Report from the NIST 800-53 Trenches

Abstract

NIST 800-53 presents an integrated yet potentially overwhelming methodology for mapping adequate security controls to security requirements. Integration is achieved by considering the technical, operational, and management aspects of security requirements as a whole. Yet difficulties result from site- or enterprise-specific combinations of factors, including evolving technologies and hardware and software infrastructures, limited time and resources, differences between management and technical staff in how they perceive and prioritize impact, and the necessity of dealing with a massive set of forms. This session will address ESnet's wiki-based approach to motivating and implementing a maintainable security audit process.
