NIST Special Publication 800-12
Revision 1
An Introduction to Information Security
Michael Nieles
Kelley Dempsey
Victoria Yan Pillitteri
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-12
Revision 1
An Introduction to Information Security
Michael Nieles
Kelley Dempsey
Victoria Yan Pillitteri
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
June 2017
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Kent Rochford, Acting NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal systems, but such standards and guidelines shall not apply to national
security systems without the express approval of appropriate federal officials exercising policy authority
over such systems. This guideline is consistent with the requirements of the Office of Management and
Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-12 Revision 1
Natl. Inst. Stand. Technol. Spec. Publ. 800-12 Rev. 1, 101 pages (June 2017)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies,.
This document summarizes NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems and organizations. It describes how organizations can select controls to protect operations, assets, individuals and organizations from threats. The controls are customizable and implemented as part of an organization-wide risk management process. It also describes how specialized control overlays can be developed for specific environments. Finally, it addresses both security functionality and assurance to ensure systems are sufficiently trustworthy.
NIST Special Publication 800-53 Revision 4 Securit.docxvannagoforth
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
________________________________________________________________________________________________
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
Comments on this publication ma ...
This document proposes five core primitives that are building blocks for Networks of 'Things' (NoTs), including the Internet of Things (IoT):
1) Sensors - which measure physical properties and output data
2) Aggregators - which collect and process data from multiple sensors
3) Communication channels - which allow for data transfer between primitives
4) External utilities (eUtilities) - which are entities outside the NoT that can input or output data
5) Decision triggers - which initiate actions based on aggregated data
These primitives provide a framework for analyzing reliability, security, and trust in NoTs.
This document summarizes NIST Special Publication 800-53 Revision 5 which provides a catalog of security and privacy controls for information systems and organizations. It contains controls that protect operations, assets, individuals and organizations from various threats. The controls are flexible, customizable and implemented as part of managing risk. They address diverse requirements from mission needs, laws, and policies. The controls consider both functionality, the strength of functions, and assurance, the confidence in security/privacy capabilities. This helps ensure trustworthy information technology and systems.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
This document provides guidance to help organizations plan for and recover from cybersecurity events (cyber events). It aims to help organizations develop customized recovery playbooks. Recovery involves both tactical and strategic phases. The tactical phase involves executing the pre-planned recovery playbook in response to a cyber event. The strategic phase focuses on continuously improving all cybersecurity capabilities based on lessons learned to mitigate future impacts. The guidance covers planning, testing, metrics, and improving recovery capabilities over time based on experience with past events. The goal is to integrate recovery planning into an organization's overall risk management processes.
This document provides guidance on preventing and handling malware incidents for desktops and laptops. It discusses understanding malware threats, implementing prevention techniques, and responding to incidents. Recommendations are provided for each phase of the incident response lifecycle: preparation, detection/analysis, containment/eradication/recovery, and lessons learned. Key prevention techniques include policy, awareness training, vulnerability mitigation, threat mitigation using antivirus software, and defensive architecture methods like sandboxing. The document emphasizes the importance of detection, analysis and identifying infected hosts to minimize damage from incidents.
NIST Special Publication 800-52 Revision 2 Guidelines .docxgibbonshay
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
August 2019
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of Management
and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-52 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Rev. 2, 72 pages (August 2019)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The .
This document summarizes NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems and organizations. It describes how organizations can select controls to protect operations, assets, individuals and organizations from threats. The controls are customizable and implemented as part of an organization-wide risk management process. It also describes how specialized control overlays can be developed for specific environments. Finally, it addresses both security functionality and assurance to ensure systems are sufficiently trustworthy.
NIST Special Publication 800-53 Revision 4 Securit.docxvannagoforth
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
________________________________________________________________________________________________
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-53, Revision 4
462 pages (April 2013)
CODEN: NSPUE2
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-53r4
Comments on this publication ma ...
This document proposes five core primitives that are building blocks for Networks of 'Things' (NoTs), including the Internet of Things (IoT):
1) Sensors - which measure physical properties and output data
2) Aggregators - which collect and process data from multiple sensors
3) Communication channels - which allow for data transfer between primitives
4) External utilities (eUtilities) - which are entities outside the NoT that can input or output data
5) Decision triggers - which initiate actions based on aggregated data
These primitives provide a framework for analyzing reliability, security, and trust in NoTs.
This document summarizes NIST Special Publication 800-53 Revision 5 which provides a catalog of security and privacy controls for information systems and organizations. It contains controls that protect operations, assets, individuals and organizations from various threats. The controls are flexible, customizable and implemented as part of managing risk. They address diverse requirements from mission needs, laws, and policies. The controls consider both functionality, the strength of functions, and assurance, the confidence in security/privacy capabilities. This helps ensure trustworthy information technology and systems.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
This document provides guidance to help organizations plan for and recover from cybersecurity events (cyber events). It aims to help organizations develop customized recovery playbooks. Recovery involves both tactical and strategic phases. The tactical phase involves executing the pre-planned recovery playbook in response to a cyber event. The strategic phase focuses on continuously improving all cybersecurity capabilities based on lessons learned to mitigate future impacts. The guidance covers planning, testing, metrics, and improving recovery capabilities over time based on experience with past events. The goal is to integrate recovery planning into an organization's overall risk management processes.
This document provides guidance on preventing and handling malware incidents for desktops and laptops. It discusses understanding malware threats, implementing prevention techniques, and responding to incidents. Recommendations are provided for each phase of the incident response lifecycle: preparation, detection/analysis, containment/eradication/recovery, and lessons learned. Key prevention techniques include policy, awareness training, vulnerability mitigation, threat mitigation using antivirus software, and defensive architecture methods like sandboxing. The document emphasizes the importance of detection, analysis and identifying infected hosts to minimize damage from incidents.
NIST Special Publication 800-52 Revision 2 Guidelines .docxgibbonshay
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
August 2019
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of Management
and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-52 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Rev. 2, 72 pages (August 2019)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The .
NIST Special Publication 800-52 Revision 2 Guidelines .docxvannagoforth
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
August 2019
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of Management
and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-52 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Rev. 2, 72 pages (August 2019)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The ...
This document provides guidelines for securing mobile devices used in enterprises. It discusses mobile device management technologies that can be used for centralized control and security. The document covers the full life cycle of securing mobile devices, from initial planning and deployment to ongoing maintenance. Regular assessments are recommended to ensure policies are being followed correctly. The guidelines are intended to help organizations securely support both organization-issued and personal devices.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
SP 800-150, the Guide to Cyber Threat Information SharingDavid Sweigert
This document provides guidelines for organizations to establish coordinated computer security incident response capabilities through active cyber threat information sharing and ongoing coordination with partners. It discusses the benefits of information sharing and challenges to overcome. Various information sharing architectures and both formal and informal sharing communities are described. The document also provides guidance on understanding an organization's current cybersecurity capabilities, establishing and maintaining information sharing relationships, and protecting sensitive incident response data.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
This document provides guidance on securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). It discusses ICS and typical topologies, identifies common threats and vulnerabilities, and recommends security countermeasures. The document aims to address ICS unique performance, reliability, and safety requirements. It has been updated with the latest ICS threats, practices, architectures, activities, and security capabilities. An overlay of tailored NIST SP 800-53 controls for low, moderate, and high impact ICS is included.
