NIH | National Cancer Institute | NCI Wiki  

...

NSAT is NIH's central repository and tracking tool for all security assessment and authorization (SA&A) information and artifacts. All NIH-operated systems and externally operated systems are required to store their information directly in NSAT to help automate information gathering and streamline reporting. Contact your Information Systems Security Officer (ISSO) for assistance entering your system/application into NSAT.

...

The National Institute of Standards and Technology (NIST) Guide for Applying the RMF to Federal Information Systems describes a structured, yet flexible approach that can be used to determine the level of risk mitigation needed to protect information systems, information, and infrastructure supporting organizational mission and business processes from serious threats. The RMF is designed to help leadership understand the current status of security programs and the security controls planned or in place to protect federal information and information systems. The RMF provides a methodology that can be applied in an iterative manner to both new and legacy information systems within the context of the system development life cycle (SDLC) and the federal enterprise architecture (FEA).

SANS Top 20 Critical Security Controls

The SANS Critical Security Controls, which are also commonly referred to as the SANS Top 20, comprise best-practice guidelines for computer security formulated through industry consensus. The Controls focus first on prioritizing security functions that are effective against the latest advanced targeted threats, emphasizing security controls where products, processes, architectures, and services that have demonstrated real-world effectiveness are employed. They also focus on a smaller number of actionable, high-payoff controls, embodying a "must do first" philosophy. Since the Controls were derived from the most common attack patterns and vetted across a broad community of government and industry organizations, they can serve as the basis for immediate high-value action.

Security Assessment and Authorization (SA&A)

...