
Security Control Standards Catalog V1

Security Control Standards Catalog
Version
Texas Department of Information Resources
2/26/2016
Texas Department of Information Resources | Office of the Chief Information Security Officer

Contents
About the Security Control Standards Catalog .. 1
Document Life Cycle .. 1
Revision History .. 2
Scope .. 2
Exceptions .. 2
Control Details and Sample Format .. 2
Notes on the Control Details and Sample Format .. 2
Security Controls Standards .. 4
AC Access Control .. 4
AP Authority and Purpose .. 21




AR Accountability, Audit, and Risk Management .. 23
AT Awareness and Training .. 29
AU Audit and Accountability .. 32
CA Security Assessment and Authorization .. 43
CM Configuration Management .. 49
CP Contingency Planning .. 57
DI Data Quality and Integrity .. 66
DM Data Minimization and Retention .. 68
IA Identification and Authentication .. 71
IP Individual Participation and Redress .. 79
IR Incident Response .. 82
MA Maintenance .. 90
MP Media Protection .. 95
PE Physical and Environmental Protection .. 101
PL Planning .. 114
PM Program Management .. 119
PS Personnel Security .. 132
RA Risk Assessment .. 138
SA System and Service Acquisition .. 142
SC System and Communication Protection .. 156
SE Security .. 182
SI System and Information Integrity .. 184
TR Transparency .. 196
UL Use Limitation .. 199
Appendix A. NIST Control Families .. 201
Appendix B. Acronyms and Abbreviations .. 213
Appendix C. Glossary of Terms .. 215

About the Security Control Standards Catalog

The purpose of this Security Control Standards Catalog (Control Catalog) is to provide state agencies and higher education institutions (subsequently referred to as state organizations) specific guidance for implementing security controls in a format that easily aligns with the National Institute of Standards and Technology Special Publication 800-53 Version 4 (NIST SP 800-53 Rev. 4). The Control Catalog specifies the minimum information security requirements that state organizations must use to provide the appropriate levels of information security according to risk levels. The Control Catalog specifies the purpose, levels of risk, implementation overview, and implementation examples for each control activity. See the Control Details and Sample Format section for further detail.

For more information related to information security requirements for state organizations, refer to Texas Administrative Code (1 TAC 202).

Document Life Cycle

The Texas Department of Information Resources (DIR) will review the controls in this document each biennium. As changes in technology, threats, and risks are identified, DIR will work with representatives from state organizations to develop the controls necessary to maintain reasonable security measures to protect state resources. Prior to publishing new or revised standards, DIR will solicit comments on new controls from Information Resources Managers and Information Security Officers at state organizations.

All recommended changes will be presented to DIR's board for approval. To minimize their impact on state organizations, the required controls in the Control Catalog will be phased in over a period of three years, with no new controls in the first year. Additionally, new controls will be implemented with a required-by date not to exceed 18 months, after which all state organizations must adhere to the new standard.

[Figure: biennial timeline of the controls life cycle across odd-numbered and even-numbered years (Jun, Dec, Jan, Jun): State Strategic Plan and LAR Development; ITCHE and DIR Board Review; Regular Legislative Session; DIR drafts new Security Controls Standards in response to legislation or need]

Revision History

VERSION | UPDATED BY | DATE | CHANGE DESCRIPTION
| DIR Office of the Chief Information Security Officer | 3/23/14 | Released Draft Version
| DIR Office of the Chief Information Security Officer | 10/22/14 | Released Draft Version
| DIR Office of the Chief Information Security Officer | 3/17/15 | Released Final Version
| DIR Office of the Chief Information Security Officer | 4/3/15 | Corrected date on cover; added missing legacy TAC references in Appendix A; ensured resulting pdf is fully searchable.
| DIR Office of the Chief Information Security Officer | 2/26/16 | Modified or corrected examples for AC-23, AC-24, AC-25, AR-5, CM-8, PM-7; Corrected TAC 202 reference in PL-1, SC-13; Added Program Management Controls to Appendix A.

Scope

Below is the inventoried list of NIST control groups that are included in this Catalog. See the Control Details and Sample Format section for a description of how information on each control is presented.

NIST CONTROL GROUPS/ABBREVIATIONS
AC Access Control
AP Authority and Purpose
AR Accountability, Audit, Risk Management
AT Awareness and Training
AU Audit and Accountability
CA Security Assessment and Authorization
CM Configuration Management
CP Contingency Planning
DI Data Quality and Integrity
DM Data Minimization and Retention
IA Identification and Authentication
IP Individual Participation and Redress
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PM Program Management
PS Personnel Security
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SE Security
SI System and Information Integrity
TR Transparency
UL Use Limitation

Exceptions

Any exception to the following controls shall be approved, justified and documented in accordance with 1 TAC (c), 1 TAC (1)(G), and TAC (a6).

Control Details and Sample Format

Each control group is organized under its group identification code and title, e.g., AC ACCESS CONTROL ([NIST domain name abbreviation] [unabbreviated NIST control family description, e.g., Access Control]).

Information about each control in a group is presented in the following format:

Control ID-# Title
[NIST 800-53 Rev. 4 Control (MOD) Control Number]-[Control Name]

RISK STATEMENT
[A high-level statement of the potential risk presented by not addressing the control activity]

PRIORITY/BASELINE
P1 | LOW: Yes | MOD: Yes | HIGH: Yes

REQUIRED BY
[Date on which the requirement will become effective. Note: Only Low baseline controls are mandatory for all systems. Other controls may be applicable based on the state organization's risk assessment]

CONTROL DESCRIPTION
[Detailed NIST 800-53 Rev.

