INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Similar documents
MINIMUM SECURITY CONTROLS SUMMARY

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Four Deadly Traps of Using Frameworks NIST Examples

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

SAC PA Security Frameworks - FISMA and NIST

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Because Security Gives Us Freedom

Altius IT Policy Collection Compliance and Standards Matrix

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Altius IT Policy Collection Compliance and Standards Matrix

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

Building Secure Systems

Recommended Security Controls for Federal Information Systems and Organizations

FISMA-NIST SP Rev.4 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD FISMA NIST SP

NIST Risk Management Framework (RMF)

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

ENTS 650 Network Security. Dr. Edward Schneider

NIST Special Publication

NIST Special Publication

IASM Support for FISMA

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

CloudCheckr NIST Audit and Accountability

Evolving Cybersecurity Strategies

International Civil Aviation Organization and the Directorate General of Air Communication, Indonesia

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

The Common Controls Framework BY ADOBE

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Using Metrics to Gain Management Support for Cyber Security Initiatives

Information Technology General Control Review

Red Hat Enterprise Linux (RHEL) 5.3 Certified Linux Integration Platform (CLIP) Security Requirements Analysis

NIST Security Certification and Accreditation Project

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

DOT/DHS: Joint Agency Work on Vehicle Cyber Security

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Rev.1 Solution Brief

SECURITY & PRIVACY DOCUMENTATION

NIST SP , Revision 1 CNSS Instruction 1253

Executive Order 13556

SYSTEMS ASSET MANAGEMENT POLICY

HIPAA Security and Privacy Policies & Procedures

CONTINUOUS VIGILANCE POLICY

PT-BSC. PT-BSC version 0.3. Primechain Technologies Blockchain Security Controls. Version 0.4 dated 21 st October, 2017

Security Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

CSAM Support for C&A Transformation

INFORMATION ASSURANCE DIRECTORATE

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Costing Information Assurance

Fiscal Year 2013 Federal Information Security Management Act Report

Continuous Monitoring Strategy & Guide

CloudCheckr NIST Matrix

READ ME for the Agency ATO Review Template

FISMA Compliance. with O365 Manager Plus.

Standard CIP Cyber Security Critical Cyber Asset Identification

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Standard CIP Cyber Security Critical Cyber Asset Identification

INFORMATION ASSURANCE DIRECTORATE

Handbook Webinar

NIST Compliance Controls

WRITTEN INFORMATION SECURITY PROGRAM (WISP) ACME Business Consulting, Inc.

BYTEGRIDR. in the GxP Context. Presentation to the FDA Cloud Working Group. Copyright 2014 ByteGrid. All Rights Reserved.

Information Security Policy

Using ACR 2 Reports. 4. Deficiency.pdf - a cross listing of missing or underperforming safeguards with risk categories for this system at this time.

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

DIACAP and the GIG IA Architecture. 10 th ICCRTS June 16, 2005 Jenifer M. Wierum (O) (C)

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

INFORMATION ASSURANCE DIRECTORATE

DoDI IA Control Checklist - MAC 1-Classified. Version 1, Release March 2008

INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010

April Appendix 3. IA System Security. Sida 1 (8)

IT Security Risk Management: A Lifecycle Approach

CIP Cyber Security Configuration Management and Vulnerability Assessments

David Missouri VP- Governance ISACA

AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud

MIS Week 9 Host Hardening

E-guide Getting your CISSP Certification

NIST SP Controls

Security Management Models And Practices Feb 5, 2008

Security Standards for Electric Market Participants

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Security Policies and Procedures Principles and Practices

Streamlined FISMA Compliance For Hosted Information Systems

Ransomware. How to protect yourself?

Trust Services Principles and Criteria

NIST Special Publication

TEL2813/IS2820 Security Management

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Transcription:

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009 Prepared by ATN ICG Security Sub-Group and Adopted by APANPIRG/20

Document Revision History Release Date Draft 1 21 April 2008 Controls from NIST SP 800-53 Identified Draft 2 25 September 2008 Controls in checklist format Version 1 4 May 2009 Checklist reduced to policy and essential check item(s) in each control family - 2 -

Table of Contents 1 Introduction... 4 1.1 Motivation... 4 1.2 References... 4 2 Security Control Overview...5 3 Catalogue of Security Control Requirements... 6-3 -

1 Introduction 1.1 Motivation The Asia/Pacific Region is implementing the Aeronautical Telecommunication Network (ATN) infrastructure in support of the ATN Message Handling Service (AMHS). In order to ensure that security measures are implemented throughout the Asia/Pac ATN, a comprehensive checklist is needed. The ATNICG Security Sub-Group decided at the first sub-group meeting in April 2008 to base the checklist on the list of security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 (SP800-53) [1]. This paper aims to provide a set of security controls in the form of a checklist. The goal is to describe each security control in a fashion suitable for an organization to verify that a set of controls sufficient for their operating environment has been implemented in accordance with the Asia/Pacific System Security Policy [2]. This checklist may be used as the basis of an organization s verification that their system is implemented with appropriate security measures. With this checklist filled in the organization s Designated Approving Authority (DAA) can provide authorization that the system may be placed into operation. 1.2 References The following documents were used in the preparation of this paper. [1] National Institute of Standards and Technology. Special Publication 800-53. Recommended Security Controls for Federal Systems. February 2005. Currently available from: http://csrc.nist.gov/publications/nistpubs/index.html. [2] Asia/Pacific ATN System Security Policy, 2 nd Edition, May 2008-4 -

