Research Article

Advanced Approach to Information Security Management System Model for Industrial Control System

Table 5

The list of common security controls for the South Korean energy industry, mapped to NIST SP 800-53 control identifiers.

| Number | Main domain name | Subdomain name | Code of security control | Security control |
|---|---|---|---|---|
| 1 | Access control | Account management | AC-2 | The organization manages information system accounts, including identifying account types. |
| 2 | | Separation of duties | AC-5 | The organization implements separation of duties through assigned information system access authorizations. |
| 3 | | Least privilege | AC-6 | The organization employs the concept of least privilege, allowing only the authorized accesses for users that are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
| 4 | Media protection | Media access | MP-2 | The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures]. |
| 5 | | Media marking | MP-3.a | The organization marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information. |
| 6 | | | MP-3.b | The organization exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas]. |
| 7 | | Media storage | MP-4.a | The organization physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]. |
| 8 | | | MP-4.b | The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| 9 | | Media transport | MP-5.a | The organization protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]. |
| 10 | | | MP-5.c | The organization restricts the activities associated with transport of such media to authorized personnel. |
| 11 | Physical and environmental protection | Physical access authorizations | PE-2 | The organization develops and keeps a current list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible). |
| 12 | | Monitoring physical access | PE-6.a | The organization monitors physical access to the information system to identify and respond to physical security incidents. |
| 13 | | | PE-6.b | The organization reviews physical access logs [Assignment: organization-defined frequency]. |
| 14 | | Visitor control | PE-7 | The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible. |
| 15 | | Emergency shutoff | PE-10 | The organization provides the capability of shutting off power to the information system, or individual system components, in emergency situations. |
| 16 | | Emergency lighting | PE-12 | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. |
| 17 | | Fire protection | PE-13 | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. |
| 18 | | Temperature and humidity controls | PE-14 | The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]. |
| 19 | | Water damage protection | PE-15 | The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. |
| 20 | | Location of information system components | PE-18 | The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. |
| 21 | System and communications protection | Denial of service protection | SC-5 | The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list]. |
| 22 | | Boundary protection | SC-7.a | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| 23 | | | SC-7.b | The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
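The three access control entries in the table (AC-2, AC-5, AC-6) are the ones most readily verified by a script rather than by a document review: an account inventory can be checked for unrecognized account types, for one account holding roles that the organization has declared mutually exclusive, and for permissions granted beyond what the account's assigned roles require. The following audit is an added example written for this page, not code from the article or its authors; the role names, permission strings, conflicting-role pairs and the sample inventory are all constructed assumptions standing in for an organization's own role model.

```python
"""Audit a constructed ICS account inventory against AC-2, AC-5 and AC-6.

Role model, permission names and the inventory below are hypothetical
assumptions for illustration, not taken from the article.
"""
from dataclasses import dataclass, field

# Permissions each role legitimately needs (hypothetical role model).
ROLE_PERMISSIONS = {
    "hmi_operator": {"hmi.view", "hmi.acknowledge_alarm"},
    "control_engineer": {"plc.read_logic", "plc.write_logic", "hmi.view"},
    "historian_reader": {"historian.read"},
    "change_approver": {"change.approve"},
}

# Role pairs a single account must never hold at once (AC-5): the person who
# writes PLC logic must not also approve the change that deploys it.
CONFLICTING_ROLES = {
    frozenset({"control_engineer", "change_approver"}),
}

# Account types the organization has defined (AC-2 requires types be identified).
VALID_ACCOUNT_TYPES = {"individual", "shared", "service", "emergency"}


@dataclass
class Account:
    name: str
    account_type: str
    roles: set = field(default_factory=set)
    granted: set = field(default_factory=set)  # permissions actually assigned


def required_permissions(roles):
    """Union of the permissions implied by the assigned roles."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def audit_account(acct):
    """Return (control, message) findings for one account; empty list if clean."""
    findings = []
    if acct.account_type not in VALID_ACCOUNT_TYPES:
        findings.append(("AC-2", f"{acct.name}: unrecognized account type {acct.account_type!r}"))
    for pair in CONFLICTING_ROLES:
        if pair <= acct.roles:
            findings.append(("AC-5", f"{acct.name}: holds conflicting roles {sorted(pair)}"))
    excess = acct.granted - required_permissions(acct.roles)
    if excess:
        findings.append(("AC-6", f"{acct.name}: permissions beyond role need {sorted(excess)}"))
    return findings


def audit_inventory(accounts):
    """Run audit_account over every account and flatten the findings."""
    return [f for a in accounts for f in audit_account(a)]


# Constructed sample inventory: one clean account and one violation of each control.
SAMPLE_INVENTORY = [
    Account("op01", "individual", {"hmi_operator"}, {"hmi.view", "hmi.acknowledge_alarm"}),
    Account("eng02", "individual", {"control_engineer", "change_approver"},
            {"plc.read_logic", "plc.write_logic", "hmi.view", "change.approve"}),
    Account("svc_hist", "service", {"historian_reader"}, {"historian.read", "plc.write_logic"}),
    Account("vendor03", "contractor", {"hmi_operator"}, {"hmi.view"}),
]

if __name__ == "__main__":
    for control, message in audit_inventory(SAMPLE_INVENTORY):
        print(control, message)
```

Run stand-alone, the script reports one finding each for AC-5 (eng02), AC-6 (svc_hist, which holds a PLC write permission its role never needs) and AC-2 (vendor03, whose type is not one the organization defined). Feeding it a real export of accounts and their effective permissions is what turns the three table rows into a repeatable check.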
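SC-7.a and SC-7.b together say that traffic may cross the external boundary or a key internal boundary only through a managed interface that the security architecture defines. The check below is an added example for this page (not code from the article): it classifies the endpoints of constructed flow records into zones, treats each permitted (source zone, destination zone, port) triple as a managed interface, and flags every cross-boundary flow that has no such interface or that leaves the defined zones entirely. The zone address ranges, the conduit list, the port numbers and the log lines are all constructed assumptions.

```python
"""Evaluate constructed flow records against a zone/conduit policy (SC-7).

Zone ranges, allowed conduits, port numbers and sample flows are hypothetical
assumptions for illustration, not taken from the article.
"""
import ipaddress
import re

# Hypothetical zone map for a small plant network.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Managed interfaces through the boundary devices: (src_zone, dst_zone, dst_port).
# Anything crossing a zone boundary outside this set is a policy violation.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz", 443),   # enterprise users browse the DMZ historian replica
    ("control", "dmz", 5000),     # control-side historian pushes to the DMZ replica (port assumed)
}

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(ip_str):
    """Name of the zone containing the address, or None if it is outside all zones."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate_flow(src, dst, dport):
    """Return (verdict, reason) for one flow; verdict is 'allow' or 'deny'."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every defined zone (unmanaged external connection)"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}; no boundary crossed"
    if (src_zone, dst_zone, dport) in ALLOWED_CONDUITS:
        return "allow", f"managed interface {src_zone}->{dst_zone}:{dport}"
    return "deny", f"no managed interface for {src_zone}->{dst_zone}:{dport}"


def denied_flows(log_lines):
    """Parse flow lines and return the (line, reason) pairs the policy rejects."""
    denied = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record; skip
        verdict, reason = evaluate_flow(m["src"], m["dst"], int(m["dport"]))
        if verdict == "deny":
            denied.append((line, reason))
    return denied


# Constructed flow records; timestamps and addresses are made up.
SAMPLE_FLOWS = [
    "2024-01-01T08:00:01Z src=10.10.4.7 dst=10.20.0.5 dport=443",
    "2024-01-01T08:00:02Z src=10.10.4.7 dst=192.168.100.12 dport=502",
    "2024-01-01T08:00:03Z src=192.168.100.12 dst=192.168.100.20 dport=502",
    "2024-01-01T08:00:04Z src=192.168.100.12 dst=10.20.0.5 dport=5000",
    "2024-01-01T08:00:05Z src=192.168.100.12 dst=203.0.113.9 dport=443",
    "2024-01-01T08:00:06Z src=10.20.0.5 dst=192.168.100.12 dport=22",
]

if __name__ == "__main__":
    for line, reason in denied_flows(SAMPLE_FLOWS):
        print("DENY", line, "|", reason)
```

Of the six constructed flows, three are rejected: a direct Modbus/TCP connection from the enterprise zone into the control zone, a control-zone host reaching an address outside every defined zone, and an SSH attempt from the DMZ into the control zone. The same function applied to exported firewall or NetFlow records is a direct test of whether the boundary devices actually enforce the architecture the control describes.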