This document introduces information security continuous monitoring (ISCM) which is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It describes how establishing an ISCM strategy and program can help organizations move from compliance-driven to data-driven risk management. Key aspects covered include defining an ISCM strategy, establishing an ISCM program, implementing the program, analyzing and reporting findings, responding to findings, and reviewing and updating the strategy and program. Both automated and manual processes have roles to play in ISCM.
NIST SP 800-137 Information security continuous monitoring (ISCM)David Sweigert
This document provides guidance for implementing Information Security Continuous Monitoring (ISCM) programs in federal agencies to maintain ongoing authorization of information systems and support risk management decisions. It discusses establishing an ISCM strategy based on the organization's mission and architecture. Key aspects of the ISCM process include defining roles and responsibilities, implementing automated monitoring capabilities, analyzing data to identify security issues, responding appropriately to findings, and regularly reviewing and updating the monitoring program. The publication aims to help agencies proactively manage information security risks to systems and missions over time.
This document provides guidelines for using firewalls to protect sensitive unclassified information in federal computer systems. It summarizes a 2002 NIST publication on firewalls and firewall policy that has since been superseded. The publication outlines best practices for acquiring and implementing firewalls and developing firewall policies. It has been archived for historical purposes only and federal organizations are now directed to follow guidelines in the 2009 revised version of the publication.
FOR MORE CLASSES VISIT
www.tutorialoutlet.com
Case Study #1: Technology & Product Review for Endpoint Protection Solutions
Case Scenario:
Red Clay Renovations (the “client”) has requested that your company research and recommend
an Endpoint Protection Platform which will provide host-based protection for the laptop PC’s used by its
construction managers and architects.
NIST SP 800-171 - Protecting Controlled Unclassified Information David Sweigert
This document is NIST Special Publication 800-171, which provides recommended requirements for protecting controlled unclassified information (CUI) in nonfederal information systems and organizations. It was written by experts from NIST, the National Archives and Records Administration, the Department of Defense, and the Institute for Defense Analyses. The publication establishes requirements in 3 categories - access control, awareness and training, and audit and accountability. It is intended to help nonfederal entities comply with security requirements for handling CUI received from federal agencies.
Glossary - Standard Security Terms - NIST VocabularyDavid Sweigert
This document is a glossary of key information security terms from NIST publications and the CNSSI-4009. It contains definitions for over 800 terms and points to the source documents for each term defined. The glossary is intended to provide a central resource for common security terms and definitions used in NIST and CNSS publications. Comments and suggestions can be sent to secglossary@nist.gov.
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
This document provides guidance for applying systems security engineering principles and practices to the development of secure systems. It discusses integrating security considerations into each stage of the system development life cycle based on the International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers 15288 standard for systems and software engineering. The purpose is to address security issues from stakeholders' protection needs and requirements perspectives using established engineering processes to ensure those needs are adequately addressed throughout the system life cycle.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
Sp800 55 Rev1 Performance Measurement Guide For Information SecurityJoao Couto
This document provides guidance on developing and implementing performance measures to assess the effectiveness of information security controls and programs. It describes a process for establishing measures that are quantifiable and can be used to track performance over time. The measures developed should indicate how well security policies are implemented, how efficiently security controls operate, and the impact of any security issues. This will help organizations comply with laws like FISMA and use security metrics to improve practices and allocate resources. The guidance can be applied at the individual system or enterprise program level.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
NPV, IRR, Payback period,— PA1Correlates with CLA2 (NPV portion.docxpicklesvalery
NPV, IRR, Payback period,—> PA1
Correlates with CLA2 (NPV portion)
Real world examples
Which method is used more commonly?
Reference
**************
make 4 PPT slides. bullet points on the slides. speech notes on note area needed references
.
Now that you have had the opportunity to review various Cyber At.docxpicklesvalery
Now that you have had the opportunity to review various Cyber Attack Scenarios, it is now your turn to create one. As a Group you will identify a Scenario plagued with Cyber Threats. Each team will then be required to create a Threat Model (Logic Diagram) with various options. Selections will result in another option.
Below are some examples of possible Threat Modeling activities.
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
Each team will be required to present their Threat Model via Powerpoint and present to the class on Day 3. Each member of the team will be required to submit a copy of their teams powerpoint.
Subject :
Spring 2020 - Emerging Threats & Countermeas (ITS-834-25) - Full Term
Documentation :
https://www.cs.montana.edu/courses/csci476/topics/threat_modeling.pdf
Example :
https://www.helpsystems.com/blog/break-time-6-cybersecurity-games-youll-love
1. Targeted Attack: The Game
2. Cybersecurity Lab
3. Cyber Awareness Challenge
4. Keep Tradition Secure
What you need to do:
Write one page abstract
DO one page PPT
Write 2 pages main paper for this two topics( Library users and librarian & User credentials )
Draw a diagram if possible
.
More Related Content
Similar to NIST Special Publication 800-12 Revision 1 An Introduc.docx
NIST Special Publication 800-52 Revision 2 Guidelines .docxvannagoforth
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
C O M P U T E R S E C U R I T Y
NIST Special Publication 800-52
Revision 2
Guidelines for the Selection,
Configuration, and Use of Transport
Layer Security (TLS) Implementations
Kerry A. McKay
David A. Cooper
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
August 2019
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
minimum requirements for federal information systems, but such standards and guidelines shall not apply
to national security systems without the express approval of appropriate federal officials exercising policy
authority over such systems. This guideline is consistent with the requirements of the Office of Management
and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special Publication 800-52 Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-52 Rev. 2, 72 pages (August 2019)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-52r2
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other publications currently under development by NIST in accordance
with its assigned statutory responsibilities. The ...
This document provides guidelines for securing mobile devices used in enterprises. It discusses mobile device management technologies that can be used for centralized control and security. The document covers the full life cycle of securing mobile devices, from initial planning and deployment to ongoing maintenance. Regular assessments are recommended to ensure policies are being followed correctly. The guidelines are intended to help organizations securely support both organization-issued and personal devices.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
SP 800-150, the Guide to Cyber Threat Information SharingDavid Sweigert
This document provides guidelines for organizations to establish coordinated computer security incident response capabilities through active cyber threat information sharing and ongoing coordination with partners. It discusses the benefits of information sharing and challenges to overcome. Various information sharing architectures and both formal and informal sharing communities are described. The document also provides guidance on understanding an organization's current cybersecurity capabilities, establishing and maintaining information sharing relationships, and protecting sensitive incident response data.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
This document provides guidance on securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLC). It discusses ICS and typical topologies, identifies common threats and vulnerabilities, and recommends security countermeasures. The document aims to address ICS unique performance, reliability, and safety requirements. It has been updated with the latest ICS threats, practices, architectures, activities, and security capabilities. An overlay of tailored NIST SP 800-53 controls for low, moderate, and high impact ICS is included.
This document introduces information security continuous monitoring (ISCM) which is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It describes how establishing an ISCM strategy and program can help organizations move from compliance-driven to data-driven risk management. Key aspects covered include defining an ISCM strategy, establishing an ISCM program, implementing the program, analyzing and reporting findings, responding to findings, and reviewing and updating the strategy and program. Both automated and manual processes have roles to play in ISCM.
NIST SP 800-137 Information security continuous monitoring (ISCM)David Sweigert
This document provides guidance for implementing Information Security Continuous Monitoring (ISCM) programs in federal agencies to maintain ongoing authorization of information systems and support risk management decisions. It discusses establishing an ISCM strategy based on the organization's mission and architecture. Key aspects of the ISCM process include defining roles and responsibilities, implementing automated monitoring capabilities, analyzing data to identify security issues, responding appropriately to findings, and regularly reviewing and updating the monitoring program. The publication aims to help agencies proactively manage information security risks to systems and missions over time.
This document provides guidelines for using firewalls to protect sensitive unclassified information in federal computer systems. It summarizes a 2002 NIST publication on firewalls and firewall policy that has since been superseded. The publication outlines best practices for acquiring and implementing firewalls and developing firewall policies. It has been archived for historical purposes only and federal organizations are now directed to follow guidelines in the 2009 revised version of the publication.
FOR MORE CLASSES VISIT
www.tutorialoutlet.com
Case Study #1: Technology & Product Review for Endpoint Protection Solutions
Case Scenario:
Red Clay Renovations (the “client”) has requested that your company research and recommend
an Endpoint Protection Platform which will provide host-based protection for the laptop PC’s used by its
construction managers and architects.
NIST SP 800-171 - Protecting Controlled Unclassified Information David Sweigert
This document is NIST Special Publication 800-171, which provides recommended requirements for protecting controlled unclassified information (CUI) in nonfederal information systems and organizations. It was written by experts from NIST, the National Archives and Records Administration, the Department of Defense, and the Institute for Defense Analyses. The publication establishes requirements in 3 categories - access control, awareness and training, and audit and accountability. It is intended to help nonfederal entities comply with security requirements for handling CUI received from federal agencies.
Glossary - Standard Security Terms - NIST VocabularyDavid Sweigert
This document is a glossary of key information security terms from NIST publications and the CNSSI-4009. It contains definitions for over 800 terms and points to the source documents for each term defined. The glossary is intended to provide a central resource for common security terms and definitions used in NIST and CNSS publications. Comments and suggestions can be sent to secglossary@nist.gov.
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityDavid Sweigert
This document provides guidance for applying systems security engineering principles and practices to the development of secure systems. It discusses integrating security considerations into each stage of the system development life cycle based on the International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers 15288 standard for systems and software engineering. The purpose is to address security issues from stakeholders' protection needs and requirements perspectives using established engineering processes to ensure those needs are adequately addressed throughout the system life cycle.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
Sp800 55 Rev1 Performance Measurement Guide For Information SecurityJoao Couto
This document provides guidance on developing and implementing performance measures to assess the effectiveness of information security controls and programs. It describes a process for establishing measures that are quantifiable and can be used to track performance over time. The measures developed should indicate how well security policies are implemented, how efficiently security controls operate, and the impact of any security issues. This will help organizations comply with laws like FISMA and use security metrics to improve practices and allocate resources. The guidance can be applied at the individual system or enterprise program level.
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
Similar to NIST Special Publication 800-12 Revision 1 An Introduc.docx (20)
NPV, IRR, Payback period,— PA1Correlates with CLA2 (NPV portion.docxpicklesvalery
NPV, IRR, Payback period,—> PA1
Correlates with CLA2 (NPV portion)
Real world examples
Which method is used more commonly?
Reference
**************
make 4 PPT slides. bullet points on the slides. speech notes on note area needed references
.
Now that you have had the opportunity to review various Cyber At.docxpicklesvalery
Now that you have had the opportunity to review various Cyber Attack Scenarios, it is now your turn to create one. As a Group you will identify a Scenario plagued with Cyber Threats. Each team will then be required to create a Threat Model (Logic Diagram) with various options. Selections will result in another option.
Below are some examples of possible Threat Modeling activities.
https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
Each team will be required to present their Threat Model via Powerpoint and present to the class on Day 3. Each member of the team will be required to submit a copy of their teams powerpoint.
Subject :
Spring 2020 - Emerging Threats & Countermeas (ITS-834-25) - Full Term
Documentation :
https://www.cs.montana.edu/courses/csci476/topics/threat_modeling.pdf
Example :
https://www.helpsystems.com/blog/break-time-6-cybersecurity-games-youll-love
1. Targeted Attack: The Game
2. Cybersecurity Lab
3. Cyber Awareness Challenge
4. Keep Tradition Secure
What you need to do:
Write one page abstract
DO one page PPT
Write 2 pages main paper for this two topics( Library users and librarian & User credentials )
Draw a diagram if possible
.
Now that you have completed a series of assignments that have led yo.docxpicklesvalery
Now that you have completed a series of assignments that have led you into the active project planning and development stage for your project "
Work Overload in Healthcare System"
, briefly describe your proposed solution to address the problem, issue, suggestion, initiative, or educational need and how it has changed since you first envisioned it. What led to your current perspective and direction?
.
Now that you have completed your paper (ATTACHED), build and deliver.docxpicklesvalery
Now that you have completed your paper (ATTACHED), build and deliver a presentation that details your solution to the healthcare issue that serves as your topic.
In your presentation, you should:
Exhibit comprehensive research and understanding by referencing important points and insights from the perspectives of inquiry papers.
Present your issue and your argument for your solution
Demonstrate effective oral communication skills:
Exhibit competency in using virtual presentation tools and techniques.
Demonstrate planning, preparation, and practice.
Employ effective visual elements (multimedia).
.
Now that you have identified the revenue-related internal contro.docxpicklesvalery
Now that you have identified the revenue-related internal control that relates to the five assertions (existence, completeness, accuracy or valuation, rights and obligations, and presentation and disclosure), the test of controls will need to be identified for each assertion and internal control.
For this assignment, you will write and submit 400–500 words that set specific tests of internal controls for the 5 internal controls related to management assertions that you identified for the Unit 4
.
Now that you have read about Neandertals and modern Homo sapiens.docxpicklesvalery
Now that you have read about Neandertals and modern Homo sapiens, do you think that peoples' attitudes towards Neandertals in the past (and some today) was and is racist in nature? If you do, do you think the view is changing?
Answer the above question in an essay between 125 and 150 words.
.
Now that you have had an opportunity to explore ethics formally, cre.docxpicklesvalery
Now that you have had an opportunity to explore ethics formally, create a reflective assessment of your learning experience and the collaborations you engaged in throughout this session. You will submit
both
of the following:
A written reflection
For the written reflection, address Jane Doe's and respond to the following:
Articulate again your moral theory from week eight discussion (You can revise it if you wish). What two ethical theories best apply to it? Why those two?
week 8 discussion :’’The ethical philosophy chosen is utilitarianism. This philosophy is attributable to happiness if identified actions are right or harmful if the actions are considered to be wrong regardless of the prevailing conditions (Sen, 2019). It is meaningful to me since it is focused on contentment. Thus its moral obligation and importance is that it advocates for the satisfaction of the parties involved. The precedents of utilitarianism philosophy entail the following; that happiness of everyone counts uniformly, that actions are right if they result in pleasure otherwise wrong if they render unhappiness and that pleasure is the only thing that matters.
John Doe's involves a fiction scenario tailored at protecting the identity of witnesses in a case. Thus it is a slang name that informally represents the witnesses in a case to prevent them from manipulation by the defendant as their identity is rendered secretive (Smart, 2018). By application of the utilitarianism philosophy, a witness is considered to be happy (contented) if the identity is not revealed before the case for law during prosecution and hence we aspire to gain useful evidence. The morality of the theory revolves around its reliability as its only main obligation is to render witnesses pleasured. However, it might be termed immoral in situations where faithful information is required about every detail of the underlying case since no matter what; identity of the witnesses ought not to be revealed. Thus compromises its integrity.
