 115 159 170 9 102 173 4 53 71 3 23 42 1 15 26 1 8 17 2 7 1 5 3 2 FAMILY ID SECURITY CONTROL TITLE P Low Mod High L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H L M H SA SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS P0 SA SA-21 DEVELOPER SCREENING P0 SA SA-22 UNSUPPORTED SYSTEM COMPONENTS P0 SC SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES P1 SC-1 SC-1 SC-1 1 1 1 1 1 1 SC SC-2 APPLICATION PARTITIONING P1 SC-2 SC-2 1 1 1 1 SC SC-3 SECURITY FUNCTION ISOLATION P1 SC-3 1 1 SC SC-4 INFORMATION IN SHARED RESOURCES P1 SC-4 SC-4 1 1 1 1 SC SC-5 DENIAL OF SERVICE PROTECTION P1 SC-5 SC-5 SC-5 1 1 1 1 1 1 SC SC-6 RESOURCE AVAILABILITY P0 SC SC-7 BOUNDARY PROTECTION P1 SC-7 SC-7 (3) (4) (5) (7) SC-7 (3) (4) (5) (7) (8) (18) (21) 1 5 8 1 1 1 4 7 (3) (3) (4) (4) (5) (5) (7) (7) (8) (18) (21) SC SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY P1 SC-8 (1) SC-8 (1) 2 2 1 1 1 1 (1) (1) SC SC-9 TRANSMISSION CONFIDENTIALITY (blank) SC SC-10 NETWORK DISCONNECT P2 SC-10 SC-10 1 1 1 1 SC SC-11 TRUSTED PATH P0 SC SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT P1 SC-12 SC-12 SC-12 (1) 1 1 2 1 1 1 1 (1) SC SC-13 CRYPTOGRAPHIC PROTECTION P1 SC-13 SC-13 SC-13 1 1 1 1 1 1 SC SC-14 PUBLIC ACCESS PROTECTIONS (blank) SC SC-15 COLLABORATIVE COMPUTING DEVICES P1 SC-15 SC-15 SC-15 1 1 1 1 1 1 SC SC-16 TRANSMISSION OF SECURITY ATTRIBUTES P0 SC SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES P1 SC-17 SC-17 1 1 1 1 SC SC-18 MOBILE CODE P2 SC-18 SC-18 1 1 1 1 SC SC-19 VOICE OVER INTERNET PROTOCOL P1 SC-19 SC-19 1 1 1 1 SC SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) P1 SC-20 SC-20 SC-20 1 1 1 1 1 1 SC SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) P1 SC-21 SC-21 SC-21 1 1 1 1 1 1 SC SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE P1 SC-22 SC-22 SC-22 1 1 1 1 1 1 SC SC-23 SESSION AUTHENTICITY P1 SC-23 SC-23 1 1 1 1 SC SC-24 FAIL IN KNOWN STATE P1 SC-24 1 1 SC SC-25 THIN NODES P0 SC SC-26 HONEYPOTS P0 SC SC-27 PLATFORM-INDEPENDENT APPLICATIONS P0 SC SC-28 PROTECTION OF INFORMATION AT REST P1 SC-28 SC-28 1 1 1 1 SC SC-29 HETEROGENEITY P0 SC SC-30 CONCEALMENT AND MISDIRECTION P0 SC SC-31 COVERT CHANNEL ANALYSIS P0 SC SC-32 INFORMATION SYSTEM PARTITIONING P0 SC SC-33 TRANSMISSION PREPARATION INTEGRITY (blank) SC SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS P0 SC SC-35 HONEYCLIENTS P0 SC SC-36 DISTRIBUTED PROCESSING AND STORAGE P0 SC SC-37 OUT-OF-BAND CHANNELS P0 SC SC-38 OPERATIONS SECURITY P0 SC SC-39 PROCESS ISOLATION P1 SC-39 SC-39 SC-39 1 1 1 1 1 1 SC SC-40 WIRELESS LINK PROTECTION P0 SC SC-41 PORT AND I/O DEVICE ACCESS P0 SC SC-42 SENSOR CAPABILITY AND DATA P0 SC SC-43 USAGE RESTRICTIONS P0 SC SC-44 DETONATION CHAMBERS P0 SI SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES P1 SI-1 SI-1 SI-1 1 1 1 1 1 1 SI SI-2 FLAW REMEDIATION P1 SI-2 SI-2 (2) SI-2 (1) (2) 1 2 3 1 1 1 1 2 (2) (1) (2) SI SI-3 MALICIOUS CODE PROTECTION P1 SI-3 SI-3 (1) (2) SI-3 (1) (2) 1 3 3 1 1 1 2 2 (1) (1) (2) (2) SI SI-4 INFORMATION SYSTEM MONITORING P1 SI-4 SI-4 (2) (4) (5) SI-4 (2) (4) (5) 1 4 4 1 1 1 3 3 (2) (2) (4) (4) (5) (5) SI SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES P1 SI-5 SI-5 SI-5 (1) 1 1 2 1 1 1 1 (1) SI SI-6 SECURITY FUNCTION VERIFICATION P1 SI-6 1 1 SI SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY P1 SI-7 (1) (7) SI-7 (1) (2) (5) (7) (14) 3 6 1 1 2 5 (1) (1) (7) (2) (5) (7) (14) SI SI-8 SPAM PROTECTION P2 SI-8 (1) (2) SI-8 (1) (2) 3 3 1 1 2 2 (1) (1) (2) (2) SI SI-9 INFORMATION INPUT RESTRICTIONS (blank) SI SI-10 INFORMATION INPUT VALIDATION P1 SI-10 SI-10 1 1 1 1 SI SI-11 ERROR HANDLING P2 SI-11 SI-11 1 1 1 1 SI SI-12 INFORMATION HANDLING AND RETENTION P2 SI-12 SI-12 SI-12 1 1 1 1 1 1 SI SI-13 PREDICTABLE FAILURE PREVENTION P0 SI SI-14 NON-PERSISTENCE P0 SI SI-15 INFORMATION OUTPUT FILTERING P0 SI SI-16 MEMORY PROTECTION P1 SI-16 SI-16 1 1 1 1 SI SI-17 FAIL-SAFE PROCEDURES P0