Advanced Approach to Information Security Management System Model for Industrial Control System
Table 5
The List of Common Security Controls in South Korea Energy Industry for NIST SP 800-53.
| Number | Main domain name | Subdomain name | Code of security control | Security control |
|---|---|---|---|---|
| 1 | Access control | Account management | AC-2 | The organization manages information system accounts, including identifying account types. |
| 2 | | Separation of duties | AC-5 | The organization implements separation of duties through assigned information system access authorizations. |
| 3 | | Least privilege | AC-6 | The organization employs the concept of least privilege, allowing only authorized accesses for users which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
| 4 | Media protection | Media access | MP-2 | The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures]. |
| 5 | | Media marking | MP-3.a | The organization marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information. |
| 6 | | | MP-3.b | The organization exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas]. |
| 7 | | Media storage | MP-4.a | The organization physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]. |
| 8 | | | MP-4.b | The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. |
| 9 | | Media transport | MP-5.a | The organization protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]. |
| 10 | | | MP-5.c | The organization restricts the activities associated with transport of such media to authorized personnel. |
| 11 | Physical and environmental protection | Physical access authorizations | PE-2 | The organization develops and keeps a current list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible). |
| 12 | | Monitoring physical access | PE-6.a | The organization monitors physical access to the information system to identify and respond to physical security incidents. |
| 13 | | | PE-6.b | The organization reviews physical access logs [Assignment: organization-defined frequency]. |
| 14 | | Visitor control | PE-7 | The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides, other than areas designated as publicly accessible. |
| 15 | | Emergency shutoff | PE-10 | The organization provides the capability of shutting off power to the information system, or individual system components, in emergency situations. |
| 16 | | Emergency lighting | PE-12 | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. |
| 17 | | Fire protection | PE-13 | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. |
| 18 | | Temperature and humidity controls | PE-14 | The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]. |
| 19 | | Water damage protection | PE-15 | The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel. |
| 20 | | Location of information system components | PE-18 | The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. |
| 21 | System and communications protection | Denial of service protection | SC-5 | The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list]. |
| 22 | | Boundary protection | SC-7.a | The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
| 23 | | | SC-7.b | The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |