ABSTRACT

There are three distinct aspects to the selection of security controls for an information system. First, control selection relies on the results of the security categorization described in Chapter 2. Then, based on the category of the system, the system owner uses a catalog of security controls accepted by the organization as a starting point for the selection process; this catalog is known as a minimum security baseline (MSB). Finally, using this catalog, the system owner chooses controls and tailors them to meet the requirements for protecting the system. This final step relies on risk assessment to determine the risks to the confidentiality, integrity, and availability of the data the system processes. This chapter describes how a minimum security baseline is established and used, and the risk assessment process. In addition, it provides an overview of the guidance of the National Institute of Standards and Technology (NIST) on security control selection.