120 Security Enhanced Applications for Information Systems

Actors: rights and privileges,

organization,

Circumstances in which the risk occurs,

A risk scenario is created with the different elements, and the risk treatment measures effective against that scenario are selected.

**2.5 ISO/IEC**

BS7799 part 1 based ISO/IEC 27002 defines a security control to be a control which should ensure that risks are reduced to an acceptable level. The selection of appropriate controls depends on organizational decisions based on the criteria for risk acceptance and the general risk management approach. Thus the acceptance level for the organization should be discussed and determined beforehand.

The categorization of controls in the document is shown below, with the corresponding number of the controls in MEHARI.

Security Policy: "Information security policy (14)"

Organization of Information Security (01): "Internal organization", "External organization"

Asset Management: "Responsibility for assets (11E)", "Information classification"

Human Resources Security (01C): "Prior to employment", "During employment", "Termination or changes of employment"

Physical and Environmental Security (02): "Secure areas", "Equipment security (03C)"

Communications and Operations Management: "Operational procedures and responsibilities (08A)", "Third party services delivery management", "System planning and acceptance", "Protection against malicious and mobile code", "Back-up", "Network security management", "Media handling", "Exchange of information", "Electronic commerce services (09H)", "Monitoring"

Access Control (05B): "Business requirement for access control", "User access management", "User responsibilities", "Network system access control (04B)", "Operating system access control", "Application and information access control", "Mobile computing and tele-working"

Information Systems Acquisition, Development and Maintenance: "Security requirement", "Correct processing in application", "Cryptographic controls (13G)", "Security of system files", "Security in development and support processes", "Technical vulnerability management"

Information Security Incident Management: "Reporting information security events and weakness", "Management of information security incidents and improvement"

Business Continuity Management (01E, 01D): "Information security aspects of business continuity management"

**2.6 NIST**

We refer to NIST SP800-30, where the overall risk mitigation process is described in four phases: "risk mitigation options", "risk mitigation strategy", "an approach for control implementation, control categories, the cost-benefit analysis", and "residual risk".
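As an added illustration of the two points made above (the acceptance level that ISO/IEC 27002 requires the organization to fix beforehand, and the SP800-30 cost-benefit and residual-risk steps), the following Python is not code from the chapter, from MEHARI or from NIST; the scenario, candidate controls, reduction factors and costs are constructed values, and the greedy net-benefit rule is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate treatment measure (values are constructed, not from any standard)."""
    name: str
    reduction: float  # fraction of the remaining exposure the control removes (0..1)
    cost: float       # annualized cost, in the same units as the scenario impact


@dataclass
class RiskScenario:
    name: str
    likelihood: float  # expected events per year
    impact: float      # loss per event

    @property
    def exposure(self) -> float:
        return self.likelihood * self.impact


def select_controls(scenario, candidates, acceptance_level):
    """Greedy cost-benefit selection in the spirit of SP800-30.

    Controls are added while the residual risk exceeds the acceptance level,
    always taking the control with the largest net benefit (risk removed minus
    cost). A control whose cost exceeds the risk it would remove is never
    selected. Returns (chosen, residual_risk, accepted).
    """
    remaining = list(candidates)
    chosen = []
    residual = scenario.exposure
    while residual > acceptance_level and remaining:
        best = max(remaining, key=lambda c: residual * c.reduction - c.cost)
        if residual * best.reduction - best.cost <= 0:
            break  # nothing left pays for itself; residual must be accepted or transferred
        remaining.remove(best)
        chosen.append(best)
        residual *= 1.0 - best.reduction
    return chosen, residual, residual <= acceptance_level


# Constructed sample scenario and candidate controls (names echo ISO/IEC 27002 categories).
MALWARE_VIA_MEDIA = RiskScenario("Malware introduced via removable media", 2.0, 50_000.0)
CANDIDATES = [
    Control("Protection against malicious and mobile code", 0.7, 15_000.0),
    Control("Media handling", 0.5, 4_000.0),
    Control("User responsibilities (awareness)", 0.3, 3_000.0),
    Control("Network security management", 0.2, 5_000.0),
]

if __name__ == "__main__":
    chosen, residual, ok = select_controls(MALWARE_VIA_MEDIA, CANDIDATES, 12_000.0)
    print([c.name for c in chosen], round(residual), "accepted" if ok else "ABOVE acceptance level")
```

With an acceptance level of 12,000 the same three controls bring the residual risk to 10,500 and it is accepted; lowering the acceptance level to 10,000 leaves the residual above it because the only remaining control costs more than the risk it would remove, which is exactly the decision point the acceptance criteria must settle in advance.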

The following are the risk mitigation options.


NIST also provides SP800-53, which includes a list of more than 170 recommended security controls for Federal Information Systems.

The classes of controls and their families are listed as follows.

