NIST SP 800-53B Control Baselines for Information Systems and Organizations
Hello, this is Maruyama Mitsuhiko (丸山満彦).
NIST has published SP 800-53B Control Baselines for Information Systems and Organizations, the baseline set of security and privacy controls for the federal government...
There are four baselines in total: three security control baselines (one each for low-, moderate-, and high-impact systems) plus a privacy baseline that applies to systems regardless of impact level...
Chapter three is nothing but tables... so the important material is in chapters one and two...
● NIST - ITL
・2020.10.29 (publications) SP 800-53B Control Baselines for Information Systems and Organizations
・[PDF] SP 800-53B
・Supplemental Material: [web] Security Control Overlay Repository (SCOR)
・Other Parts of this Publication: [web] SP 800-53 Rev. 5
■ References
● まるちゃんの情報セキュリティ気まぐれ日記 (Maru-chan's Information Security Diary)
・2020.09.24 NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
・2020.08.01 NIST SP 800-53B (Draft) Control Baselines for Information Systems and Organizations
Abstract
This publication provides security and privacy control baselines for the Federal Government. There are three security control baselines (one for each system impact level—low-impact, moderate-impact, and high-impact), as well as a privacy baseline that is applied to systems irrespective of impact level. In addition to the control baselines, this publication provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process. Finally, this publication provides guidance on the development of overlays to facilitate control baseline customization for specific communities of interest, technologies, and environments of operation.
Executive Summary
As we push computers to “the edge,” building an increasingly complex world of connected information systems and devices, security and privacy will continue to dominate the national dialogue. In its 2017 report entitled, Task Force on Cyber Deterrence [DSB 2017], the Defense Science Board provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the information systems that support mission-essential operations and assets in the public and private sectors.
“…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…”
There is an urgent need to further strengthen the underlying information systems, component products, and services that the Nation depends on in every sector of the critical infrastructure—ensuring that those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.
NIST SP 800-53B responds to the call of the Defense Science Board by providing a proactive and systemic approach to developing and making available to federal agencies and private sector organizations a comprehensive set of security and privacy control baselines for all types of computing platforms, including general-purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, and industrial and process control systems. The control baselines provide a starting point for organizations in the security and privacy control selection process. Using the tailoring guidance and assumptions provided, organizations can customize their security and privacy control baselines to ensure that they have the capability to protect their critical and essential operations and assets.
Table of Contents
CHAPTER ONE INTRODUCTION
1.1 PURPOSE AND APPLICABILITY
1.2 TARGET AUDIENCE
1.3 ORGANIZATIONAL RESPONSIBILITIES
1.4 RELATIONSHIP TO OTHER PUBLICATIONS
1.5 REVISIONS AND EXTENSIONS
1.6 PUBLICATION ORGANIZATION
CHAPTER TWO THE FUNDAMENTALS
2.1 CONTROL BASELINES
2.2 SELECTING CONTROL BASELINES
2.3 CONTROL BASELINE ASSUMPTIONS
2.4 TAILORING CONTROL BASELINES
2.5 CAPABILITIES
CHAPTER THREE THE CONTROL BASELINES (BY FAMILY)
3.1 ACCESS CONTROL FAMILY
3.2 AWARENESS AND TRAINING FAMILY
3.3 AUDIT AND ACCOUNTABILITY FAMILY
3.4 ASSESSMENT, AUTHORIZATION, AND MONITORING FAMILY
3.5 CONFIGURATION MANAGEMENT FAMILY
3.6 CONTINGENCY PLANNING FAMILY
3.7 IDENTIFICATION AND AUTHENTICATION FAMILY
3.8 INCIDENT RESPONSE FAMILY
3.9 MAINTENANCE FAMILY
3.10 MEDIA PROTECTION FAMILY
3.11 PHYSICAL AND ENVIRONMENTAL PROTECTION FAMILY
3.12 PLANNING FAMILY
3.13 PROGRAM MANAGEMENT FAMILY
3.14 PERSONNEL SECURITY FAMILY
3.15 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING AND TRANSPARENCY FAMILY
3.16 RISK ASSESSMENT FAMILY
3.17 SYSTEM AND SERVICES ACQUISITION FAMILY
3.18 SYSTEM AND COMMUNICATIONS PROTECTION FAMILY
3.19 SYSTEM AND INFORMATION INTEGRITY FAMILY
3.20 SUPPLY CHAIN RISK MANAGEMENT FAMILY
REFERENCES
APPENDIX A GLOSSARY
APPENDIX B ACRONYMS
APPENDIX C OVERLAYS