The selection and implementation of appropriate security controls for an information system4 or a system-of-systems5 are important tasks that can have major implications on the operations6 and assets of an organization7 as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
• What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
• Have the selected security controls been implemented or is there a realistic plan for their implementation?
• What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective8 in their application?
• What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
• Have the selected security controls been implemented or is there a realistic plan for their implementation?
• What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective8 in their application?
Download NIST 800-53:
