Select Security Controls
NIST Publications 1
- The minimum security requirements for the information and information systems
- A risk-based process for selecting the security controls necessary to satisfy the minimum security requirements
General Support System (GSS)
An interconnected set of information resources under the same direct management control that shares common functionality and provides support for a variety of users and/or applications.
Monitoring Strategy
> A critical aspect of risk management is the continuous monitoring of security controls employed within or inherited by the information system
> An effective monitoring strategy is developed early in the system development life cycle and should be included in the security plan!
An effective monitoring program includes
> Configuration management and control processes
> Security impact analyses on proposed or actual changes to the information system and its environment of operation
> Assessment of the selected security controls employed within and inherited by the information system (including controls in dynamic subsystems)
> Security status reporting to appropriate organizational officials
The continuous monitoring strategy for the information system identifies the security controls to be monitored, the frequency of monitoring, and the control assessment approach.
The minimum security requirements cover 18 selected security control families
> Assist in protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems
> Families are assigned to their respective classes based on the main characteristics of the controls
Control Selection
A concise statement of the specific security capabilities needed to protect a particular aspect of an information system.
References Selection
A list of applicable federal laws, Executive Orders, directives, policies, standards, and guidelines that are relevant to a particular security control or control enhancement.
AC
Access Control Technical
Countermeasures
Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of the information system.
Example
An electronic funds transfer
3rd
Apply scoping guidelines
AU
Audit and Accountability Technical
AT
Awareness and Training Operational
Examples
Common Controls
• Enterprise Network
• Enterprise Windows Operating System
• Enterprise Linux Operating System
• Enterprise Desktop Browsers
CM
Configuration Management Operational
Common Control
Controls that have the capability to secure more than one system, e.g. Enterprise Access Control Policy
System Specific Control
Controls that have the capability to secure one system, e.g. host-based anti-virus
Develop Continuous Monitoring Strategy
Develop a strategy for the continuous monitoring of security control effectiveness and any proposed or actual changes to the information system and its environment of operation.
Common Security Controls should have these properties
• Development, implementation, assessment, authorization, and monitoring of the control can be assigned to a responsible official
• The results from the assessment of the control can be used to support the security authorization processes of an information system where the control has been applied
IA
Identification and Authentication Technical
Common Control Identification
Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in the system security plan (SSP)
IR
Incident Response Operational
Responsibility
Information System Owner or Common Control Provider
MA
Maintenance Operational
Security Controls
Management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. Made up of safeguards and countermeasures.
MP
Media Protection Operational
Contingency Planning
Operational
Planning (PL):
Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place and the rules of behavior for individuals accessing the information systems.
Contingency Planning (CP):
Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA):
Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Access Control (AC):
Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Risk Assessment (RA):
Organizations must periodically assess the risk to organizational operations, assets, and individuals, resulting from the operation of organizational information systems, processing, or storage.
Awareness and Training (AT):
Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
System and Services Acquisition (SA):
Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
Audit and Accountability (AU):
Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Personnel Security (PS):
Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Incident Response (IR):
Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
Configuration Management (CM):
Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
System and Information Integrity (SI):
Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
Physical and Environmental Protection (PE):
Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems and provide appropriate environmental controls in facilities containing information systems.
System and Communications Protection (SC):
Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Maintenance (MA):
Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Assessments & Authorization (CA):
Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Media Protection (MP):
Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
Unspecified Priority Code?
P0
Priority Code 1?
P1
The priority codes order?
P1 (First) P2 (Second) P3 (Third)
Priority Code 2?
P2
Priority Code 3?
P3
PS
Personnel Security Operational
PE
Physical and Environmental Protection Operational
PL
Planning Management
NIST SP 800-53-7
Priority Code
PM
Program Management Management
Control Enhancements Section
Provides statements of security capability to
- Build in additional functionality to a control
- Increase the strength of the control
Benefits of applying common security controls - 2
Rather than evaluating common security controls in every information system:
> The authorization process draws upon any pertinent results from the most current assessments of the common security controls performed at the organizational level
> Application of the common security controls can also enable accountability for security across the organization
RA
Risk Assessment Management
CA
Security Assessment and Authorization Management
Security Control Selection
Select the security controls for the information system and document the controls in the system security plan (SSP).
FIPS 200
Short document (15 pages) describing the minimum security requirements for information and information systems
• Defines seventeen security-related areas which comprise the security control families
• Sets the process for using the information system's high water mark to identify the tailored set of baseline security controls to implement
SA
System and Services Acquisition Management
SC
System and Communications Protection Technical
SI
System and Information Integrity Operational
Priority and Baseline Allocation sections
The recommended priority codes used for sequencing decisions during security control implementation, and the initial allocation of security controls and control enhancements for low-impact, moderate-impact, and high-impact information systems.
NIST SP 800-53 - 1
The security control structure consists of the following components
• a control section
• a supplemental guidance section
• a control enhancements section
• a references section
• a priority and baseline allocation section
Operational Controls
The security controls for an information system that are primarily implemented and executed by people.
Major Applications
These are also known as major information systems that require special management attention because of their criticality and importance to the agency's mission, goals, or maintenance cost.
Security Control Families
These families represent a balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.
Selecting Security Controls
This step requires selecting an initial set of security controls from the SP 800-53 rev 4 Security Control
Objective
Understand how to select security controls meeting the minimum security baseline commensurate with the system's high water mark
Common Security Controls
Controls that can be allocated to one or more organizational information systems
Benefits of applying common security controls - 1
Partitioning security controls into system-specific controls and common controls results:
- In major savings to the organization in development and implementation cost
> Especially when the common controls serve multiple information systems
- In a more reliable application of the security controls across the organization
1st
Prepare for selecting security controls
Safeguards
Protective measures prescribed to meet the security requirements specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.
Supplemental Guidance section
Provides additional information related to a specific security control, but contains no requirements
NIST SP 800-53-6
required control enhancements to implement
NIST SP 800-53-9
required control enhancements to implement
NIST SP 800-53-5
required controls to implement
NIST SP 800-53-8
required controls to implement
2nd
select the initial security control baseline and minimum assurance requirements
Technical Controls
The security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Management Controls
The security controls for an information system that focus on the management of risk and information system security.
Responsibility
• Chief Information Officer or Senior Information Security Officer
• Information Security Architect
• Common Control Provider
Guidance
• FIPS Publications 199, 200
• NIST Special Publications 800-30, 800-53 rev 4
• CNSS Instruction 1253
Responsibility
• Information Security Architect
• Information System Owner
Guidance
• NIST Special Publications 800-30, 800-39, 800-53 rev 4, 800-53A
• CNSS Instruction 1253
Guidance
• FIPS Publications 199, 200
• NIST Special Publications 800-30, 800-53 rev 4
• Committee on National Security Systems (CNSS) Instruction 1253
NIST Publications 2
• Provides guidelines for selecting and identifying security and privacy controls for information systems
Catalog for the information system based on
• The security categories for each data type on the system
• The overall potential impact level of the system
• Applying tailoring guidance based on risk to acquire a starting point in determining the required controls
