The special pick from NIST 800-53r4 was about compensating controls and the conditions under which they may be employed by companies. According to NIST, compensating controls are controls that provide equivalent or comparable protection for organizational information systems and the information processed, stored, or transmitted by those systems.
Compensating controls may be employed under the following circumstances:
• If appropriate compensating controls are not available, organizations adopt suitable compensating controls from other sources.
• Organizations provide supporting rationale for how compensating controls provide equivalent security capabilities for organizational information systems and why the baseline security controls could not be employed.
• Organizations assess and accept the risk associated with implementing compensating controls in organizational information systems.
Hi Percy,
It’s very important that an organization is aware of the circumstances in which to implement compensating controls. Amongst the different circumstances, at least it gives an organization more options/scenarios when considering implementation as confirmation.
Best,
Natalie Dorely
NIST 800-53 revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations) provides guidelines for selecting and specifying security controls for organizations and information systems. It is used when selecting controls, which is the second step in the Risk Management Framework, to meet the requirements in accordance with FIPS 200. One key point I took from this is the gap analysis process, which applies to legacy systems where some activities, such as security categorization or security control selection, have already been done. To perform a gap analysis, organizations have to:
– Reconfirm the security category and impact level, and update them if there is any change.
– Review the existing security plan to reassess the risk, or revise the security plan if there is any change.
– Implement the security controls aligned with NIST 800-53 along with the security plan updated in the previous step.
Hello Num,
The gap analysis approach enables organizations to conduct an initial capability assessment to determine the types of threats they can reasonably expect to counter, and if the firm’s current defensive capabilities are insufficient, the gap analysis determines the required capabilities for the organization. This is a more reasonable approach to tackling security challenges because organizations are able to evaluate their strengths and weaknesses, increase their defensive capabilities and enhance their cyber preparedness.
The purpose of this publication is to provide guidance for selecting security controls for organizations to meet FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, and to provide recommendations for selecting security controls for IS categorized according to FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. The security controls in this publication should be applied as part of a risk management process that supports the organization’s information security programs.
Hello Zeynep,
You have rightly said that this document provides organizations with guidelines for selecting security controls to meet the minimum security requirements of FIPS 200. Also, it is important to consider these controls during the risk management process, as the risk owners can get a better idea of the risk profile of the IT systems, and further controls can be implemented if required.
NIST 800-53r special publication provides guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, which specifies the minimum security requirements. This document provides a holistic approach to information security and risk management by providing organizations with a catalogue of security controls necessary to fundamentally strengthen their information systems. The security controls defined in this publication are to be employed as part of a well-defined risk management process that supports organizational information security programs. To assist organizations in making the appropriate selection of security controls for information systems, baseline controls are provided, which are the starting point for the security control selection process. They are chosen based on the security category and associated impact level of information systems, determined in accordance with FIPS Publication 199 and FIPS Publication 200, respectively.
Hi Akshay, very nice response. I like how you mentioned in your post the “risk management process” and how the categorization of information assets is really a cornerstone process in risk management. In addition, when classifying assets, auditors need to take a step back and look at the holistic view of a tech environment. You also mentioned that 800-53r touches on a ‘catalog of security controls’ for — at least — a fundamental lockdown on security.
A section I found interesting in NIST SP 800-53 is creating overlays. This process takes place after you have created security baselines for your given environment. An overlay is a specifically tailored alteration of the baseline to address specialized requirements, technologies, or unique areas of operation. What this gives you is still a standardized security posture and consistent implementation, but it documents the changes and exceptions for a given environment. Figure 4 covers the iterative process of creating tailored overlays. You start with the initial security baseline and then begin analyzing what changes need to be made. This happens by identifying common controls, applying scoping considerations, selecting compensating controls, supplementing baseline security controls and providing additional specifications for implementation. While doing that, documentation of the reasoning and the agreed-upon changes needs to be made to understand why the system was configured outside the baseline. After that you then have your tailored overlay. I found this section interesting when thinking about possible situations in which this would be needed.
Nice summary on creating overlays. There can definitely be a number of situations where an overlay is needed, and having that documentation can save a lot of headaches in the future when auditing a system.
As I was reading through the NIST 800-53 publication titled “Security and Privacy Controls for Federal Information Systems and Organizations”, I noted the significance of the section focusing on tailoring baseline security controls and its role in the organizational risk management process. The primary reason for this was what we’ve seen and read in the previous classes regarding the selection of security control baselines. Among the more interesting things I learned about the tailoring of baseline security controls is how tailoring decisions must be justified based on the organization’s mission and business needs, and must be documented in the organization’s security plans.
Great point, Imran. As IT Auditing & Cybersecurity professionals, it is important for us to understand the Risk Management Framework security life cycle and its application procedures, which are as follows: The first step is to categorize the information system based on a FIPS Publication 199 impact assessment. The next is the selection of the applicable security control baseline based on the results of the security categorization. After this, we can implement the security controls and document the design, development, and implementation details for the controls. We have to assess the implemented security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. After assessing the security controls, we can authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system, and the decision that this risk is acceptable. The last step is monitoring of the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance with legislation, Executive Orders, directives, policies, regulations, and standards.
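As an added worked example (not part of this discussion thread and not NIST's own material), the following Python sketch ties together three points raised above: the FIPS 199/200 categorize-and-select steps of the RMF, the gap-analysis steps for a legacy system (reconfirm the category, compare the plan with the baseline, implement what is missing), and the three conditions 800-53r4 attaches to compensating controls (a substitute control, a documented rationale, and assessed and accepted risk). The high-water-mark rule is the one FIPS 200 states; `SAMPLE_BASELINES`, the substitute control name and the sample security plan are constructed placeholders, not the Appendix D baselines, and the function and class names are my own.

```python
# Added example (not from the discussion thread or from NIST): a small model of
# RMF steps 1-2 and the tailoring/gap-analysis checks discussed above.
# SAMPLE_BASELINES and the substitute control are constructed placeholders,
# not the 800-53r4 Appendix D tables.
from dataclasses import dataclass, field

IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}


def categorize(confidentiality, integrity, availability):
    """FIPS 200 high-water mark: the system impact level is the highest impact
    assigned to any of the three security objectives (FIPS 199 values)."""
    levels = (confidentiality, integrity, availability)
    for lvl in levels:
        if lvl not in IMPACT_ORDER:
            raise ValueError(f"unknown impact level: {lvl}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


# Constructed, abbreviated sample baselines (real ones: 800-53r4 Appendix D).
# Each sample baseline contains the controls of the one below it.
SAMPLE_BASELINES = {
    "low": {"AC-2", "AC-3", "AU-2", "IA-2", "IA-2(1)"},
    "moderate": {"AC-2", "AC-2(1)", "AC-3", "AU-2", "AU-6",
                 "IA-2", "IA-2(1)", "IA-2(2)"},
    "high": {"AC-2", "AC-2(1)", "AC-2(2)", "AC-3", "AU-2", "AU-6",
             "IA-2", "IA-2(1)", "IA-2(2)", "IA-2(3)"},
}


def select_baseline(impact):
    """RMF step 2: pick the initial baseline from the system impact level."""
    return set(SAMPLE_BASELINES[impact])


@dataclass(frozen=True)
class CompensatingControl:
    replaces: str          # baseline control that could not be employed
    substitute: str        # substitute control (constructed name)
    rationale: str         # why the substitute gives equivalent protection
    risk_accepted_by: str  # who assessed and accepted the residual risk


@dataclass
class SecurityPlan:
    impact: str                    # impact level recorded in the existing plan
    implemented: set               # control IDs implemented today
    compensating: list = field(default_factory=list)


def gap_analysis(plan, reconfirmed_impact):
    """Walk the gap-analysis steps: reconfirm the category, compare the
    baseline with what is implemented, then check that every compensating
    control carries a rationale and an explicitly accepted risk."""
    findings = []
    if reconfirmed_impact != plan.impact:
        findings.append(f"recategorize: plan says {plan.impact}, "
                        f"reconfirmed {reconfirmed_impact}")
    baseline = select_baseline(reconfirmed_impact)
    compensated = {c.replaces for c in plan.compensating}
    for ctl in sorted(baseline - plan.implemented - compensated):
        findings.append(f"gap: {ctl} neither implemented nor compensated")
    for c in plan.compensating:
        if c.replaces not in baseline:
            findings.append(f"unneeded: {c.replaces} is not in the "
                            f"{reconfirmed_impact} baseline")
        if not c.rationale.strip():
            findings.append(f"missing rationale: {c.replaces}")
        if not c.risk_accepted_by.strip():
            findings.append(f"risk not accepted: {c.replaces}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a plan written when the system was categorized "low",
    # re-assessed after its integrity impact rose to "moderate".
    plan = SecurityPlan(
        impact="low",
        implemented={"AC-2", "AC-3", "AU-2", "IA-2", "IA-2(1)"},
        compensating=[CompensatingControl("AU-6", "manual weekly log review",
                                          "reviewer signs off on exported logs",
                                          "")],
    )
    for line in gap_analysis(plan, categorize("low", "moderate", "low")):
        print(line)
```

Run as a script, the sample plan produces a recategorization finding, two uncovered moderate-baseline controls, and one compensating control whose risk nobody has accepted; that last finding is the check an auditor would look for first, because the substitute and its rationale are present but the third condition is not met.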
One important aspect of the NIST 800-53r4 Security and Privacy Controls for Federal Information Systems and Organizations is the Processes for Identifying Additional Needed Security Controls. Organizations can employ a requirements definition approach or a gap analysis approach in selecting controls and control enhancements to supplement initial baselines. For the requirements definition approach, organizations obtain specific and credible threat information or make reasonable assumptions about the activities of adversaries with certain capabilities, such as skill level, expertise, and available resources. Understanding the capabilities of the adversary will enable organizations to strive to achieve a certain level of defensive capability or cyber preparedness.
However, the gap analysis approach begins with an organizational assessment of its current defensive capability or level of cyber preparedness. Through the initial capability assessment, organizations determine the types of threats they can reasonably expect to counter, and if their current defensive capabilities are insufficient, the gap analysis determines the required capabilities for the organization. Both of the approaches described above require timely and accurate threat information, and as IT security professionals, it’s necessary for us to familiarize ourselves with these procedures so we may properly guide the organizations we serve.
Hello,
As I was reading through your takeaway from the NIST publication 800-53 titled “Security and Privacy Controls for Federal Information Systems and Organizations”, I found myself enjoying your holistic summary of the two approaches to enhancing baseline controls. Personally, I favor the gap analysis approach, as I find it easier for organizations to self-reflect on their own information systems and newly implemented baseline controls. It also benefits organizations to compare their implemented controls with those of other organizations in the industry, to compare cyber preparedness.
The section I found interesting was the one regarding assurance and trustworthiness. It has become increasingly important that organizations hold a great deal of trust in the systems that are implemented within the organization. The two fundamental components that affect trustworthiness are security functionality and security assurance. Security functionality deals with the security features, functions, mechanisms, etc., while security assurance deals with the measure of confidence that the security functionality is implemented correctly. It makes sense that these two concepts would be the fundamental components of trustworthiness because they correlate with one another, which is how assurance in information systems comes into play.
One point from NIST 800-53r4 that I found interesting was the section regarding security control baselines and tailoring the controls to fit the needs of the business based on risk. Determining the control baseline appears comprehensive and based on a series of assumptions, with a separate list of assumptions to assist in determining if additional security controls are necessary. This also reminded me of the reading from the book and the need for there to be a sort of controls-for-the-controls in order to mitigate insider threats to the system.
Hi Puffen,
The right controls correspond to the right business. IT security itself is a long-term capital-consuming project, and adjusting controls for cost and benefit is very important. The set of assumptions in NIST 800-53r4 can help organizations make good predictions.
NIST 800-53r4 focuses on one of my favorite entities to study the security of — Federal Information Systems and Organizations. The security of the US federal information assets means the security of 350 million+ citizens, government officials, and foreign entities. The aspect that fascinates me the most is the intertwining of the several different policies and frameworks. The reliance on the FIPS guidelines and regulations amazes me. You can truly see how the framers of the documents worked to write a story and make the most sense with all of the security-related documents; and finding the nuances in the ‘why’ will separate the good from the great.
Hi Alexander,
Thanks for giving the overview of NIST 800-53r4. FIPS are like the first story of a tall building. With that basis, the other documents build on it and make their solutions and guides based on the base guide, FIPS.
I found the additional Appendix E, Penetration Testing, interesting. Appendix E was not in the previous version (800-53r4). Here in the 800-53Ar4, more details, considerations, and criteria are specified for developing/implementing an effective pen-test.
Given the fact that pentesters were jailed for the work they were paid for (see the news section), I’ve been wondering if they had any definition of the rules of engagement, as recommended in NIST.
They also changed the format, in case you search for a control. For example, IA-2[1] in the 800-53Ar4 would be IA-2(1) in the 800-53r4.
The NIST 800-53r4 refers to the relationship between security controls and risk. All security controls go through three problems: 1. What kind of control can effectively reduce the risk? 2. 3. What level of control is effective? There is also multitiered risk management, which divides risk into three layers: organization, task/business process, and information system. The primary enforcement location for risk is layer 3 of the Risk Management Framework (RMF).
The key point I want to point out is the multi-tiered risk management. The given tiers can help us identify risks more easily and manage them accordingly, as risks at different levels have different influences and management strategies. With risks at different levels, each level can create a feedback loop with the others, which gives the whole process synergy.