Enterprise Information Security - Control Framework
The enterprise faces a changing security landscape. The openness of the network, inviting and welcoming as it is, allows a growing number of uninvited users and attacks against its information resources if it is not effectively secured. Today's connected environment introduces ethical, financial and regulatory pressures to protect the privacy of individuals and the information assets of institutions from internal and external threats and from unauthorized access. Successful attacks, whether deliberate or inadvertent, are increasingly costly and damaging, both to the State and to its partners and constituents.

To meet these challenges, information security must be a fundamental strategic driver of the State's business or mission, and the State must encourage and inculcate a culture of security. To be effective, a comprehensive, risk-driven structure, or framework, for information security should be identified and established for the enterprise.

An information security framework defines a conceptual, physical and procedural model of best practices for end-to-end enterprise security. Contained within the framework are:

    The approach for determining and setting the baseline or threshold of acceptable risk to the business;
    Standard methods for ascertaining the appropriate classification of information assets;
    A base set of policies, processes, standards and procedures for achieving and maintaining an integrated defense of enterprise information resources and assets;
    The security functions, roles and responsibilities appropriate for each member of the organization; and
    The essential skills and knowledge needed to perform information security effectively.

Finally, a framework provides the roadmap for implementing, evaluating and managing the improvement of information security across the enterprise. The objective of this page is to identify the components of the security controls framework along with their scope.

Since the DTS information security framework is based in large part on the National Institute of Standards and Technology's (NIST) Special Publication 800-53 control catalog and its assessment companion, SP 800-53A, the corresponding SP 800-53 control family and class are identified for each DTS security control.
Enterprise Control Framework Family

This table identifies the numbering scheme used to identify the families of security controls, and their associated NIST nomenclature, that make up the DTS Enterprise Information Security Controls Framework. The controls are divided into three classes: management, operational and technical. The first position of the DTS number selects the family; the remaining positions (xx-xx) identify the individual control within it.

DTS #           Description                                  800-53 Class    800-53 Family ID
5000-00xx-xx    Enterprise Foundation                        Management      FF (DTS-specific; SP 800-53 has no FF family)
500X-01xx-xx    Risk Assessment                              Management      RA
500X-02xx-xx    Planning                                     Management      PL
500X-03xx-xx    System and Services Acquisition              Management      SA
500X-04xx-xx    Security Assessment and Authorization        Management      CA
500X-05xx-xx    Personnel Security                           Operational     PS
500X-06xx-xx    Physical and Environmental Protection        Operational     PE
500X-07xx-xx    Contingency Planning                         Operational     CP
500X-08xx-xx    Configuration Management                     Operational     CM
500X-09xx-xx    Maintenance                                  Operational     MA
500X-10xx-xx    System and Information Integrity             Operational     SI
500X-11xx-xx    Media Protection                             Operational     MP
500X-12xx-xx    Incident Response                            Operational     IR
500X-13xx-xx    Awareness and Training                       Operational     AT
500X-14xx-xx    Identification and Authentication            Technical       IA
500X-15xx-xx    Access Control                               Technical       AC
500X-16xx-xx    Audit and Accountability                     Technical       AU
500X-17xx-xx    System and Communications Protection         Technical       SC
500X-18xx-xx    Program Management                           Management      PM
Enterprise Control Scope

This table identifies the numbering scheme used to identify the audience and scope of each DTS information security control.

DTS #           Scope
5000-xxxx       Enterprise-wide control
R895-xx         DTS Administrative Rule (enterprise-wide control)
Enterprise Control Type

This table identifies the numbering scheme used to identify the various components (policies, standards, procedures, etc.) employed within the enterprise security framework. Each suffix is appended to the number of the policy it supports, so a standard, procedure, guideline or checklist can be traced back to its parent policy from its identifier alone.

DTS #               Type
5000-xxxx           Policy
5000-xxxx-Sx        Security Standard
5000-xxxx-PRxx      Security Procedure
5000-xxxx-GLxx      Security Guideline
5000-xxxx-CLxx      Security Checklist
Copyright © 2018 State of Utah - All rights reserved.