SANS IT Security Policy

Information Security Policy Templates


NIST RMF (Risk Management) Link


Risk Management


Risk Management Framework (RMF) Overview

The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk—that is, the risk to the organization or to individuals associated with the operation of a system. The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for a system—the security controls necessary to protect individuals and the operations and assets of the organization.


Risk-Based Approach

The Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk are paramount to an effective information security program and can be applied to both new and legacy systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize

Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis [1].

Step 2: Select

Select an initial set of baseline security controls for the system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions [2].

Step 3: Implement

Implement the security controls and document how the controls are deployed within the system and environment of operation [3].

See appropriate NIST publication in the publications section.

Step 4: Assess

Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize

Authorize system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the system and the decision that this risk is acceptable [4].

Step 6: Monitor

Monitor and assess selected security controls in the system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials [5].


See the Risk Management Framework presentation slides with associated security standards and guidance documents. A black and white version is also available for printing.


1. The RMF categorization step, including consideration of legislation, policies, directives, regulations, standards, and organizational mission/business/operational requirements, facilitates the identification of security requirements. FIPS 199 provides security categorization guidance for nonnational security systems. CNSS Instruction 1253 provides similar guidance for national security systems.

2. NIST Special Publication 800-53 Revision 4 provides security control selection guidance for nonnational security systems. CNSS Instruction 1253 provides similar guidance for national security systems.

3. NIST Special Publication 800-53A Revision 4 provides security control assessment procedures for security controls defined in NIST Special Publication 800-53.

4. NIST Special Publication 800-37 Revision 1 provides guidance on authorizing the system to operate.

5. NIST Special Publication 800-37 Revision 1 provides guidance on monitoring the security controls in the environment of operation, the ongoing risk determination and acceptance, and the approved system authorization to operate status.

References - Info Gathering

Python modules: google, shodan

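import os

import shodan
from google import search  # newer releases of the "google" package expose this module as "googlesearch"
from Pastebin import PastebinAPI

# Post a snippet to Pastebin. The developer and user keys are hard-coded here
# as on the original page; load them from the environment or a secret store instead.
x = PastebinAPI()
url = x.paste('1f2bcfc951d60cfc9c650f807173a207', 'Snippet of code to paste goes here',
              paste_name='title of paste2',
              api_user_key='4f95b64d1969e3f177f9492e3a5efc49',
              paste_format='python', paste_private='unlisted',
              paste_expire_date='10M')
print(url)

# Print the first 20 Google results for a keyword.
for url in search('lgdisplay', stop=20):
    print(url)

# Query Shodan. The key is read from the environment (the variable name is an assumption).
SHODAN_API_KEY = os.environ['SHODAN_API_KEY']
api = shodan.Shodan(SHODAN_API_KEY)

try:
    # The value after "net:" is missing from the original page.
    results = api.search('net:')
    # results = api.search('')
    print('Results found: %s' % results['total'])
    for result in results['matches']:
        print('IP:%s' % result['ip_str'])
        print(result['data'])
        print('')
except shodan.APIError as e:
    print('Error:%s' % e)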

Korea Privacy Protection Law Link

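Enforcement Decree of the Personal Information Protection Act
Enforcement Rules

Easy view with three-column comparison

Privacy Impact Assessment Guide (reference document - Checklist) + Standards for Measures to Ensure the Safety of Personal Information document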


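1. Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. / Enforcement Decree / Enforcement Rules
2. Personal Information Protection Act / Enforcement Decree / Enforcement Rules
3. Unfair Competition Prevention and Trade Secret Protection Act / Enforcement Decree
4. Act on Prevention of Divulgence and Protection of Industrial Technology / Enforcement Decree / Enforcement Rules
5. Electronic Financial Transactions Act / Enforcement Decree
6. Act on the Protection of Information and Communications Infrastructure / Enforcement Decree / Enforcement Rules
7. Information and Communications Industry Promotion Act
8. Guidelines for the Protection of Integrated Information and Communications Facilities
9. Standards for the Designation, etc. of Identity Verification Agencies
10. Standards for Technical and Administrative Protective Measures for Personal Information
11. Guidelines on Information Protection Measures
12. Public Notice on Certification of Information Security Management Systems
13. Public Notice on Preliminary Information Security Inspection
14. Personal Information Risk Analysis Standards
15. Standards for Measures to Ensure the Safety of Personal Information
16. Personal Information Encryption Measures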