The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.
SOURCE: SP 800-37; SP 800-53; SP 800-53A; FIPS 200
Actions taken to manage the development, maintenance, and use of the system, including system-specific policies, procedures and rules of behavior, individual roles and responsibilities, individual accountability, and personnel security decisions.
SOURCE: CNSSI-4009
