EDPACS
The EDP Audit, Control, and Security Newsletter
Volume 35, 2007 - Issue 2
Original Articles

Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs

Pages 1-10 | Published online: 22 Mar 2007

Abstract

Public and private sector enterprises today are almost completely dependent on their information technology infrastructures to accomplish their critical missions and carry out their corporate business strategies. In order to effectively compete in a fast-paced, highly complex, global economy, organizations are employing new, more powerful information technologies at an unprecedented rate, and in most instances, either ignoring or not fully understanding the increased exposure of their enterprise operations [1] and assets due to the aggressive use of that technology.

Notes

1. Enterprise operations include mission, functions, and reputation.

2. U.S. Patriot Act (Public Law 107-56), October 2001.

3. An information system is a discrete set of information resources (including information, information technology, personnel, equipment, and funds) organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process controls systems and environmental control systems.

4. Threat sources include nation states, terrorist groups, criminals, hackers, or any individuals or groups with intentions of compromising an information system and thus, causing harm to individuals or the enterprise.

5. Information security will vary from organization to organization depending on its mission or business case. An appropriate level of information security is defined to be the application of a sufficient number of information system safeguards (i.e., security controls) to protect the enterprise mission or business case. Acceptability of mission or business case risk may also differ among enterprises that interconnect and share information. A skilled information security professional can assist and advise senior leaders in assessing enterprise risk.

6. The E-Government Act (P.L. 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.

7. Security control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment.

8. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, specifies mandatory security categories for information systems. Security categorization provides a corporate view of the criticality and sensitivity of the information system with respect to supporting enterprise missions or business case.

9. NIST Special Publication 800-53, Revision 1, Minimum Security Controls for Federal Information Systems, December 2006, provides guidance for selecting, specifying, and tailoring security controls for information systems.

10. NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002, provides guidance for conducting risk assessments and supplementing baseline security controls. This publication is being revised to align its risk management concepts more closely with the recently developed NIST Risk Framework.

11. NIST Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006, provides guidance for documenting security controls employed in information systems.

12. NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, May 2005, provides guidance for implementing security configuration settings for information systems and linkage to the National Vulnerability Database, patching information, and automated support tools.

13. NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Second Public Draft), April 2006, provides guidance for assessing the effectiveness of security controls using standardized assessment methods and procedures.

14. NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004, provides guidance on determining risk to organizational operations, organizational assets, and individuals.

15. NIST Special Publications 800-37 and 800-53A provide guidance on the continuous monitoring of security controls in information systems.

16. There are typically five phases in the system development life cycle of an information system: (i) system initiation; (ii) system development and acquisition; (iii) system implementation; (iv) system operations and maintenance; and (v) system disposal. NIST Special Publication 800-64 provides guidance on the security considerations in the information system development life cycle.
