Some security practices in the listing below may not name the organization that submitted them; those are provided in a generic format. In each table, the left column contains the document title and the right column contains the date the file was posted to this page.
Audit trails: maintain a record of system activity, both by system or application processes and by user activity.
Document | Posted |
Audit Trails - Overseas Private Investment Corporation | 12/29/04 |
Provides a form of assurance of the security of the system.
Contingency planning: how to keep an organization's critical functions operating in the event of a disruption, large or small.
Document | Posted |
Contingency Plan Template | 04/16/08 |
Backup and Recovery - Overseas Private Investment Corporation | 12/29/04 |
Contingency Planning - Overseas Private Investment Corporation | 12/29/04 |
System and Data Backups - FCC | 12/29/04 |
Contingency Planning Template - DOJ | 07/03/03 |
Continuous monitoring: activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.
Document | Posted |
Continuous Monitoring Training | 04/16/08 |
Data integrity: controls used to protect data from accidental or malicious alteration or destruction, and to provide assurance to the user that the information meets expectations about its quality and integrity.
Document | Posted |
Antivirus - Overseas Private Investment Corporation | 12/29/04 |
Database Security - Overseas Private Investment Corporation | 12/29/04 |
Viruses 101 - FCC | 07/03/03 |
Change control: controls used to monitor the installation of, and updates to, hardware and software, to ensure that the system functions as expected and that a historical record of changes is maintained.
Document | Posted |
Change Control - Overseas Private Investment Corporation | 12/29/04 |
Identification and authentication: technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.
Document | Posted |
Encryption - Overseas Private Investment Corporation | 12/29/04 |
Identification and Authentication - Overseas Private Investment Corporation | 12/29/04 |
Password Protection - FCC | 07/03/03 |
Creating Strong Passwords - FCC | 07/03/03 |
Incident response: the capability to provide help to users when a security incident occurs in a system.
System life cycle: IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.
Document | Posted |
Systems Development - Overseas Private Investment Corporation | 12/30/04 |
The Project Manager's View of Security Processes Over the System Development Life Cycle - V.A. | 11/18/04 |
Access control: system-based mechanisms used to designate who or what is to have access to a specific system resource, and the types of transactions and functions that are permitted.
Document | Posted |
Access Control - Overseas Private Investment Corporation | 12/29/04 |
Network security: secure communication capability that allows one user or system to connect to another user or system.
Personnel security: involves human users, designers, implementers and managers, how they interact with computers, and the access and authorities they need to do their jobs.
Physical and environmental security: measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
Document | Posted |
Physical and Environmental Security - Overseas Private Investment Corporation | 12/30/04 |
Site Survey of Data Center - CFTC | 06/15/04 |
Securing Portable Electronic Media - FCC | 07/03/03 |
Formally documented security policies and procedures.
Media and asset handling: covers topics ranging from a user help desk to procedures for storing, handling and destroying media.
Document | Posted |
USB Flash Drive Security - Office of Government Ethics | 05/04/06 |
Asset Management - Overseas Private Investment Corporation | 12/29/04 |
Media Management - Overseas Private Investment Corporation | 12/29/04 |
Media Sanitization Procedures - NIST | 12/08/03 |
Overall scope of the security program (i.e., PDs, policies, and security program plans and guidance).
Security assessment: routine evaluations of security controls and response to identified vulnerabilities.
Document | Posted |
Security Assessment Summary Template | 04/16/08 |
Security Test & Evaluation Template | 04/16/08 |
PII Security Controls Assessment Plan Template - Department of Commerce | 07/28/06 |
Spreadsheet of SP 800-53 Controls - Commodity Futures Trading Commission | 06/21/06 |
Risk management: the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
Security awareness and training: improves awareness of the need to protect system resources, and develops the skills and knowledge computer users need to perform their jobs more securely and to build in-depth knowledge.
System security plans: provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.
* These submissions were first collected by the Federal CIO Council for its Best Security Practices initiative. That material was later passed to NIST's Computer Security Division.