Veil of ignorance constitutes the ethical reasoning whereby fair ruling is anticipated from a case by denying the parties involved any information that might bias them into suspecting who might benefit more from the ruling(Heen,2020). Thus in John Doe's case, when the identity of the witnesses is hidden, it is hard to identify possible relations of them with the plaintiff or defendant. This makes the judges seek justice independent of any information are sympathy to one of the parties at the expense of the other.’’
Apply to Jane Doe's case your personal moral philosophy as developed in week eight discussion and now. Use it to determine if what Jane Doe did was ethical or unethical per your own moral philosophy.
Consider if some of these examples are more grave instances of ethical transgressions than others. Explain.
Propose a course of social action and a solution by using the ethics of egoism, utilitarianism, the "veil of ignorance" method, deontological pr.
Novel Literary Exploration EssayWrite a Literary Exploration Ess.docxpicklesvalery
Novel Literary Exploration Essay
Write a Literary Exploration Essay for
Crow Lake
and additional texts on the following topic:
What is your opinion of the idea that the past can affect whom people become as adults?
.
Notifications My CommunityHomeBBA 3551-16P-5A19-S3, Inform.docxpicklesvalery
Notifications My CommunityHome
BBA 3551-16P-5A19-S3, Information Systems Management
Unit VIII
Unit VIII Introduction
During this term we have introduced many
different aspects of information systems
management. I hope you have learned lots of
new terms and concepts that will help you in
school and your career. In this unit we will
cover how systems are developed or created.
Organizations have a variety of tools,
methodologies, and processes that can be
used to assist in the development and
deployment of their information system.
Keep up the good work. Let me know if you
have any questions or issues.
Professor Bulloch
Unit VIII Study Guide
Click the link above to open the unit study
guide, which contains this unit's lesson and
reading assignment(s). This information is
necessary in order to complete this course.
Unit VIII Discussion Board
Weight: 2% of course grade
Grading Rubric
Comment Due: Saturday, 05/18/2019
11:59 PM (CST)
Response Due: Tuesday, 05/21/2019
11:59 PM (CST)
Go to Unit VIII Discussion Board »
Unit VIII Essay
Weight: 12% of course grade
Grading Rubric
Due: Tuesday, 05/21/2019 11:59 PM
(CST)
Instructions
Identify the components of an
information system (IS) using the five-
component framework, and provide a
brief summary of each.
Explain Porter’s five forces model.
Management IS (MIS) incorporate
software and hardware technologies to
provide useful information for decision-
making. Explain each of the following IS,
and use at least one example in each to
support your discussion:
a collaboration information system,
a database management system,
a content management system,
a knowledge management/expert
system,
a customer relationship
management system,
an enterprise resource planning
system,
a social media IS,
a business intelligence/decision
support system, and
an enterprise IS.
Identify and discuss one technical and
one human safeguard to protect against
IS security threats.
There are several processes that can be
used to develop IS and applications
such as systems development life cycle
(SDLC) and scrum (agile development).
Provide a brief description of SDLC and
scrum, and then discuss at least one
similarity and one difference between
SDLC and scrum
Sum up your paper by discussing the
importance of MIS.
In this final assignment, you will develop a
paper that reviews some of the main topics
covered in the course. Compose an essay
to address the elements listed below.
Your paper must be at least three pages in
length (not counting the title and reference
pages), and you must use at least two
resources. Be sure to cite all sources used
in APA format, and format your essay in
APA style.
Submit Unit VIII Essay »
�
›
� Logout�� Mary Katz
5/15/19, 12(27 PM
Page 1 of 1
BBA 3551, Information Systems Management
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
1. .
November-December 2013 • Vol. 22/No. 6 359
Beverly Waller Dabney, PhD, RN, is Associate Professor, Southwestern Adventist University,
Keene, TX.
Huey-Ming Tzeng, PhD, RN, FAAN, is Professor of Nursing and Associate Dean for Academic
Programs, College of Nursing, Washington State University, Spokane, WA.
Service Quality and Patient-Centered
Care
L
eaders of the U.S. Depart -
ment of Health & Human
Services (2011) urge providers
to improve the overall quality of
health care by making it more
patient centered. Patient-centered
care (or person-centered care) refers
to the therapeutic relationship
between health care providers and
recipients of health care services,
with emphasis on meeting the
needs of individual patients. Al -
though the term has been used
widely in recent years, it remains a
poorly defined and conceptualized
phenomenon (Hobbs, 2009).
Patient-centered care is believed
to be holistic nursing care. It pro-
vides a mechanism for nurses to
engage patients as active partici-
pants in every aspect of their health
(Scott, 2010). Patient shadowing
and care flow mapping were used to
create a sense of empathy and
urgency among clinicians by clarify-
ing the patient and family experi-
ence. These two approaches, which
were meant to promote patient-cen-
tered care, can improve patient sat-
isfaction scores without increasing
costs (DiGioia, Lorenz, Greenhouse,
Bertoty, & Rocks, 2010). A better
under standing of attributes of
patient-centered care and areas for
improvement is needed in order to
develop nursing policies that in -
crease the use of this model in health
care settings.
The purpose of this discussion is
to clarify the concept of patient-cen-
tered care for consistency with the
common understanding about pa -
tient satisfaction and the quality of
care delivered from nurses to
patients. Attributes from a customer
service model, the Gap Model of
Service Quality, are used in a focus
on the perspective of the patient as
the driver and evaluator of service
quality. Relevant literature and the
Gap Model of Service Quality
(Parasuraman, Zeithaml, & Leonard,
1985) are reviewed. Four gaps in
patient-centered care are identified,
with discussion of nursing implica-
tions.
Background and Brief
Literature Review
Patient-Centered Care
The Institute of Medicine (IOM,
2001a) and Epstein and Street (2011)
identified patient-centeredness as
one of the areas for improvement in
health care quality. The IOM (2001b)
defined patient-centeredness as
…health care that establishes a
partnership among practition-
ers, patients, and their families
(when appropriate) to ensure
that decisions respect patients’
wants, needs, and preferences
and that patients have the edu-
cation and support they require
to make decisions and partici-
pate in their own care… (p. 7)
Charmel and Frampton (2008)
defined patient-centered care as
…a healthcare setting in which
patients are encouraged to be
actively involved in their care,
with a physical environment
t.
NOTEPlease pay attention to the assignment instructionsZero.docxpicklesvalery
NOTE:
Please pay attention to the assignment instructions
Zero plagiarism
Five references
The Assignment: (1- to 2-page Comparison Grid; 1- to 2-page Legislation Testimony/Advocacy Statement)
Part 1: Legislation Comparison Grid
Based on the health-related bill (proposed, not enacted) you selected, complete the Legislation Comparison Grid Template. Be sure to address the following:
Determine the legislative intent of the bill you have reviewed.
Identify the proponents/opponents of the bill.
Identify the target populations addressed by the bill.
Where in the process is the bill currently? Is it in hearings or committees?
Is it receiving press coverage?
Part 2: Legislation Testimony/Advocacy Statement
Based on the health-related bill you selected, develop a 1- to 2-page Legislation Testimony/Advocacy Statement that addresses the following:
Advocate a position for the bill you selected and write testimony in support of your position.
