Defining Security Control Families:
Security control families are groups of related security controls that together address one area of concern in an organization's information systems. Each family covers a distinct aspect of security, from access control and identification to incident response and contingency planning, so that risk can be managed at a granular level while the control set as a whole stays cohesive.
NIST Control Families Structure
The NIST control families come from NIST SP 800-53, which groups its controls by security objective. Each family contains a set of individual controls (and control enhancements) that, when implemented effectively, contribute to the organization's overall security posture. Security professionals, compliance officers and IT administrators use the families to guide the selection, implementation and assessment of security measures.
A List of the 18 Control Families
The 18 families below are those of NIST SP 800-53 Revision 4. Revision 5 (2020) added Personally Identifiable Information Processing and Transparency (PT) and Supply Chain Risk Management (SR), bringing the total to 20.
- Access Control (AC): Limits access to systems and information to authorized users, processes and devices, and enforces what they are allowed to do (least privilege, separation of duties, session controls).
- Awareness and Training (AT): Educates personnel about security risks, their responsibilities and best practices.
- Audit and Accountability (AU): Generates, protects and reviews audit records so that actions can be traced to an accountable individual or process.
- Configuration Management (CM): Manages baseline configurations and change control so that only authorized, reviewed changes reach production systems.
- Contingency Planning (CP): Prepares for disruptions and outages (backups, alternate processing sites, recovery procedures) so operations can be restored; it addresses recovery, whereas IR addresses the handling of the incident itself.
- Identification and Authentication (IA): Verifies the identity of users, processes and devices before access is granted; AC then decides what the authenticated identity may do.
- Incident Response (IR): Detects, analyzes, contains and recovers from security incidents, and reports them.
- Maintenance (MA): Controls how, when and by whom systems are maintained, including remote and off-site maintenance, so that maintenance does not become an unmonitored access path.
- Media Protection (MP): Protects physical and digital media containing sensitive information, including marking, storage, transport and sanitization.
- Personnel Security (PS): Ensures the trustworthiness of personnel through screening, agreements, and procedures for transfer and termination.
- Physical and Environmental Protection (PE): Protects facilities and equipment against unauthorized physical access and environmental hazards such as fire, water and power loss.
- Planning (PL): Develops and maintains the system security plan and rules of behavior, aligned with business objectives.
- Program Management (PM): Oversees the organization-wide security program, its initiatives and its resources.
- Risk Assessment (RA): Identifies and assesses risk, including vulnerability scanning, so that controls can be prioritized.
- Security Assessment and Authorization (CA): Assesses whether controls are implemented correctly and operating as intended, and authorizes systems to operate (Revision 5 renames this family Assessment, Authorization, and Monitoring).
- System and Communications Protection (SC): Protects systems and the data they transmit at the network and system level: boundary protection, cryptographic protection, transmission confidentiality and integrity, and separation of system components.
- System and Information Integrity (SI): Maintains system and information integrity through flaw remediation (patching), malicious code protection, system monitoring and input validation.
- System and Services Acquisition (SA): Builds security into the acquisition and development lifecycle, including requirements placed on developers and external service providers.