
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls


Page 1: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
Presentation Notes:
© 2016 Maze & Associates, Revision 10 (April 2016). Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester. Picture: Muir Beach, north of San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 2

RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor

Page 3

Presentation Notes:
Security Control Selection and Documentation: Minimum Security Baselines and the System Security Plan (SSP). Picture: Devil's Tower, WY; photo by Donald E. Hester, all rights reserved.
Read: Official (ISC)2 Guide to the CAP CBK, Second Edition, Chapter 3, pp. 139-149 and pp. 167-186.
Page 4

RMF steps: Categorize, Select, Implement, Assess, Authorize, Monitor

Presentation Notes:
RMF Step 2, Select Security Controls:
- Identify common controls
- Security control selection
- Monitoring strategy
- Security plan approval
References: FIPS Publications 199 and 200; NIST Special Publications 800-30 and 800-53; CNSS Instruction 1253.
Page 5

Presentation Notes:
RMF Step 2, Select Security Controls:
- Identify common controls: document the inherited controls, and document any hybrid controls as well.
- Security control selection: choose the baseline; tailor the baseline (apply scoping guidance); document compensating controls and control enhancements; specify minimum assurance requirements.
- Monitoring strategy: how will each control be monitored on an ongoing basis, and how will changes in risk be evaluated and controls adjusted?
- Security plan approval: review the plan to see if it meets the organization's requirements; approval allows the process to continue.
References: FIPS Publications 199 and 200; NIST Special Publications 800-30 and 800-53; CNSS Instruction 1253.
Page 6

Page 7

Page 8

Page 9

Page 10

Presentation Notes:
Minimum Security Baselines and Best Practices. Picture: Lincoln Memorial, Washington DC; photo by Donald E. Hester, all rights reserved.
Page 11

Presentation Notes:
Levels of control: NIST SP 800-100 and NIST SP 800-53.
Page 12

NIST SP 800-53

Presentation Notes:
Selecting baseline controls. Minimum security baselines:
- Based on business needs
- Must be realistic
- Must be based on risk (don't implement a control for the sake of the control)
Samples: ISO 17799 (27002), GASSP, NIST SP 800-26, NIST SP 800-53 (sometimes called a "control catalog").
Page 13

Presentation Notes:
Use of the minimum security baseline set:
- The idea is that the entire system will meet these minimum controls.
- The system may have more controls as business needs and risks require.
- If a control is not applicable, that should be justified and documented (risk analysis).
- If a control cannot be implemented, document that as well, along with the risk to be accepted and the management sign-off.
Page 14

Presentation Notes:
NIST SP 800-60
Page 15

Data Type | Data Description | Data Sensitivity

Presentation Notes:
NIST SP 800-60
Page 16

Data Type | Confidentiality | Integrity | Availability
Personal Identity and Authentication | Moderate | Moderate | Moderate
Help Desk Services | Low | Low | Low
Budget & Finance | Moderate | Moderate | Low
Accounting | Low | Moderate | Low
Space Operations | Low | High | High
High Watermark | Moderate | High | High
Overall High Watermark: High

Presentation Notes:
Document all data forms. The high watermark is not used for National Security Systems.
Page 17

Presentation Notes:
NIST SP 800-60 and NIST SP 800-53 Rev 3
Page 18

Presentation Notes:
Security Control Selection Process, NIST SP 800-39 (Draft)
Page 19

Presentation Notes:
DIARMF: http://www.doncio.navy.mil/ContentView.aspx?ID=1733
The Department of the Navy CIO and the Assistant Secretary of Defense for Networks and Information Integration, ASD(NII), have been working on a project to transition from DIACAP to some form of DoD Risk Management Framework. They have mapped the DoDI 8500.2 IA controls to the NIST SP 800-53 controls.
Page 20

Presentation Notes:
PRISMA (Program Review for Information Security Management Assistance) has three objectives:
- To assist agencies in improving their information security programs
- To support Critical Infrastructure Protection (CIP) planning
- To facilitate the exchange of effective security practices within the federal community
PRISMA provides an independent review of the maturity of an agency's information security program. See NIST IR 7358, PRISMA: http://csrc.nist.gov/groups/SMA/prisma/index.html
The PRISMA maturity levels are similar to the CMM, the Capability Maturity Model (CMM is a service mark owned by Carnegie Mellon University (CMU)).
PRISMA maturity levels:
1. Policies
2. Procedures
3. Implementation
4. Testing
5. Integration
CMM levels:
1. Initial (chaotic, ad hoc, individual heroics): the starting point for use of a new process.
2. Managed: the process is managed in accordance with agreed metrics.
3. Defined: the process is defined/confirmed as a standard business process, and decomposed to levels 0, 1 and 2 (the latter being work instructions).
4. Quantitatively managed (automated).
5. Optimizing: process management includes deliberate process optimization/improvement (quality management).
Page 21

Presentation Notes:
Minimum Assurance Controls: Minimum Assurance Controls for Low-impact Systems (NIST SP 800-53 Rev 4 Draft). CNSS Instruction 1253 provides security control baselines for national security systems. Therefore, the assurance-related controls in the baselines established for the national security community, if so designated, may differ from those controls designated

Page 22

Presentation Notes:
Minimum Assurance Controls: Minimum Assurance Controls for Moderate-impact Systems (NIST SP 800-53 Rev 4 Draft). CNSS Instruction 1253 provides security control baselines for national security systems. Therefore, the assurance-related controls in the baselines established for the national security community, if so designated, may differ from those controls designated

Page 23

Presentation Notes:
Minimum Assurance Controls: Minimum Assurance Controls for High-impact Systems (NIST SP 800-53 Rev 4 Draft). CNSS Instruction 1253 provides security control baselines for national security systems. Therefore, the assurance-related controls in the baselines established for the national security community, if so designated, may differ from those controls designated

Page 24

Presentation Notes:
Enhanced Assurance Controls: Enhanced Assurance Controls for High-impact Systems (NIST SP 800-53 Rev 4 Draft). CNSS Instruction 1253 provides security control baselines for national security systems. Therefore, the assurance-related controls in the baselines established for the national security community, if so designated, may differ from those controls designated
Page 25

Presentation Notes:
Privacy Controls, Special Publication 800-53 Rev 4, Appendix J:
- AP: Authority and Purpose
- AR: Accountability, Audit, and Risk Management
- DI: Data Quality and Integrity
- DM: Data Minimization and Retention
- IP: Individual Participation and Redress
- SE: Security
- TR: Transparency
- UL: Use Limitation
Page 26

Presentation Notes:
Summary:
- You have to have a place to start.
- Categorize the system based on the data in the system.
- This helps you select a minimum set of security controls.
- Document and justify any deviations from the minimum security baseline.
- Update security controls as needed.
Page 27

Presentation Notes:
Class Discussion: Security Baseline. A business unit manager does not understand what a minimum security baseline is and why it is necessary. What do you tell them? What reasons might you have for tailoring the security baseline?
Page 28

Presentation Notes:
System Security Plan (SSP). Picture: Golden Gate Park, San Francisco, CA; photo by Donald E. Hester, all rights reserved.
Page 29

Presentation Notes:
Primary Guidance: NIST SP 800-18 Rev 1, February 2006, Guide for Developing Security Plans for Federal Information Systems.
"Agencies should develop policy on the system security planning process."
"Organizational policy should clearly define who is responsible for system security plan approval and procedures developed for plan submission, including any special memorandum language or other documentation required by the agency."
"...this document guides the reader in writing a system security plan, including logical steps which should be followed in approaching plan development, recommended structure and content, and how to maximize the use of current NIST publications to effectively support system security planning activity."
Page 30

Presentation Notes:
DIACAP:
- System Identification Profile (SIP): the system characteristics required to register an information system with the governing DoD Component IA program.
- DIACAP Implementation Plan (DIP): the assigned 8500.2 IA controls and their implementation status, the responsible entities and necessary resources, and the estimated completion date for each assigned IA control.
- System Security Plan: the SSP is one of the documents that your DAA may require in a DIACAP comprehensive package. It describes the technical, administrative, and procedural IA program and policies that govern the DoD information system and identifies all IA personnel and specific IA requirements and objectives.
Page 31

NSTISSI No. 1000

Presentation Notes:
NIACAP uses the Systems Security Authorization Agreement (SSAA) to document accreditation requirements. It is similar to the NIST RMF package, which includes the SSP.
"The SSAA documents the conditions of the C&A for an IS."
"The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program manager."
"Each information system must be covered by an SSAA."
"The DAA, certifier, program manager, and user representative have the authority to tailor the SSAA to meet the characteristics of the IS, operational requirements, security policy, and prudent risk management."
Source: NSTISSI No. 1000
Page 32

Presentation Notes:
SSP a Paper Tiger? GCN, February 2007, reported that a pair of security experts said FISMA is fundamentally flawed: "FISMA wasn't written badly, but the measuring system they are using is broken. What we measure now is, 'Do you have a plan?'" Not whether the plan actually improves security. Too often, the plans do not improve security. The danger is that the plan could be treated as a "check box" and not given its proper place.

From the GCN article:
SAN FRANCISCO: A pair of security experts, one of them a former federal chief information security officer, gave a harsh critique Tuesday of the Federal Information Security Management Act as a well-intentioned but fundamentally flawed tool. "A lot of your money is being thrown away," Alan Paller, director of research for the SANS Institute, told an audience at the RSA IT security conference.
The 2002 act mandates security planning for agencies, requiring a risk analysis of IT systems, and certification and accreditation of those systems. "FISMA wasn't written badly, but the measuring system they are using is broken," Paller said. "What we measure now is, 'Do you have a plan?'" Not whether the plan actually improves security.
Too often, the plans do not improve security, said Bruce Brody, vice president of information assurance at CACI International Inc. and formerly with the Veterans Affairs and Energy departments. "Federal systems and networks are like Swiss cheese," Brody said. "FISMA over five years has not helped us to be appreciably more secure."
The speakers described the risk analysis and C&A processes as paperwork drills that let agencies comply with the letter of the law without doing anything to improve actual security. Even so, many agencies routinely receive failing grades in the annual FISMA report cards handed out by Congress, and government as a whole has not risen above D. Brody said he received four Fs and one C during his term in government.
Paller offered two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems, and require that vendors ship well designed products that are securely configured by default. He also called for using "attack-based" metrics in measuring security compliance. These metrics include:
- How quickly penetrations of the system are identified
- The length of time it takes to deploy needed security patches
- The number of accounts remaining active after employees or consultants have left an agency
- Whether programming teams are including errors in code
- How quickly malicious code can be found on a system
Brody defined five things a CIO must know about his systems to ensure security:
- The boundaries and topologies of the interconnected enterprise
- The devices that are connected to the enterprise and the channels they use to connect to it
- The configuration of these devices
- Who is accessing these devices and whether that access is authorized
- What these users are doing on the system
"You can measure good security, but it's not being measured today," Brody said. Brody and Paller were hopeful that changes in FISMA could be made in the new Congress.
Page 33

Presentation Notes:
No Paper Tiger. Avoid the danger of turning your security plan into a bureaucratic "check the box" exercise. The plan should be:
- The single reference for what needs to be secured
- The document that records the controls
- Support for oversight, planning and budget
- Documentation of compliance
Page 34

NIST SP 800-18 Rev 1

Presentation Notes:
Applicability: System Security Plans are required. They help to implement needed controls and document how the controls are in place. NIST SP 800-18 Rev 1.
Page 35

Presentation Notes:
Responsible for the Plan: the System Owner is responsible for the plan.
- Can delegate preparation of the plan
- Cannot delegate responsibility
- Should be familiar with the system
- Multiple people will contribute
Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.
Page 36

Presentation Notes:
Plan Contents:
- System Description
- Description of Controls
- System Security Roles and Responsibilities
- External Requirements
- Information Categories
- Interconnectivity with the System
- Certification Level
- Plan Information
Page 37

Presentation Notes:
Plan Contents per NIST SP 800-18 Rev 1:
- System Name and Identifier
- System Categorization
- System Owner
- Authorizing Official
- Other Designated Contacts
- Assignment of Security Responsibility
- System Operational Status
- Information System Type
- General Description/Purpose
- System Environment
Page 38

Appendix A: Sample Information System Security Plan Template

Presentation Notes:
Plan Contents per NIST SP 800-18 Rev 1 (continued):
- System Interconnection/Information Sharing
- Laws, Regulations, and Policies Affecting the System
- Security Control Selection
- Minimum Security Controls
- Completion and Approval Dates
- Appendix A: Sample Information System Security Plan Template
Page 39

NSTISSI No. 1000

Presentation Notes:
The SSAA should:
- Describe the operating environment and threat
- Describe the system security architecture
- Establish the C&A boundary of the system to be accredited
- Document the formal agreement among the DAA(s), certifier, program manager, and user representative
- Document all requirements necessary for accreditation
- Minimize documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.)
- Document the NIACAP plan
- Document test plans and procedures, certification results, and residual risk
- Form the baseline security configuration document
Source: NSTISSI No. 1000
Page 40

Presentation Notes:
What the SSP is not:
- The System Security Plan is not proof of the existence of controls.
- It is not a security procedures manual: cross-reference procedures, do not duplicate them (give a hyperlink and the name and location of the documentation).
- The plan should not be lengthy and unusable. Procedures belong in an SOP or Rules of Behavior (an external document); the plan should be a summary.
- The plan should be brief and usable; consider hyperlinks to external documents.
Page 41

SSP lifecycle: Plan Initiation, Plan Development, Plan Implementation, Plan Maintenance, Recertification or Retirement

Presentation Notes:
Plan initiation (SSP lifecycle):
- Can start at any time
- Generally started early
- Needs to be complete before an accreditation decision is made
Notice that the cycle follows the System Development Lifecycle (SDLC).
Page 42

Presentation Notes:
Information sources: generally comes from existing documentation; may need to develop from scratch.
SSP development tools: automated systems, databases, document repositories, forms (may be web-based).
Page 43

Presentation Notes:
Plan format: should be flexible; there are a number of different forms.
Page 44

Presentation Notes:
Plan approval: part of the certification and accreditation package; signed by the person who prepared the plan; approved by the system owner.
Page 45

Presentation Notes:
Plan Maintenance:
- Keep the plan up to date; don't wait until recertification to update the plan.
- Review of the plan should occur prior to any major change.
- It has to be a living document.
- A change may trigger a recertification.
Once the information system security plan is accredited, it is important to periodically assess the plan; review any change in system status, functionality, design, etc.; and ensure that the plan continues to reflect the correct information about the system. This documentation and its accuracy are imperative for system recertification and reaccreditation activity. All plans should be reviewed and updated, if appropriate, at least annually. Some items to include in the review are:
- Change in information system owner
- Change in information security representative
- Major change in system architecture
- Change in system status
- Additions/deletions of system interconnections
- Change in system scope
- Change in authorizing official
Source: NIST SP 800-100 Sec. 8.7
Page 46

Presentation Notes:
Plan specifics.
Plan security: the plan contains sensitive information; limit it to need to know; it should be labeled.
Plan metrics: documented plans, use of defined formats, approved plans, consistent plans, documented implementation planning.
Page 47

System 1: Subsystem A, Subsystem B, Subsystem C

Presentation Notes:
System Boundary:
- Flexibility in determination of the system
- Generally under the same management control, and usually a local grouping of systems
- May contain multiple components
- The System Security Plan will have diagrams showing the system boundary
- Components add clarity to the system security plan
Direct management control does not necessarily imply that there is no intervening management. NIST SP 800-100 sec. 8.4.1
Page 48

Presentation Notes:
A subsystem can be labeled a component or an element.
Page 49

Information Criteria | Security Impact
Confidentiality | Low / Moderate / High
Integrity | Low / Moderate / High
Availability | Low / Moderate / High
Based on: NIST SP 800-60 and FIPS Pub 199

Presentation Notes:
Baseline Security Controls: selection of baseline security controls is based on system categorization. For this system you would select Moderate controls from NIST SP 800-53 Rev. 1 (high watermark). Based on: NIST SP 800-60 and FIPS Pub 199.
The tables also identify the security impact levels for confidentiality, integrity, and availability for each of the information types, expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS Pub 199. High Water Mark.
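As an added worked example (my code, not part of the deck and not taken from any NIST publication), here is the high water mark roll-up that the table on Page 16 and this slide describe: each information type's provisional impact levels are combined per security objective by taking the highest, and the highest of those three picks the SP 800-53 baseline. The information types are the ones in the Page 16 table; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# FIPS 199 potential impact levels, ordered so that max() picks the high water mark
IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type from the SP 800-60 inventory with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: {objective} level {value!r} is not Low/Moderate/High")
        return value


def high_water_mark(levels: List[str]) -> str:
    """Highest impact level among the given levels (the FIPS 199 high water mark)."""
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(info_types: List[InfoType]) -> Tuple[Dict[str, str], str]:
    """Per-objective high water marks and the overall system impact level.

    This is the FIPS 199 / SP 800-60 method for non-national-security systems;
    the slide notes that the high water mark is not used for National Security
    Systems, which CNSSI 1253 categorizes differently.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {
        obj: high_water_mark([t.level(obj) for t in info_types]) for obj in OBJECTIVES
    }
    # The overall level, which selects the Low/Moderate/High SP 800-53 baseline
    overall = high_water_mark(list(per_objective.values()))
    return per_objective, overall


def security_category(per_objective: Dict[str, str]) -> str:
    """Render the result in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {per_objective[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: the information types from the slide's table on Page 16.
SAMPLE_SYSTEM = [
    InfoType("Personal Identity and Authentication", "Moderate", "Moderate", "Moderate"),
    InfoType("Help Desk Services", "Low", "Low", "Low"),
    InfoType("Budget & Finance", "Moderate", "Moderate", "Low"),
    InfoType("Accounting", "Low", "Moderate", "Low"),
    InfoType("Space Operations", "Low", "High", "High"),
]

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_SYSTEM)
    print(security_category(per_obj))
    print("Overall high water mark:", overall, "-> select the", overall, "baseline")
```

The per-objective marks matter even though only the overall level picks the baseline: they are what the SSP records, and they are what you revisit when a single high-impact information type (Space Operations here) drags the whole system up and you consider splitting it into a separate subsystem with its own boundary.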
Page 50

Presentation Notes:
Control Catalog: NIST SP 800-53. Image from NIST SP 800-53 Rev 3, pg 6.
Page 51

Presentation Notes:
Control Catalog: DoDI 8500.2. Image from DoDI 8500.2.
Page 52

Presentation Notes:
CNSS Instruction 1253, March 2012: "This Instruction is formatted to align with the section numbering scheme used in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, August 2009, 'Recommended Security Controls for Federal Information Systems and Organizations,' (Reference 3) to ensure CNSSI No. 1253 serves as a companion document to NIST SP 800-53." CNSS Instruction 1253 provides security categorization guidance for national security systems.
Page 53

Presentation Notes:
Implementation Detail:
- Control selection is based on the risk assessment.
- Fully describe how the control is implemented.
- Document differences between subsystems ("components" or "elements") in the same System Security Plan.
Control types to document: system-specific controls, compensating controls, common controls, hybrid controls, tailored controls.
Page 54

Common Controls, System-specific Controls, Hybrid Controls (NIST SP 800-37 Rev 1)

Presentation Notes:
System-specific controls are controls that are under the direct control of the information system owner and authorizing official and typically exist within the system boundary of a given system.
Common controls are controls that are under the auspices of the agency or organization and are implemented, assessed and monitored for multiple systems, and are not under the direct control of an information system owner and authorizing official for a given system, yet those controls are inherited and directly protect the system. Organization-wide policies are a good example of common controls.
Hybrid controls are those controls with shared responsibility in implementation, assessment and monitoring. Typically the information system owner may perform a portion of the control function or process while a different individual or group handles another portion of the control.
Page 55

Page 56

Page 57

Presentation Notes:
Component (Subsystem) Example. Implementation Detail:
- Component 1 (Network Devices): control satisfied via the following. A configuration management system retrieves a baseline configuration from all network devices and reports changes via a version control system. The checklist for installation includes a requirement to register new devices in the version control system. The system compares deltas in configurations and notifies technical staff about changes.
- Component 2 (Workstations): control satisfied via the workstation benchmark documentation, which records what has changed in the baseline. The Agency Incident Response team performs vulnerability scans on a regular basis. The Information Technology Department reports changes; the system administrator evaluates materiality.
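The Component 1 description above is really a three-part procedure: keep a baseline per device under version control, require registration at install time, and diff each retrieved configuration against its baseline. The following added example (my code, not the deck's and not any vendor's product) runs that comparison on constructed sample configurations. Device names and configuration lines are invented, and the "version control system" is represented by a plain dictionary of baselines; the unregistered-device check is what catches an installation that skipped the checklist step.

```python
import difflib
from typing import Dict, List

# Constructed sample: baselines as stored in version control (hypothetical device names).
BASELINE: Dict[str, str] = {
    "core-sw-01": "hostname core-sw-01\nntp server 10.0.0.5\nlogging host 10.0.0.9\n",
    "dist-sw-02": "hostname dist-sw-02\nntp server 10.0.0.5\nlogging host 10.0.0.9\n",
}

# Constructed sample: what the configuration management system retrieved today.
# core-sw-01 has a changed NTP server; edge-rtr-03 was never registered.
CURRENT: Dict[str, str] = {
    "core-sw-01": "hostname core-sw-01\nntp server 10.0.0.7\nlogging host 10.0.0.9\n",
    "dist-sw-02": "hostname dist-sw-02\nntp server 10.0.0.5\nlogging host 10.0.0.9\n",
    "edge-rtr-03": "hostname edge-rtr-03\nntp server 10.0.0.5\n",
}


def config_delta(baseline_text: str, current_text: str, name: str) -> List[str]:
    """Unified diff of baseline vs. current; an empty list means no change."""
    return list(difflib.unified_diff(
        baseline_text.splitlines(), current_text.splitlines(),
        fromfile=f"baseline/{name}", tofile=f"current/{name}", lineterm="",
    ))


def compare_configs(baseline: Dict[str, str], current: Dict[str, str]) -> dict:
    """Classify every device: unchanged, changed (with its delta), unregistered, or missing."""
    report = {"unchanged": [], "changed": {}, "unregistered": [], "missing": []}
    for name in sorted(current):
        if name not in baseline:
            # Retrieved a configuration for a device with no baseline in version
            # control: the installation checklist's registration step was missed.
            report["unregistered"].append(name)
            continue
        delta = config_delta(baseline[name], current[name], name)
        if delta:
            report["changed"][name] = delta
        else:
            report["unchanged"].append(name)
    # Baseline exists but nothing was retrieved: device down, renamed, or removed.
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def notifications(report: dict) -> List[str]:
    """The messages technical staff would receive; nothing is sent for unchanged devices."""
    msgs = []
    for name, delta in report["changed"].items():
        changed_lines = [l for l in delta
                         if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
        msgs.append(f"CHANGE {name}: {len(changed_lines)} line(s) differ from baseline")
    for name in report["unregistered"]:
        msgs.append(f"UNREGISTERED {name}: no baseline in version control "
                    "(installation checklist step missed)")
    for name in report["missing"]:
        msgs.append(f"UNREACHABLE {name}: baseline exists but no current configuration retrieved")
    return msgs


if __name__ == "__main__":
    result = compare_configs(BASELINE, CURRENT)
    for line in notifications(result):
        print(line)
    for name, delta in result["changed"].items():
        print("\n".join(delta))
```

Each notification is a change to be evaluated, not a finding by itself: the slide's Component 2 note has the system administrator judge materiality, and the same applies here. A changed NTP server may be an approved change that simply needs the baseline updated and committed, which is why the diff is kept with the report rather than just a changed/unchanged flag.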
Page 58

"Compensating security controls are the management, operational, or technical controls used by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system." Source: NIST SP 800-100 § 8.4.4

Presentation Notes:
Compensating Controls
Page 59

1. Select controls from 800-53
2. Complete and convincing rationale
3. Assess and formally accept risk

Presentation Notes:
Compensating Controls. "The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security control baselines, that provide equivalent or comparable protection for an information system." Source: FIPS 200
"The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system." Source: SP 800-53
Page 60

1. Agency has developed and documented common controls
2. Agency has assigned responsibility for the common control
3. System owners should be made aware
4. Expert in the common control consulted
5. Agency, Campus or Center common control

Presentation Notes:
Common controls are controls that are under the auspices of the agency or organization and are implemented, assessed and monitored for multiple systems, and are not under the direct control of an information system owner and authorizing official for a given system, yet those controls are inherited and directly protect the system. Organization-wide policies are a good example of common controls.
A common control is a security control that can be applied to one or more agency information systems and has the following properties: (1) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and (2) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied. Source: SP 800-53; FIPS 200
Page 61

Presentation Notes:
Common Control Example. Implementation Detail, Common Control:
- Item (i): control satisfied via the Security of Information Technology Policy, Chapter 19 (Identification and Authentication) and Chapter 20 (Logical Access Controls).
- Item (ii): defined by the Common Access Controls Procedures for IT Systems Policy (when finalized).
Page 62

Presentation Notes:
Hybrid Controls: a portion of the control is outside the control or scope of the system owner. For example, physical security may be handled at the gate and building level by a guard service, while access to the computer room is handled by system staff. Document what is done by whom; coordination between the responsible parties is required.
Hybrid controls are those controls with shared responsibility in implementation, assessment and monitoring. Typically the information system owner may perform a portion of the control function or process while a different individual or group handles another portion of the control.
Page 63: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
Presentation Notes
Hybrid Control Example
PS-3 PERSONNEL SCREENING
Control: The organization screens individuals requiring access to organizational information and information systems before authorizing access.
Implementation Detail: Center Hybrid Control; see System Owner action(s) needed. Control is satisfied via the following:
- Guard Service Actions: All Center Level access is managed by Guard Service.
- Human Resources Actions: Civil Servants and contractors are screened by Human Resources.
- System Owner Action: Access is not granted to users until screening by Guard Service and Human Resources. No screening beyond what is provided by Guard Service and Human Resources.
Page 64: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls

Source: NIST SP 800-100 § 8.4.1

Presentation Notes
Scoping Guidance
System security plans should clearly identify which security controls used scoping guidance and include a description of the type of considerations that were made.
Reasons for tailored controls:
- Assessment of risk
- Organization-specific security requirements
- Specific threat information
- Cost-benefit analyses
- Availability of compensating controls
- Special circumstances
An agency has the flexibility to tailor the security control baseline in accordance with the terms and conditions set forth in the standard. Tailoring activities include (1) the application of scoping guidance, (2) the specification of compensating controls, and (3) the specification of agency-defined parameters in the security controls, where allowed. The system security plan should document all tailoring activities. (NIST SP 800-100 sec. 8.4.2)
System security plans should clearly identify which security controls used scoping guidance and include a description of the type of considerations that were made. (NIST SP 800-100 sec. 8.4.3)
The application of scoping guidance must be reviewed and approved by the authorizing official for the information system. (NIST SP 800-100 sec. 8.4.3)
Page 65: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls

Criteria         Rating
Confidentiality  Moderate
Availability     Low
Integrity        Low

Presentation Notes
Scoping Guidance Example
PE-11 EMERGENCY POWER
Control: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
System consists of desktop computers.
Page 66: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
Presentation Notes
Scoping Guidance Example
Implementation Detail: Control not implemented; applied scoping guidance per NIST SP 800-53 rev. 1 pages 18-20. Desktop systems do not need an uninterruptible power supply. Removing this control does not affect the security-relevant information within the system. The system is rated moderate for confidentiality and low for availability, and the control addresses availability, not confidentiality. Systems with low availability do not require uninterruptible power supplies.
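As an added example (not part of the course material), the documentation checks the slides describe for common, hybrid and scoped-out controls, run over constructed SSP entries modelled on the PS-3 and PE-11 examples and the FIPS 199 ratings above. The ControlEntry fields, the rule that only a low-rated security objective supports removing a control, and the XX-9 entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tailoring reasons listed on the slide (NIST SP 800-100 sec. 8.4.1).
TAILORING_REASONS = {
    "assessment of risk", "organization-specific security requirements",
    "specific threat information", "cost-benefit analyses",
    "availability of compensating controls", "special circumstances",
}

@dataclass
class ControlEntry:                        # assumed SSP record layout
    control_id: str
    kind: str                              # "common", "hybrid" or "system-specific"
    implemented: bool = True
    responsible: Dict[str, str] = field(default_factory=dict)  # portion -> party
    objective: Optional[str] = None        # security objective the control addresses
    scoping_reason: Optional[str] = None   # why the control was tailored out
    ao_approved: bool = False              # authorizing official reviewed the tailoring

def check_entry(entry: ControlEntry, categorization: Dict[str, str]) -> List[str]:
    """Return documentation findings for one SSP control entry ([] if clean)."""
    f, cid = [], entry.control_id
    if entry.kind == "common" and not entry.responsible:
        f.append(f"{cid}: common control must name the provider it is inherited from")
    if entry.kind == "hybrid" and len(entry.responsible) < 2:
        f.append(f"{cid}: hybrid control must document who performs each portion")
    if entry.kind == "hybrid" and "system owner" not in {p.lower() for p in entry.responsible.values()}:
        f.append(f"{cid}: hybrid control must state the system owner action")
    if not entry.implemented:
        if (entry.scoping_reason or "").lower() not in TAILORING_REASONS:
            f.append(f"{cid}: tailored-out control needs one of the documented reasons")
        if not entry.ao_approved:
            f.append(f"{cid}: scoping guidance must be approved by the authorizing official")
        rating = categorization.get(entry.objective or "", "unknown")
        if rating != "low":  # assumption: only a low-rated objective supports removal
            f.append(f"{cid}: addresses {entry.objective} rated {rating}; justify removal")
    return f

def check_plan(entries: List[ControlEntry], categorization: Dict[str, str]) -> List[str]:
    return [x for e in entries for x in check_entry(e, categorization)]
# Constructed sample: the slide's FIPS 199 ratings, entries modelled on PS-3 and
# PE-11 from the slides, and a hypothetical badly documented entry XX-9.
CATEGORIZATION = {"confidentiality": "moderate", "integrity": "low", "availability": "low"}
PS3 = ControlEntry("PS-3", "hybrid", responsible={"center access": "Guard Service",
      "screening": "Human Resources", "grant access after screening": "System Owner"})
PE11 = ControlEntry("PE-11", "system-specific", implemented=False, objective="availability",
                    scoping_reason="assessment of risk", ao_approved=True)
XX9 = ControlEntry("XX-9", "system-specific", implemented=False, objective="confidentiality",
                   scoping_reason="not needed")
```

Running check_plan([PS3, PE11, XX9], CATEGORIZATION) reports nothing for PS-3 and PE-11 and three findings for XX-9: an unlisted reason, no authorizing-official approval, and a confidentiality control removed from a system rated moderate for confidentiality.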
Page 67: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
Presentation Notes
Summary (System Security Plan)
- A single reference for documenting the controls in place
- Documents the current security posture of the system
- Supports oversight and review
- Documents system boundaries
- Helps with planning and budget
- Integrates security into the system
- Does not mean the controls are in place
Page 68: Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
Presentation Notes
Class Discussion: System Security Plans
- Are your system security plans kept up-to-date? How often are they updated?
- How would you ensure the system security plan was kept up-to-date?
- How does your organization use common controls, compensating controls, hybrid controls and tailored controls?
- An auditor/assessor has come to you a number of times with questions about your control implementation detail. Is this an indication of something? If so, what?
- How would you use components in a system security plan?