Describe how you would address the opponent to your position. Be specific and provide examples.
Recommend at least one amendment to the bill in support of your position.
.
NOTE Everything in BOLD are things that I need to turn in for m.docxpicklesvalery
NOTE: Everything in
BOLD
are things that I need to turn in for my part.
Think of how many risks come into play when you decide to conduct a simple project, such as painting your living room. The following are some examples of risks:
What type of paint will you use (and can you afford high-quality paint)?
Who will move that brand new, big screen TV?
Who is going to paint?
Do you have the time, money, and resources?
Have you ever considered any of this, or do you simply cover up as much things as you can and start painting?
Risks exist regardless of whether people acknowledge it or not. Depending on the complexity of the project, the number and type of risk multiplies. Everyone has their own solution to each risk, but when working with a group within an organization, fragmentation such as this becomes counterproductive and a major risk in the end.
Scenario :
I have come with an Idea called ROSE which stands for Reserve on Site Easily, its a application that can be used on any phone. How it works is by lets say someone doesn't have a Wi-Fi connection or is not by Wi-Fi. What would happen is once by or near Wi-Fi their reservations will be saved and than will be sent to the hotel they would like to stay at, this will save a lot of time for not only them but the hotel as well. This will also save their spot until they have reached Wi-Fi, this will also be able to show what's available and what's not available when not on Wi-Fi.
Assignment:
Group Portion
As a group, you are to describe a project that all of you will participate in, and include the following:
Define the goal of the project
List the project's duration
Explain who are the stakeholders (those who participate)
*** Review benefits by the project implementation *** (My Portions)
Explain your need for resources
You need not go into in-depth details on the project.
Individual Portion
Each group member is to come up with 2 risks to this project. Each risk must include the following elements:
What technique(s) was used to identify the risk?
What type of risk is it, and does it have specific IT elements and considerations?
How was the risk assessed, and how does it rank with all of the risks identified by the group?
Is the risk qualitative or quantitative, and does it work with an EMV or Pareto analysis with all of the risks identified by the group?
What is the response to this risk, assuming it occurs during the project's lifecycle?
Provide at least 2 contingency plans for this risk (one primary and a second backup).
Group Portion
Combine the individual portion into a cohesive 6–8-page report that also includes the following:
A summary of the project (as discussed in the 1st group discussion)
How will the risks be monitored and controlled?
How will risks be communicated to all project participants?
*** What EVM comes from the risk management plan? *** (My Portion)
Are there any special tools utilized by the plan to manage all identified risks?
.
Note Be sure to focus only on the causes of the problem in this.docxpicklesvalery
Note: Be sure to focus only on the causes of the problem in this paper; do not consider effects or solutions.
A. Write a causal analysis essay (
suggested length of 3–7 pages
). In your essay, do the following:
1. Address an appropriate topic.
2. Provide an effective introduction.
3. Provide an appropriate thesis statement that previews
two
to
four
causes.
4. Explain the causes of the problem.
5. Provide evidence to support your claim.
6. Provide an effective conclusion.
B. Include
at least
two
academically credible sources in the body of your essay.
1. For your sources, include all in-text citations and references in APA format.
C. Demonstrate professional communication in the content and presentation of your submission.
.
Note I’ll provide my sources in the morning, and lmk if you hav.docxpicklesvalery
Note: I’ll provide my sources in the morning, and lmk if you have any questions since the instructions aren’t very detailed.
Objective
This research paper is an opportunity to demonstrate your understanding of issues and theories in critical Canadian Communication Studies. It is also an opportunity to demonstrate and practise scholarly research, critical thinking and good writing. Your paper will present an identifiable argument, a clear thesis and scholarly research.
Evaluation (20% of final grade)
Evaluation will be based on evidence that you have used
10 scholarly sources
to support and interpret your thesis. Use sources from your annotated bibliography. Include any number of additional popular sources (e.g., government documents, news item, film, web material) in addition to your 10 scholarly sources. The latter (in brackets above) are not scholarly sources.
Format
Margins: 2.5cm (one inch)
Length: 6-8 pages (not including title page or bibliography), double-spaced text
Font: 12-point, Times New Roman
APA format
Topic:
Fake news
is a recently-named genre in our contemporary media landscape. With reference to a specific example, argue for or against the idea that fake news harms democracy in Canada. Potential examples include disinformation tactics during an election campaign or deep fakes of notable people. Consider questions such as these: What is fake news? What are the implications for democracy in Canada and for the “marketplace of ideas” if we cannot distinguish fake news? Does objective and balanced journalism lose validity in the face of fake news?
.
Note Here, the company I mentioned was Qualcomm 1. Email is the.docxpicklesvalery
Note: Here, the company I mentioned was Qualcomm
1. Email is the most commonly used form of communication for businesses. To what degree does your company use email?
2. Imagine that this internship position is your long-term place of employment. What computer or technology equipment would you change and why?
.
Note Please follow instructions to the T.Topic of 3 page pape.docxpicklesvalery
Note: Please follow instructions to the T.
Topic of 3 page paper : a brief presentation on the corona virus on the U.S economy. I am asking for a 3 page summary presentation on the current status of the corona virus as it effects those working in government emergency management positions --focus on the emergency management operations centers (EOCs) in the state of Florida. This report paper will discuss the current involvement of the EOC in working with the businesses and other industries in the state of Florida that are dealing with the closing of businesses and other either forced closing of certain businesses and industries . Please provide information on what you are finding in your 3 page report are the effects of the corona virus on the closing of commerce and the potential repercussion of these forced shut downs by our government that will effect the economy. Make the paper a research type paper of interest to you and what you are concerned about as it may effect you and your job should a force closing be made that effects you.
PLEASE READ THIS ARTICLE BELOW AND USE THE SUBJECT MATTER IN THIS ARTICLE AS DIRECTION FOR YOUR PAPER
Example of a report as follows-- please do not copy an printed document/ article or other publication --make this your work and a report with your opinions and concerns.
Coronavirus triggers cancellations, closures and contingency planning across the country
With daily reports of the deadly coronavirus spreading (Links to an external site.) into communities across the country, schools (Links to an external site.), companies, religious organizations and local governments are grappling with whether to shut down facilities and cancel events or to proceed, cautiously, as planned.
Increasingly, organizations are opting to cancel large gatherings, encourage remote work or take other steps (Links to an external site.) reflecting an abundance of caution about the virus, according to interviews with officials in several states. Others are making contingency plans about more-significant steps they might take in the case of a wider outbreak.
Washington Gov. Jay Inslee (Links to an external site.) (D) said people should prepare for disruptions in their daily lives as a result of the novel coronavirus, which has killed nine people in the state.
“Folks should begin to think about avoiding large events and assemblies,” Inslee said Monday. “We are not making a request formally right now for events to be canceled, but people should be prepared for that possibility.”
While the virus has been deadliest in Washington state, it has spread across the United States, with more than a dozen states reporting infections. There have been several instances of people contracting the virus while inside the country.
The response effort so far has been fragmented, with conflicting messages about the level of threat and the need for significant lifestyle changes.
“The general rule is, use common sense,” said Health and Human Services Secret.
Note A full-sentence outline differs from bullet points because e.docxpicklesvalery
Note:
A full-sentence outline differs from bullet points because each section of the outline must be a complete sentence. Each part may only have one sentence in it. Capital letters are ideas that support the thesis.
Your outline must contain a minimum of 12 full sentences as follows.
