The following catalog of security controls provides a range of safeguards and countermeasures for information systems. The security controls are organized into families for ease of use in the control selection and specification process. Each family contains security controls related to the security function of the family. A standardized, two-character identifier is assigned to uniquely identify each control family. To uniquely identify each control, a numeric identifier is appended to the family identifier to indicate the number of the control within the control family.
The security control structure consists of three key components:
A control section
A supplemental guidance section
A control enhancements section
The control section provides a concise statement of the specific security capability needed to protect a particular aspect of an information system. The control statement describes specific security-related activities or actions to be carried out by the organization or by the information system. For some controls in the control catalog, a degree of flexibility is provided by allowing organizations to selectively define input values for certain parameters associated with the controls. This flexibility is achieved through the use of assignment and selection operations within the main body of the control.
The supplemental guidance section provides additional information related ...