
Currently Skimming: Pages 94-148

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 94...
... 94 Following is a categorized and prioritized list of countermeasures that airports should consider when addressing vulnerabilities, in order to reduce the likelihood of a successful cybersecurity attack. Control references are to NIST 800-53 (Joint Task Force Transformation Initiative 2012).
From page 95...
... PL-1 (Management, Planning): Security Planning Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 96...
... PL-4 (Management, Planning): Rules of Behavior [P1]. The organization: a. Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and b.
From page 97...
... PM-2 (Management, Program Management): Senior Information Security Officer [P1]. The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. Guidance: The security officer described in this control is an organizational official.
From page 98...
... PM-8 (Management, Program Management): Critical Infrastructure Plan [P1]. The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. Guidance: The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
From page 99...
... RA-1 (Management, Risk Assessment): Risk Assessment Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 100...
... nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems.
From page 101...
... b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
From page 102...
... protecting organizational operations and assets, individuals, other organizations, and the Nation are assessed more frequently in accordance with an organizational assessment of risk. All other controls are assessed at least once during the information system's three-year authorization cycle.
From page 103...
... b. Updates existing plan of action and milestones [Assignment: organization-defined frequency]
From page 104...
... acquisition procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the system and services acquisition policy.
From page 105...
... - Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and b.
From page 106...
... SA-9 (Management, System & Services Acquisition): External Information System Services [P1]. The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b.
From page 107...
... SA-12 (Management, System & Services Acquisition): Supply Chain Protection [P1]. The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.
From page 108...
... functionality. Operational evidence may include flaw reporting and remediation, the results of security incident reporting, and the results of the ongoing monitoring of security controls.
From page 109...
... AT-3 (Operational, Awareness & Training): Security Training [P1]. The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii)
From page 110...
... CM-1 (Operational, Configuration Management): Configuration Management Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 111...
... CM-4 (Operational, Configuration Management): Security Impact Analysis [P2]. The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. Guidance: Security impact analyses are conducted by organizational personnel with information security responsibilities, including, for example, Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers.
From page 112...
... CM-6 (Operational, Configuration Management): Configuration Settings [P1]. The organization: a. Establishes and documents mandatory configuration settings for IT products employed within the information system using [Assignment: organization-defined security configuration checklists]
From page 113...
... intrusion detection and prevention systems, and endpoint protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related control: RA-5.
From page 114...
... CP-2 (Operational, Contingency Planning): Contingency Plan [P1]. The organization: a. Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization; b.
From page 115...
... CP-7 (Operational, Contingency Planning): Alternate Processing Site [P1]. The organization: a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives]
From page 116...
... IR-1 (Operational, Incident Response): Incident Response Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 117...
... IR-6 (Operational, Incident Response): Incident Reporting [P1]. The organization: a. Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]
From page 118...
... MA-1 (Operational, Maintenance): System Maintenance Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 119...
... MA-4 (Operational, Maintenance): Non-Local Maintenance [P1]. The organization: a. Authorizes, monitors, and controls non-local maintenance and diagnostic activities; b.
From page 120...
... MP-2 (Operational, Media Protection): Media Access [P1]. The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals]
From page 121...
... also considered information systems and may have the capability to store information on internal media (e.g., on voicemail systems)
From page 122...
... Physical and technical security measures for the protection of digital and non-digital media are commensurate with the classification or sensitivity of the information residing on the media, and consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Locked containers and cryptography are examples of security measures available to protect digital and non-digital media during transport.
From page 123...
... PS-3 (Operational, Personnel Security): Personnel Screening [P1]. The organization: a. Screens individuals prior to authorizing access to the information system; and b.
From page 124...
... PE-1 (Operational, Physical & Environmental Protection): Physical and Environmental Protection Policy and Procedures [P1]. The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]
From page 125...
... PE-4 (Operational, Physical & Environmental Protection): Access Control for Transmission Medium [P1]. The organization controls physical access to information system distribution and transmission lines within organizational facilities. Guidance: Physical protections applied to information system distribution and transmission lines help prevent accidental damage, disruption, and physical tampering.
From page 126...
... PE-12 (Operational, Physical & Environmental Protection): Emergency Lighting [P1]. The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. Guidance: This control, to include any enhancements specified, may be satisfied by similar requirements fulfilled by another organizational entity other than the information security program.
From page 127...
... PE-19 (Operational, Physical & Environmental Protection): Information Leakage [P0]. The organization protects the information system from information leakage due to electromagnetic signals emanations. Guidance: The security categorization of the information system (with respect to confidentiality)
From page 128...
... SI-3 (Operational, System & Information Integrity): Malicious Code Protection [P1]. The organization: a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
- Inserted through the exploitation of information system vulnerabilities; b.
From page 129...
... SI-5 (Operational, System & Information Integrity): Security Alerts, Advisories, and Directives [P1]. The organization: a. Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; b.
From page 130...
... SI-11 (Operational, System & Information Integrity): Error Handling [P2]. The information system: a. Identifies potentially security-relevant error conditions; b.
From page 131...
... g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; h.
From page 132...
... and/or the information path. Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards, encrypted tunnels, firewalls, and routers)
From page 133...
... the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; b.
From page 134...
... AC-16 (Technical, Access Control): Security Attributes [P0]. The information system supports and maintains the binding of [Assignment: organization-defined security attributes] to information in storage, in process, and in transmission.
From page 135...
... AC-19 (Technical, Access Control): Access Control for Mobile Devices [P1]. The organization: a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices; b.
From page 136...
... are not owned by, operated by, or under the direct supervision and authority of the organization. For some external systems, in particular those systems operated by other federal agencies, including organizations subordinate to those agencies, the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required.
From page 137...
... AC-22 (Technical, Access Control): Publicly Accessible Content [P2]. The organization: a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible; b.
From page 138...
... AU-4 (Technical, Audit & Accountability): Audit Storage Capacity [P1]. The organization allocates audit record storage capacity and configures auditing IN CONSULTATION WITH LEGAL TEAMS to reduce the likelihood of such capacity being exceeded. Guidance: The organization considers the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity.
From page 139...
... AU-11 (Technical, Audit & Accountability): Audit Record Retention [P3]. The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
From page 140...
... accountability of activity. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof.
From page 141...
... IA-4 (Technical, Identification & Authentication): Identifier Management [P1]. The organization manages information system identifiers for users and devices by: a. Receiving authorization from a designated organizational official to assign a user or device identifier; b.
From page 142...
... IA-8 (Technical, Identification & Authentication): Identification and Authentication (Non-Organizational Users) [P1]. The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)
From page 143...
... SC-3 (Technical, System & Communications Protection): Security Function Isolation [P1]. The information system isolates security functions from non-security functions. Guidance: The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains)
From page 144...
... attached commercial customers, and may include third-party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions.
From page 145...
... SC-13 (Technical, System & Communications Protection): Use of Cryptography [P1]. The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
From page 146...
... SC-20 (Technical, System & Communications Protection): Secure Name / Address Resolution Service (Authoritative Source) [P1]. The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
From page 147...
... SC-24 (Technical, System & Communications Protection): Fail In Known State [P1]. The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures]
From page 148...
... SC-31 (Technical, System & Communications Protection): Covert Channel Analysis [P0]. The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels. Guidance: Information system developers/integrators are in the best position to identify potential avenues within the system that might lead to covert channels.