The thesis statement of the paper (2 sentences minimum)
4 key points to support the thesis statement:
What is the issue and why is it significant? (2 full sentences minimum to clarify this point)
How would your first philosopher address your issue? (2 full sentences minimum to clarify this point)
How would your second philosopher address your issue? (2 full sentences minimum to clarify this point)
How would you apply your philosophers’ principles to your issue in modern society? (2 full sentences minimum to clarify this point)
Conclusion (2 sentences minimum)
Topic: Is the issue of racism painful in today's society?
Philosophers: John Locke & Thomas Hobbes
Resources
.
Notable photographers 1980 to presentAlmas, ErikAraki, No.docxpicklesvalery
Notable photographers: 1980 to present
Almas, Erik
Araki, Nobuyoshi
Balog, James
Bar-Am, Micha
Barbieri, Olivo
Clang, John
Clark, Larry
Consentino, Manuel
Crewdson, Gregory
Day, Corinne
Effendi, Rena
Flores, Ricky
Fontana, Franco
Galella, Ron
Geddes, Anne
Ghirri, Luigi
Goldberger, Sacha
Goldblatt, David
Goldin, Nan
Goldsworthy, Andy
Grannan, Katy
Gursky, Andreas
Herbert, Gerald
Higgins Jr., Chester
Hockney, David
Johansson, Erik
Johnson, Kremer
Jones, Charles
JR
Kander, Nadav
Kawauchi, Rinko
Kepule, Katrina
Kruger, Barbara
Kwon, Sue
Lanting Frans
Lassry, Elad
Lemoigne, Jean-Yves
Leone, Lisa
Luce, Kirsten
Manzano, Javier
Mapplethorpe, Robert
McGinley, Ryan
Modu, Chi
Mull, Carter
Neshat, Shirin
Nick Knight
Nilsson, Lennart
Opie, Catherine
Pao, Basil
Peters, Jennifer (and Michael Taylor)
.
Note 2 political actions that are in line with Socialism and explain.docxpicklesvalery
Note 2 political actions that are in line with Socialism and explain why and how they relate to the concepts attached to this ideology. List your sources.
2- Answer the questions below. List your source(s) for all your answers:
A) Why is Communism considered a dying ideology? Provide 2 arguments to support your answer.
B) Has Communism ever existed in practice? Use one example to support your answer.
800 words maximum
.
Andreas Schleicher presents PISA 2022 Volume III - Creative Thinking - 18 Jun...EduSkills OECD
Andreas Schleicher, Director of Education and Skills at the OECD presents at the launch of PISA 2022 Volume III - Creative Minds, Creative Schools on 18 June 2024.
Brand Guideline of Bashundhara A4 Paper - 2024khabri85
It outlines the basic identity elements such as symbol, logotype, colors, and typefaces. It provides examples of applying the identity to materials like letterhead, business cards, reports, folders, and websites.
THE SACRIFICE HOW PRO-PALESTINE PROTESTS STUDENTS ARE SACRIFICING TO CHANGE T...indexPub
The recent surge in pro-Palestine student activism has prompted significant responses from universities, ranging from negotiations and divestment commitments to increased transparency about investments in companies supporting the war on Gaza. This activism has led to the cessation of student encampments but also highlighted the substantial sacrifices made by students, including academic disruptions and personal risks. The primary drivers of these protests are poor university administration, lack of transparency, and inadequate communication between officials and students. This study examines the profound emotional, psychological, and professional impacts on students engaged in pro-Palestine protests, focusing on Generation Z's (Gen-Z) activism dynamics. This paper explores the significant sacrifices made by these students and even the professors supporting the pro-Palestine movement, with a focus on recent global movements. Through an in-depth analysis of printed and electronic media, the study examines the impacts of these sacrifices on the academic and personal lives of those involved. The paper highlights examples from various universities, demonstrating student activism's long-term and short-term effects, including disciplinary actions, social backlash, and career implications. The researchers also explore the broader implications of student sacrifices. The findings reveal that these sacrifices are driven by a profound commitment to justice and human rights, and are influenced by the increasing availability of information, peer interactions, and personal convictions. The study also discusses the broader implications of this activism, comparing it to historical precedents and assessing its potential to influence policy and public opinion. The emotional and psychological toll on student activists is significant, but their sense of purpose and community support mitigates some of these challenges. However, the researchers call for acknowledging the broader Impact of these sacrifices on the future global movement of FreePalestine.
How to Download & Install Module From the Odoo App Store in Odoo 17Celine George
Custom modules offer the flexibility to extend Odoo's capabilities, address unique requirements, and optimize workflows to align seamlessly with your organization's processes. By leveraging custom modules, businesses can unlock greater efficiency, productivity, and innovation, empowering them to stay competitive in today's dynamic market landscape. In this tutorial, we'll guide you step by step on how to easily download and install modules from the Odoo App Store.
Information and Communication Technology in EducationMJDuyan
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 2)-𝐏𝐫𝐞𝐥𝐢𝐦𝐬
𝐄𝐱𝐩𝐥𝐚𝐢𝐧 𝐭𝐡𝐞 𝐈𝐂𝐓 𝐢𝐧 𝐞𝐝𝐮𝐜𝐚𝐭𝐢𝐨𝐧:
Students will be able to explain the role and impact of Information and Communication Technology (ICT) in education. They will understand how ICT tools, such as computers, the internet, and educational software, enhance learning and teaching processes. By exploring various ICT applications, students will recognize how these technologies facilitate access to information, improve communication, support collaboration, and enable personalized learning experiences.
𝐃𝐢𝐬𝐜𝐮𝐬𝐬 𝐭𝐡𝐞 𝐫𝐞𝐥𝐢𝐚𝐛𝐥𝐞 𝐬𝐨𝐮𝐫𝐜𝐞𝐬 𝐨𝐧 𝐭𝐡𝐞 𝐢𝐧𝐭𝐞𝐫𝐧𝐞𝐭:
-Students will be able to discuss what constitutes reliable sources on the internet. They will learn to identify key characteristics of trustworthy information, such as credibility, accuracy, and authority. By examining different types of online sources, students will develop skills to evaluate the reliability of websites and content, ensuring they can distinguish between reputable information and misinformation.
NIST Special Publication 800-12 Revision 1 An Introduc.docx
1. NIST Special Publication 800-12
Revision 1
An Introduction to Information Security
Michael Nieles
Kelley Dempsey
Victoria Yan Pillitteri
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
C O M P U T E R S E C U R I T Y
2. NIST Special Publication 800-12
Revision 1
An Introduction to Information Security
Michael Nieles
Kelley Dempsey
Victoria Yan Pillitteri
Computer Security Division
Information Technology Laboratory
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
June 2017
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
3. Kent Rochford, Acting NIST Director and Under Secretary of
Commerce for Standards and Technology
Authority
This publication has been developed by NIST in accordance
with its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA) of
2014, 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information
security standards and guidelines, including
minimum requirements for federal systems, but such standards
and guidelines shall not apply to national
security systems without the express approval of appropriate
federal officials exercising policy authority
over such systems. This guideline is consistent with the
requirements of the Office of Management and
Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the
standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce
under statutory authority. Nor should these
guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce,
Director of the OMB, or any other federal official. This
publication may be used by nongovernmental
organizations on a voluntary basis and is not subject to
copyright in the United States. Attribution would,
however, be appreciated by NIST.