2 Security Control Overview Table 2-1 is a summary list of the control classes and families. Each control family is classified as a Management, Operational, or Technical Control. Table 2-1. Security Control Classes and Families Class Family Identifier Management Risk Assessment RA Management Planning PL Management System and Services Acquisition SA Management Certification, Accreditation, and Security Assessments CA Operational Personnel Security PS Operational Physical and Environmental Protection PE Operational Contingency Planning CP Operational Configuration Management CM Operational Maintenance MA Operational System and Information Integrity SI Operational Media Protection MP Operational Incident Response IR Operational Awareness and Training AT Technical Identification and Authentication IA Technical Access Control AC Technical Audit and Accountability AU Technical System and Communications Protection SC Each family comprises one or more security controls. Each security control is sequentially numbered within the family. The following subsections describe the structure of the security controls and the organization of the security controls into baselines. 3.4E - 5

3 Catalogue of Security Control Requirements Table 3-1 identifies the developed security checklist. The ID column provides the security checklist identifier. It can be used to trace the security checklist item back to its control family. To enable traceability to the security controls, each security checklist item is assigned an identifier based on the identifier of the security control family. The Security Checklist Text column contains the language for each checklist item. The Implemented column is where an organization may indicate compliance with the checklist item. The column provides any additional information noted during the assessment of the particular item. 3.4E - 6

Table 3-1. Security Checklist ID Security Checklist Text Implemented ACCESS CONTROL (AC) CLASS: TECHNICAL ACCESS CONTROL POLICY AC.1 Does the organization have a formal, documented, access control ACCOUNT MANAGEMENT AC.2 Does the organization manage system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts? ACCESS ENFORCEMENT AC.3 Does the system enforce assigned authorizations for controlling access to the system in accordance with applicable SUPERVISION AND REVIEW ACCESS CONTROL AC.4 Does the organization review the activities of users with respect to the enforcement and usage of system access controls? REMOTE ACCESS AC.5 Does the organization document, monitor, and control all methods of remote access (e.g., dial-up, Internet) to the system? AT.1 AT.2 AU.1 AU.2 AU.3 AWARENESS AND TRAINING (AT) CLASS: OPERATIONAL SECURITY AWARENESS AND TRAINING POLICY Does the organization have a formal, documented, security awareness and training SECURITY TRAINING Does the organization provide basic security awareness training to all users? AUDIT AND ACCOUNTABILITY (AU) CLASS: TECHNICAL AUDIT AND ACCOUNTABILITY POLICY Does the organization have a formal, documented, audit and accountability AUDITABLE EVENTS Does the system generate audit records for the significant security events? AUDIT MONITORING, ANALYSIS, AND REPORTING Does the organization regularly review/analyze audit records for indications of inappropriate or unusual activity? 3.4E - 7

ID Security Checklist Text Implemented CA.1 CA.2 CA.3 CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENTS (CA) CERTIFICATION, ACCREDITATION, AND SECURITY ASSESSMENT POLICY Does the organization have a formal, documented, security assessment and verification and accreditation SECURITY CERTIFICATION Does the organization conduct an assessment of the security controls in the system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system? SECURITY ACCREDITATION Does the organization authorize (i.e., accredit) the system for processing before operations? CLASS: MANAGEMENT CONFIGURATION MANAGEMENT (CM) CLASS: OPERATIONAL CONFIGURATION MANAGEMENT POLICY CM.1 Does the organization have a formal, documented configuration management CONFIGURATION CHANGE CONTROL CM.2 Does the organization control changes to the system? CONTINGENCY PLANNING (CP) CLASS: OPERATIONAL CONTINGENCY PLANNING POLICY CP.1 Does the organization have a formal, documented contingency planning CONTINGENCY PLAN CP.2 Does the organization develop a contingency plan? SYSTEM BACKUP CP.3 Does the organization conduct backups of user-level and system-level information? 3.4E - 8

