UW-Madison - Policy Portfolio - Cybersecurity Portfolio NIST Control Mappings
For cybersecurity experts: All the policy portfolios into which cybersecurity policies are collected, showing the NIST security and privacy controls associated with each portfolio.
Cybersecurity Portfolios
Mapping of Cybersecurity Portfolios to NIST Privacy and Security Control Families
Acquisition and Development
- Security families: SA.
- Privacy families: AR(3,7).
Configuration and Maintenance
- Security families: CM, MA, SC(various)*, SI(various)*.
- Privacy families: DM(1-2), SE(1).
Contingency Planning
- Security families: CP, PE(1,9-19).
- Privacy families: none.
Education, Training and Awareness
- Security families: AT, MP.
- Privacy families: AR(5).
Identity and Access Management
- Security families: AC, IA, PE(1-8), PS(1,4-7), SC(various)*, SI(various)*.
- Privacy families: none.
Monitoring and Mitigation
- Security families: AU, CA(1,7-8), IR, SC(various)*, SI(various)*.
- Privacy families: AR(6,8), SE(2).
Privacy
- Security families: none.
- Privacy families: AP, DI, DM(3), IP, TR, UL.
Risk Management
- Security families: CA(1-6,9), PL, PS(1-3,8), PM, RA.
- Privacy families: AR(1-2,4).
NIST Control Families
Security Control Families
Abbr. | Control Family Name | Controls in Family | Cybersecurity Portfolio |
---|---|---|---|
AC | Access Control | All | Identity and Access Management (IAM) Portfolio |
AT | Awareness and Training | All | Education, Training and Awareness Portfolio |
AU | Audit and Accountability | All | Monitoring and Mitigation Portfolio |
CA | Security Assessment and Authorization | 1 to 6, 9 (end) | Risk Management Portfolio |
CA | Security Assessment and Authorization | 1, 7 to 8 | Monitoring and Mitigation Portfolio |
CM | Configuration Management | All | Configuration and Maintenance Portfolio |
CP | Contingency Planning | All | Contingency Planning Portfolio |
IA | Identification and Authentication | All | Identity and Access Management (IAM) Portfolio |
IR | Incident Response | All | Monitoring and Mitigation Portfolio |
MA | Maintenance | All | Configuration and Maintenance Portfolio |
MP | Media Protection | All | Education, Training and Awareness Portfolio |
PE | Physical and Environmental Protection | 1 to 8 | Identity and Access Management (IAM) Portfolio |
PE | Physical and Environmental Protection | 1, 9 to 20 (end) | Contingency Planning Portfolio |
PL | Planning | All | Risk Management Portfolio |
PM | Project Management | All | Risk Management Portfolio |
PS | Personnel Security | 1 to 3, 8 (end) | Risk Management Portfolio |
PS | Personnel Security | 4 to 7 | Identity and Access Management (IAM) Portfolio |
RA | Risk Assessment | All | Risk Management Portfolio |
SA | Systems and Services Acquisition | All | Acquisition and Development Portfolio |
SC | System and Communications Protection | Subject to interpretation * | Configuration and Maintenance Portfolio, or Identity and Access Management (IAM) Portfolio, or Monitoring and Mitigation Portfolio * |
SI | System and Information Integrity | Subject to interpretation * | Configuration and Maintenance Portfolio, or Identity and Access Management (IAM) Portfolio, or Monitoring and Mitigation Portfolio * |
Privacy Control Families
Abbr. | Control Family Name | Controls in Family | Cybersecurity Portfolio |
---|---|---|---|
AP | Authority and Purpose | All | Privacy Portfolio |
AR | Accountability, Audit, and Risk Management | 1 to 2, 4 | Risk Management Portfolio |
AR | Accountability, Audit, and Risk Management | 3, 7 | Acquisition and Development Portfolio |
AR | Accountability, Audit, and Risk Management | 5 | Education, Training and Awareness Portfolio |
AR | Accountability, Audit, and Risk Management | 6, 8 (end) | Monitoring and Mitigation Portfolio |
DI | Data Quality and Integrity | All | Privacy Portfolio |
DM | Data Minimization and Retention | 1 to 2 | Configuration and Maintenance Portfolio |
DM | Data Minimization and Retention | 3 (end) | Privacy Portfolio |
IP | Individual Participation and Redress | All | Privacy Portfolio |
SE | Security | 1 | Configuration and Maintenance Portfolio |
SE | Security | 2 (end) | Monitoring and Mitigation Portfolio |
TR | Transparency | All | Privacy Portfolio |
UL | Use Limitation | All | Privacy Portfolio |
Notes
* Some SC (System and Communications Protection) and SI (System and Information Integrity) controls are difficult to characterize unambiguously. They could be viewed as a means of ensuring that access is limited to authorized persons, similar to the Identity and Access Management Portfolio, or as system or network configuration, similar to the Configuration and Maintenance Portfolio, or as a means of detecting and countering malicious activity, similar to the Monitoring and Mitigation Portfolio. When a policy or related document is associated with SC or SI controls, the overall emphasis of the document needs to be considered.