National Institute of Standards and Technology Special
Publication 800-12 Revision 1
4. Natl. Inst. Stand. Technol. Spec. Publ. 800-12 Rev. 1, 101 pages
(June 2017)
CODEN: NSPUE2
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-12r1
Certain commercial entities, equipment, or materials may be
identified in this document in order to describe an
experimental procedure or concept adequately. Such
identification is not intended to imply recommendation or
endorsement by NIST, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best
available for the purpose.
There may be references in this publication to other
publications currently under development by NIST in
accordance
with its assigned statutory responsibilities. The information in
this publication, including concepts and methodologies,
may be used by federal agencies even before the completion of
such companion publications. Thus, until each
publication is completed, current requirements, guidelines, and
procedures, where they exist, remain operative. For
planning and transition purposes, federal agencies may wish to
closely follow the development of these new
publications by NIST.
Organizations are encouraged to review all draft publications
during public comment periods and provide feedback to
NIST. Many NIST cybersecurity publications, other than the
ones noted above, are available at
http://csrc.nist.gov/publications.
5. Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology
Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-
8930
Email: [email protected]
All comments are subject to release under the Freedom of
Information Act (FOIA).
http://csrc.nist.gov/publications
mailto:[email protected]
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
ii
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
6. P
.800-12r1
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National
Institute of Standards and
Technology (NIST) promotes the U.S. economy and public
welfare by providing technical
leadership for the Nation’s measurement and standards
infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and
technical analyses to advance the
development and productive use of information technology.
ITL’s responsibilities include the
development of management, administrative, technical, and
physical standards and guidelines for
the cost-effective security and privacy of other than national
security-related information in federal
systems. The Special Publication 800-series reports on ITL’s
research, guidelines, and outreach
efforts in systems security as well as its collaborative activities
with industry, government, and
academic organizations.
Abstract
Organizations rely heavily on the use of information technology
(IT) products and services to run
their day-to-day activities. Ensuring the security of these
products and services is of the utmost
importance for the success of the organization. This publication
introduces the information
security principles that organizations may leverage to
7. understand the information security needs
of their respective systems.
Keywords
assurance; computer security; information security;
introduction; risk management; security
controls; security requirements
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
iii
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
P
.800-12r1
8. Acknowledgements
The authors would like to thank everyone who took the time to
review and make comments on
the draft of this publication, specifically Celia Paulsen, Ned
Goren, Isabel Van Wyk, and Rathini
Vijayaverl of the National Institute of Standards and
Technology (NIST). The authors would also
like to acknowledge the original authors, Barbara Guttman and
Edward A. Roback, as well as all
those individuals who contributed to the original version of this
publication.
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
iv
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
9. .S
P
.800-12r1
Table of Contents
1 Introduction
...............................................................................................
............. 1
1.1 Purpose
...............................................................................................
.............. 1
1.2 Intended Audience
............................................................................................ 1
1.3 Organization
...............................................................................................
....... 1
1.4 Important Terminology
...................................................................................... 2
1.5 Legal Foundation for Federal Information Security Programs
........................... 3
1.6 Related NIST Publications
................................................................................ 4
2 Elements of Information Security
......................................................................... 7
2.1 Information security supports the mission of the
organization ........................... 7
2.2 Information security is an integral element of sound
management ................... 8
2.3 Information security protections are implemented so as to be
commensurate
with risk
...............................................................................................
10. .................... 8
2.4 Information security roles and responsibilities are made
explicit ....................... 9
2.5 Information security responsibilities for system owners go
beyond their own
organization
...............................................................................................
............. 9
2.6 Information security requires a comprehensive and
integrated approach ......... 9
2.6.1 Interdependencies of security controls
............................................... 10
2.6.2 Other interdependencies
.................................................................... 10
2.7 Information security is assessed and monitored regularly
............................... 10
2.8 Information security is constrained by societal and cultural
factors ................. 11
3 Roles and
Responsibilities.......................................................................
........... 13
3.1 Risk Executive Function (Senior Management)
.............................................. 13
3.2 Chief Executive Officer (CEO)
......................................................................... 13
3.3 Chief Information Officer (CIO)
........................................................................ 14
3.4 Information Owner/Steward
............................................................................ 14
3.5 Senior Agency Information Security Officer (SAISO)
...................................... 14
3.6 Authorizing Official (AO)
.................................................................................. 15
11. 3.7 Authorizing Official Designated Representative
.............................................. 15
3.8 Senior Agency Official for Privacy (SAOP)
...................................................... 15
3.9 Common Control Provider
............................................................................... 15
3.10 System Owner
...............................................................................................
16
3.11 System Security Officer (SSO)
...................................................................... 16
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
v
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
P
12. .800-12r1
3.12 Information Security Architect
....................................................................... 16
3.13 System Security Engineer (SSE)
.................................................................. 17
3.14 Security Control Assessor
............................................................................. 17
3.15 System Administrator
.................................................................................... 17
3.16 User
...............................................................................................
............... 17
3.17 Supporting Roles
...........................................................................................
18
4 Threats and Vulnerabilities: A Brief Overview
................................................... 20
4.1 Examples of Adversarial Threat Sources and Events
..................................... 20
4.1.1 Fraud and Theft
.................................................................................. 21
4.1.2 Insider Threat
..................................................................................... 22
4.1.3 Malicious Hacker
................................................................................ 22
4.1.4 Malicious Code
................................................................................... 23
4.2 Examples of Non-Adversarial Threat Sources and Events
............................. 24
4.2.1 Errors and Omissions
......................................................................... 24
13. 4.2.2 Loss of Physical and Infrastructure Support
....................................... 24
4.2.3 Impacts to Personal Privacy of Information Sharing
........................... 25
5 Information Security Policy
................................................................................. 26
5.1 Standards, Guidelines, and Procedures
.......................................................... 26
5.2 Program Policy
............................................................................................ ...
. 27
5.2.1 Basic Components of Program Policy
................................................ 27
5.3 Issue-Specific Policy
....................................................................................... 28
5.3.1 Example Topics for Issue-Specific Policy
........................................... 28
5.3.2 Basic Components of Issue-Specific Policy
........................................ 29
5.4 System-Specific Policy
.................................................................................... 30
5.4.1 Security Objectives
............................................................................. 31
5.4.2 Operational Security Rules
................................................................. 31
5.4.3 System-Specific Policy Implementation
.............................................. 32
5.5 Interdependencies
...........................................................................................
32
5.6 Cost Considerations
14. ........................................................................................ 33
6 Information Security Risk Management
............................................................. 34
6.1 Categorize
......................................................................................... ......
........ 36
6.2 Select
...............................................................................................
............... 36
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
vi
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
P
.800-12r1
16. 7.3.1 Security and Privacy Control Assessments
........................................ 42
7.3.2 Audit Methods and Tools
.................................................................... 42
7.3.3 Monitoring Methods and Tools
........................................................... 44
7.4 Interdependencies
...........................................................................................
46
7.5 Cost Considerations
........................................................................................ 46
8 Security Considerations in System Support and Operations
.......................... 47
8.1 User Support
...............................................................................................
.... 47
8.2 Software Support
............................................................................................
48
8.3 Configuration Management
............................................................................. 48
8.4 Backups
...............................................................................................
........... 49
8.5 Media Controls
...............................................................................................
. 49
8.6 Documentation
...............................................................................................
. 49
8.7 Maintenance
...............................................................................................
..... 50
8.8 Interdependencies
17. ...........................................................................................
50
8.9 Cost Considerations
........................................................................................ 51
9
Cryptography..........................................................................
.............................. 52
9.1 Uses of Cryptography
..................................................................................... 52
9.1.1 Data Encryption
.................................................................................. 52
9.1.2 Integrity
....................................................................................... ........
53
9.1.3 Electronic Signatures
.......................................................................... 53
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
vii
T
his publication is available free of charge from
18. : https://doi.org/10.6028/N
IS
T
.S
P
.800-12r1
9.1.4 User Authentication
............................................................................ 54
9.2 Implementation Issues
.................................................................................... 54
9.2.1 Selecting Design and Implementation Standards
............................... 55
9.2.2 Deciding between Software, Hardware, or Firmware
Implementations ..
...............................................................................................
............ 55
9.2.3 Managing Keys
................................................................................... 55
9.2.4 Security of Cryptographic Modules
..................................................... 56
9.2.5 Applying Cryptography to Networks
................................................... 56
9.2.6 Complying with Export Rules
.............................................................. 57
9.3 Interdependencies
...........................................................................................
57
9.4 Cost Considerations
........................................................................................ 58
20. ..............................................................................................
67
10.15 Program Management (PM)
........................................................................ 67
10.16 Personnel Security (PS)
.............................................................................. 68
10.17 Risk Assessment (RA)
................................................................................ 68
10.18 System and Services Acquisition (SA)
........................................................ 69
10.19 System and Communications Protection (SC)
............................................ 69
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
viii
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
21. P
.800-12r1
10.20 System and Information Integrity (SI)
.......................................................... 70
List of Appendices
References
.......................................................................................... 71
Glossary
..............................................................................................
76
Acronyms and Abbreviations
............................................................ 88
List of Figures
Figure 1 - Risk Management Framework (RMF) Overview
........................................... 36
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
1
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
22. T
.S
P
.800-12r1
1 Introduction
1.1 Purpose
This publication serves as a starting-point for those new to
information security as well as those
unfamiliar with NIST information security publications and
guidelines. The intent of this special
publication is to provide a high-level overview of information
security principles by introducing
related concepts and the security control families (as defined in
NIST SP 800-53, Security and
Privacy Controls for Federal Information Systems and
Organizations) that organizations can
leverage to effectively secure their systems1 and information.
To better understand the meaning
and intent of the security control families described later, this
publication begins by familiarizing
the reader with various information security principles.
After the introduction of these security principles, the
publication provides detailed descriptions
of multiple security control families as well as the benefits of
each control family. The point is
not to impose requirements on organizations, but to explore
available techniques for applying a
specific control family to an organization’s system and to
explain the benefit(s) of employing the
23. selected controls.
Since this publication provides an introduction to information
security, detailed steps as to how
security controls are implemented or how to check for security
control effectiveness are not
included. Rather, separate publications that may provide more
detailed information about a
specific topic will be noted as a reference.
1.2 Intended Audience
The target audience for this publication are those new to the
information security principles and
tenets needed to protect information and systems in a way that
is commensurate with risk. This
publication provides a basic foundation of concepts and ideas to
any person tasked with or
interested in understanding how to secure systems.
For that reason, this publication is a good resource for anyone
seeking a better understanding of
information security basics or a high-level view on the topic.
The tips and techniques described
in this publication may be applied to any type of information or
system in any type of
organization. While there may be differences in the way federal
organizations, academia, and the
private sector process, store, and disseminate information
within their respective systems, the
basic principles of information security are applicable to all.
1.3 Organization
This publication is organized as follows:
24. • Chapter 1 describes the purpose, target audience, important
terms, the legal foundation
for information security, and a list of NIST publications related
to information security
and information risk management.
1 System is defined in SP 800-53 as any organized assembly of
resources and procedures united and regulated by interaction or
interdependence to accomplish a set of specific functions.
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
2
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
P
.800-12r1
• Chapter 2 lists eight major elements regarding information
security.
25. • Chapter 3 outlines several roles, supporting roles, and the
respective responsibilities
attributed to those roles on providing information security to
the organization.
• Chapter 4 introduces threats and vulnerabilities, distinguishes
the difference between the
two, and provides examples of different threat sources and
events.
• Chapter 5 discusses information security policy and the
differences between Program
Policy, Issue-Specific Policy, and System-Specific Policy.
• Chapter 6 considers how to manage risk and briefly describes
the six steps of the NIST
Risk Management Framework (RMF).
• Chapter 7 focuses on information assurance and what
measures can be taken to protect
information and systems.
• Chapter 8 introduces system support and operations, which
collectively function to run a
system.
• Chapter 9 provides a brief overview of cryptography as well as
several NIST 800-series
Publications that contain additional, more detailed information
on specific cryptographic
technologies.
• Chapter 10 introduces the 20 information security and privacy
control families.
• Appendix A provides a list of References.
26. • Appendix B provides a Glossary of terms used throughout the
document.
• Appendix C provides a list of Acronyms and Abbreviations
used throughout the
document.
1.4 Important Terminology
The term Information System is defined by 44 U.S.C., Sec. 3502
as “a discrete set of information
resources organized for the collection, processing, maintenance,
use, sharing, dissemination, or
disposition of information.”
For this publication, the term system is used in lieu of the term
information system to reflect the
broader applicability of information resources of any size or
complexity, organized expressly for
the collection, processing, use, sharing, dissemination,
maintenance, or disposition of data or
information. Some other key terms to be familiar with are:2
• Information – (1) Facts or ideas, which can be represented
(encoded) as various forms of
data; (2) Knowledge (e.g., data, instructions) in any medium or
form that can be
communicated between system entities.
• Information Security – The protection of information and
information systems from
unauthorized access, use, disclosure, disruption, modification,
or destruction in order to
ensure confidentiality, integrity, and availability.
• Confidentiality – Preserving authorized restrictions on
27. information access and disclosure,
2 These terms and definitions were retrieved from CNSSI 4009,
Committee on National Security Systems (CNSS) Glossary,
dated
April 6, 2015.
NIST SP 800-12 REV. 1 AN INTRODUCTION TO
INFORMATION SECURITY
3
T
his publication is available free of charge from
: https://doi.org/10.6028/N
IS
T
.S
P
.800-12r1
including means for protecting personal privacy and proprietary
information.
• Integrity – Guarding against improper information
modification or destruction and
28. ensuring information non-repudiation and authenticity.
o Data Integrity – The property that data has not been altered in
an unauthorized
manner. Data integrity covers data in storage, during
processing, and while in
transit.
o System Integrity – The quality that a system has when it
performs its intended
function in an unimpaired manner, free from unauthorized
manipulation of the
system, whether intentional or accidental.
• Availability – Ensuring timely and reliable access to and use
of information.
• Security Controls3 – The management, operational, and
technical controls (i.e.,
safeguards or countermeasures) prescribed for a system to
protect the confidentiality,
availability, and integrity of the system and its information.
1.5 Legal Foundation for Federal Information Security Programs
Within the Federal Government, many laws and regulations
mandate that federal organizations
protect their systems, the information processed, stored, or
transmitted by systems, and related
technology resources (e.g., telecommunications). A sampling of
these laws and regulations is …
Managing and Using Information Systems:
A Strategic Approach – Seventh Edition
Keri Pearlson, Carol Saunders,