ID Security Checklist Text Implemented IDENTIFICATION AND AUTHENTICATION (IA) CLASS: TECHNICAL IDENTIFICATION AND AUTHENTICATION POLICY IA.1 Does the organization have a formal, documented identification and authentication USER IDENTIFICATION AND AUTHENTICATION IA.2 Does the system uniquely identify users (or processes acting on behalf of users)? IA.3 Does the system authenticate users (or processes acting on behalf of users)? DEVICE IDENTIFICATION AND AUTHENTICATION IA.4 Does the system identify specific devices before establishing a connection? IA.5 Does the system authenticate specific devices before establishing a connection? IR.1 IR.2 MA.1 MA.2 MP.1 INCIDENT RESPONSE (IR) CLASS: OPERATIONAL INCIDENT RESPONSE POLICY Does the organization have a formal, documented incident response INCIDENT HANDLING Does the organization implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery? MAINTENANCE (MA) CLASS: OPERATIONAL SYSTEM MAINTENANCE POLICY Does the organization have a formal, documented system maintenance CONTROLLED MAINTENANCE Does the organization perform routine preventative and regular maintenance on the components of the system? MEDIA PROTECTION (MP) CLASS: OPERATIONAL MEDIA PROTECTION POLICY Does the organization have a formal, documented media protection 3.4E - 9

ID Security Checklist Text Implemented MEDIA ACCESS MP.2 Does the organization restrict access to system media to authorized individuals? MEDIA STORAGE MP.3 Does the organization physically control system media within controlled areas? PE.1 PE.2 PE.3 PE.4 PL.1 PL.2 PS.1 PHYSICAL AND ENVIRONMENTAL PROTECTION (PE) CLASS: OPERATIONAL PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY Does the organization have a formal, documented physical and environmental protection PHYSICAL ACCESS CONTROL Does the organization control all physical access points to facilities containing systems? EMERGENCY POWER Does the organization provide a short-term uninterruptible power supply to facilitate an orderly shutdown of the system in the event of a primary power source loss? FIRE PROTECTION Does the organization employ and maintain fire suppression and detection devices/systems that can be activated in the event of a fire? PLANNING (PL) CLASS: MANAGEMENT SECURITY PLANNING POLICY Does the organization have a formal, documented security planning SYSTEM SECURITY PLAN Does the organization develop and implement a security plan for the system? PERSONNEL SECURITY (PS) CLASS: OPERATIONAL PERSONNEL SECURITY POLICY Does the organization have a formal, documented personnel security PERSONNEL SCREENING 3.4E - 10

ID Security Checklist Text Implemented PS.2 Does the organization screen individuals requiring access to organizational information and systems? RISK ASSESSMENT (RA) CLASS: MANAGEMENT RISK ASSESSMENT POLICY RA.1 Does the organization have a formal, documented risk assessment RISK ASSESSMENT RA.2 Does the organization conduct assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and systems that support the operations and assets of the organization? VULNERABILITY SCANNING RA.3 Does the organization scan for vulnerabilities in the system? SA.1 SA.2 SC.1 SC.2 SC.3 SYSTEM AND SERVICES ACQUISITION (SA) CLASS: MANAGEMENT SYSTEM AND SERVICES ACQUISITION POLICY Does the organization have a formal, documented system and services acquisition ALLOCATION OF RESOURCES Does the organization determine, document, and allocate as part of its capital planning and investment control process the resources required to adequately protect the system? SYSTEM AND COMMUNICATIONS PROTECTION (SC) CLASS: TECHNICAL SYSTEM AND COMMUNICATIONS PROTECTION POLICY Does the organization have a formal, documented system and communications protection DENIAL OF SERVICE PROTECTION Does the system protect against or limit the effects of denial of service attacks? BOUNDARY PROTECTION Does the system monitor and control communications at the external boundary of the system and at key internal boundaries within the system? TRANSMISSION INTEGRITY 3.4E - 11

ID Security Checklist Text Implemented SC.4 Does the system protect the integrity of transmitted information? TRANSMISSION CONFIDENTIALITY SC.5 Does the system protect the confidentiality of transmitted information? CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT SC.6 Does the system employ automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and key management? PUBLIC KEY INFRASTRUCTURE CERTIFICATES SC.7 Does the organization develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the system? SESSION AUTENTICITY SC.8 Does the system provide mechanisms to protect the authenticity of communications sessions? SYSTEM AND INFORMATION INTEGRITY (SI) CLASS: OPERATIONAL SYSTEM AND INFORMATION INTEGRITY POLICY SI.1 Does the organization have a formal, documented system and information integrity FLAW REMEDIATION SI.2 Does the organization identify, report, and correct system flaws? MALICIOUS CODE PROTECTION SI.3 Does the system implement malicious code protection that includes a capability for automatic updates? SYSTEM MONITORING TOOLS AND TECHNIQUES SI.4 Does the organization employ tools and techniques to monitor events on the system, detect attacks, and provide identification of unauthorized use of the system? SECURITY ALERTS AND ADVISORIES SI.5 Does the organization receive system security alerts/advisories on a regular basis, issue alerts/advisories to appropriate personnel, and take appropriate actions in response? SOFTWARE AND INFORMATION INTEGRITY 3.4E - 12

ID Security Checklist Text Implemented SI.6 Does the system detect and protect against unauthorized changes to software and information? SPAM AND SPYWARE PROTECTION SI.7 Does the system implement spam and spyware protection? 3.4E - 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback