The key takeaway I find is selecting a security baseline. The security baseline is a series of security configuration benchmarks formulated to confirm that the relevant equipment and systems in the enterprise network environment have reached the most basic protection capabilities. The security baseline is the minimum security guarantee of an information system, the most basic security requirements that the information system needs to meet.
First of all, corporate information or technology departments should formulate a corporate security baseline management system at the macro level to ensure security baselines. The management system should clearly specify the division of responsibilities for implementing the security baseline work, the requirements for using the baseline, and the supervision and inspection of the baseline system. In the division of responsibilities, define the department that formulates the baseline and the department that revises and reviews it; specify the operators of specific baselines such as network equipment, servers, middleware, and databases; and monitor and inspect the results of equipment security baseline configuration. In the baseline usage requirements, specify the applicable requirements for Internet and intranet system baselines, and the applicable requirements for system baselines at different levels. It should also clearly stipulate the baseline requirements for new online systems, third-party system access, important system changes, and major system changes. For situations where the baseline standard cannot be met due to business needs, the approval process and alternative handling measures should also be specified in the baseline usage requirements.
Hi Zibai, I agree with your point of view. The IT committee and management should form a corporate security baseline, so employees have a direction to execute the actual policies and rules.
Hi Zibai,
I agree with your point of view. I appreciate your view on when and when not to use baseline controls. One size is not suitable for all. When evaluating baseline controls, the tailoring process and/or compensating controls are very important. It seems that smaller organizations tend to rely entirely on cloud-based security controls, and they may or may not get enough information to realize that they should consider other controls, depending on the sensitivity of their data/business nature.
The purpose of this publication is to provide guidance for the selection of organizational security controls in accordance with FIPS Publication 200, Federal Minimum Security Requirements for Information and Information Systems, and to provide recommendations for the selection of security controls for information systems in accordance with the FIPS Publication 199 standard. Guidelines are also provided for organizations to select security controls to meet the minimum security requirements of FIPS 200. In addition, it is important to consider these controls in the risk management process, because the risk owner can better understand the risk profile of the IT system and the further control measures that can be implemented if needed.
Great summary on this publication. Essentially, this helps an organization establish a baseline for their system. The baseline should be evaluated and may need additional modification to mitigate risk to an acceptable level. Additionally, the security controls should be reviewed periodically to ensure adequate security.
Multitiered risk management is a process and an approach to security control. The main logic is to mitigate risk and consider all aspects of the operation: what kind of risk will occur during the operation, and what will it cost the organization to get back to normal? Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. The three-tier approach is one way to dive in. Tier 1 provides a prioritization of organizational missions/business functions, which in turn drives investment strategies and funding decisions. Tier 2 includes defining the mission, determining the security categories, incorporating information security requirements, and establishing an enterprise architecture. Tier 3 includes the risk management framework.
The implementation of the multitiered risk management concept does ensure that residual risk is at its minimum possible level. Risk is evaluated at different levels in the organization hence proving vital in aligning the process with business goals and objectives.
I find that section 3.2, tailoring baseline security controls, is what I am most interested in, and it is also most relevant to my current working environment. The tailoring process should be part of the overall risk management process. Based on my experience, it seems unlikely that smaller organizations will invest a large amount of time and/or resources in the tailoring part of their controls. They tend to imitate the “best practices” of large organizations, thus limiting their tailoring process. The most prominent point in this section is that organizations should not remove security controls for operational convenience. This is another area in which smaller organizations may lack the mindset and process of security control. A critical control appears to be “wasteful”, hard to maintain, or something that will “slow everyone down” until something happens that these controls, had they been in place, would have prevented. The documentation process is also crucial for adjusting control measures. Recording the rationale of risk management is very important for future business and system decisions.
The process of selecting and specifying security controls for organizational information systems includes four steps: selecting appropriate security control baselines; tailoring the baselines; documenting the security control selection process; and applying the control selection process to new development and legacy systems.
First, organizations select a security control baseline while categorizing the information, which determines the criticality and sensitivity of the information to be processed, stored, or transmitted by information systems. Next, according to the specific conditions within the organization, they need to modify and tailor the baselines. Then, organizations need to document the security control selection process, because it helps to implement risk management and to review the related information earlier and in the future. Finally, organizations apply the control selection process to new development and legacy systems.
This document is very important for security and privacy controls. It helps us categorize and select the controls necessary for an organization. In the second section we learned about the risk management framework. To quote, “The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate.” The risk management framework outlines a continuous process where you categorize, select, implement, assess, authorize and monitor different risks. With this framework in mind, you can apply the appropriate security control for the risk. In section three, we learn how to use the families from section two to select and specify which controls you apply. It helps us learn how to tailor the controls, document them and apply them.
To me, the documentation of the controls is the most important part. When reviewing the control in the future, you’ll have the documentation to refer to when assessing the control.
Hi Jonathan,
Thanks for sharing. I also find that an important aspect of security and privacy controls for federal information systems and organizations is the process of identifying the additional security controls that are required. An organization can use a requirements definition approach or a gap analysis approach when selecting controls and control enhancements to supplement the initial baseline. For the requirements definition approach, the organization obtains specific and credible threat information or makes reasonable assumptions about the activities of the adversary. Understanding the capabilities of the adversary will enable the organization to strive to achieve a certain level of defense capability or cyber readiness.
The NIST SP 800-53r4 publication provides a catalog of security and privacy controls for federal information systems. NIST SP 800-53r4 also has a process for selecting controls to protect organizational operations. There are three steps in selecting security controls:
(Step 1) Determine Baseline Controls
– Determine whether you need to implement low, moderate or high controls for a particular system
(Step 2) Tailor the Controls
– Not all security controls can be used, because they may break your system. In some cases they are simply not applicable.
There are also common controls, hybrid controls, and system-specific controls.
Common Controls:
– Organization-wide
– Organization-owned
– Inheritable
– Example: (Physical Controls) security cameras, fences, mantraps
System-Specific Controls:
– Information system owner
– Technical
– Not inherited
– Example: AU controls on a Linux system
Hybrid Controls:
– Mixture of common + system-specific controls
– Example: Incident response controls
(Step 3) Document the Controls
– Use a System Security Plan to document the controls
– Then get it authorized by a higher level
This is a very helpful breakdown for understanding the steps of selecting security controls. It is very interesting to see how many different common, hybrid and system-specific controls there are. Most things should fall under the standard control groups; however, these one-off type controls, if not maintained, could be the reason the whole thing comes down.
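The three steps listed above (and the four-step description of the same process earlier in the thread) are easier to reason about with a concrete model. The following is an added example, not code from the original thread or from NIST: it derives the system impact level with the FIPS 200 high-water-mark rule, selects the baseline controls for that level, tailors the baseline while refusing to drop a baseline control that has no written justification, and emits a minimal documentation block of the kind that would go into a System Security Plan. The control IDs and baseline allocations in CATALOG are a small constructed subset chosen for illustration; check Appendix D of SP 800-53r4 before relying on any allocation shown here. The record layout and function names are this example's own assumptions.

```python
"""Added example (not from the thread or from NIST): baseline selection,
tailoring, and documentation of SP 800-53r4 controls, in miniature."""

LEVELS = ("low", "moderate", "high")

# Constructed catalog subset: control id -> (title, lowest baseline that
# includes the control).  "none" marks a control that is in no baseline and
# can only be added as a supplemental control.  Verify against Appendix D.
CATALOG = {
    "AC-2":     ("Account Management", "low"),
    "AC-2(1)":  ("Automated System Account Management", "moderate"),
    "AU-2":     ("Audit Events", "low"),
    "AU-6(1)":  ("Process Integration", "moderate"),
    "AU-10":    ("Non-repudiation", "high"),
    "IR-4":     ("Incident Handling", "low"),
    "PE-3":     ("Physical Access Control", "low"),
    "SC-7(15)": ("Route Privileged Network Accesses", "none"),
}


def high_water_mark(confidentiality, integrity, availability):
    """FIPS 200 rule: the system impact level is the highest impact level
    assigned to any of the three FIPS 199 security objectives."""
    levels = (confidentiality, integrity, availability)
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=LEVELS.index)


def select_baseline(impact_level):
    """Step 1: every catalog control allocated to this baseline or a lower one."""
    rank = LEVELS.index(impact_level)
    return {cid for cid, (_, floor) in CATALOG.items()
            if floor != "none" and LEVELS.index(floor) <= rank}


def tailor(baseline, *, common=(), hybrid=(), remove=None, supplement=None):
    """Step 2: tailor the baseline and classify each control.

    common / hybrid  - ids implemented as common or hybrid controls
    remove           - {id: justification}; a baseline control cannot be
                       dropped without a non-empty justification
    supplement       - {id: justification} for controls added above baseline
    Returns one record per control, including the removed ones, so the
    tailoring decisions stay traceable in the documentation.
    """
    remove = dict(remove or {})
    supplement = dict(supplement or {})
    for cid, why in remove.items():
        if cid not in baseline:
            raise ValueError(f"{cid} is not in the baseline; nothing to remove")
        if not why or not why.strip():
            raise ValueError(f"{cid}: baseline control removed without justification")
    for cid in supplement:
        if cid not in CATALOG:
            raise ValueError(f"{cid}: unknown control")
        if cid in baseline:
            raise ValueError(f"{cid} is already in the baseline")

    records = []
    for cid in sorted(baseline | set(supplement)):
        if cid in remove:
            continue
        kind = "common" if cid in common else "hybrid" if cid in hybrid else "system-specific"
        records.append({"id": cid, "title": CATALOG[cid][0], "implementation": kind,
                        "origin": "supplemental" if cid in supplement else "baseline",
                        "justification": supplement.get(cid, "")})
    for cid, why in sorted(remove.items()):
        records.append({"id": cid, "title": CATALOG[cid][0], "implementation": "removed",
                        "origin": "baseline", "justification": why})
    return records


def build_ssp_control_section(impact_level, records):
    """Step 3: a minimal documentation block, one line per control."""
    lines = [f"System impact level: {impact_level}"]
    for r in records:
        line = f"{r['id']:<9} {r['implementation']:<15} {r['title']}"
        if r["justification"]:
            line += f"  [{r['origin']}: {r['justification']}]"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    level = high_water_mark("low", "moderate", "low")   # moderate system
    base = select_baseline(level)
    recs = tailor(base, common={"PE-3"}, hybrid={"IR-4"},
                  remove={"AC-2(1)": "no automated provisioning; manual review monthly"},
                  supplement={"SC-7(15)": "isolate privileged admin paths per threat assessment"})
    print(build_ssp_control_section(level, recs))
```

The check in tailor is the point of the example: a removal with an empty justification is rejected rather than silently recorded, which is the guard against dropping a control "for convenience" that the tailoring section of the publication warns about, and the removed control still appears in the documentation so an assessor can see what was taken out and why.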
I think an important point from NIST 800-53r4 is in section 2.6, where it explains Assurance and Trustworthiness. As we rely more and more on information security tools, we have to believe that the tools we create behave according to how we designed them. Two main components of trustworthiness are Security Functionality and Security Assurance. Security Functionality is the services and security features implemented within organizational information systems and their environments. Security Assurance is how we measure our confidence that the security functionality was implemented correctly. On paper, you can have top-notch security functionality, but if security assurance fails, that poses a problem with trust in the system that was created. Those who create security functionality should provide confidence in their work to ease the minds of others using the systems.
Trustworthiness is a crucial aspect, since we cannot implement a security control that we are not sure works right or as per our requirements. This applies to all systems and IT environments within each organization.
In section 2.5 the issue of outsourcing through vendors is addressed. It is a great challenge to align the security and privacy controls of an external organization with your own. Hence, this publication tries to help organizations overcome not only the challenges listed below but many others too:
• Defining the types of external information system services provided to organizations;
• Describing how those external services are protected in accordance with the information security requirements of organizations; and
• Obtaining the necessary assurances that the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of the external services is acceptable.
Above all, it comes down to the level of trustworthiness between the organizations since some service provisions can result in there being a non-explicit agreement with the provider. However, the publication notes that the risk responsibility still lies with the authorizing officials of the outsourcing organization.
Outsourcing is sometimes a necessary aspect of organizations. Unfortunately, proper security controls should be in place because outsourcing adds another point of entry to the organization. See what happened to Target only a few years ago.
This publication lists various security controls for federal systems to aid in protecting them from hostile cyber attacks, natural disasters, structural failures, and human errors. The controls listed were designed to be technology-neutral, meaning that they focus on the fundamental safeguards necessary to protect information while in process, in storage, and during transmission. One key feature in the reading was baselining. A security control baseline must be established before specifying which security controls to implement on a system. The baseline is based on the FIPS 200 impact level that was given to a particular system. Certain factors are considered when determining a baseline for an information system, such as the physical location of the information system, the type of information that is being stored/processed, the nature of the operations conducted by the organization, or the types of threats facing the organization. Once the baseline is established, proper security controls can be tailored around that baseline to properly protect the information.
Hi Anthony, thanks for the summary on security control baselining. I agree it is an important step in the control selection process and helps set the stage for any countermeasure implementation that may come out of the control selection. Baselines allow organizations to determine their risk posture and how to prioritize control improvements given the various factors surrounding specific information and information systems.
One key point that I took away from this reading is the multitiered risk management. The three-tiered approach is integrated with the risk management process throughout the organization and addresses business concerns with the objective of continuous improvement in the risk related activities and inter-tier and intra-tier communications. The three tiers at which risk management should be addressed are: organizational tier, business process tier, and information systems tier. Figure 1 in the book highlights the three tiers and the flow. Tier 1 which is the organizational tier prioritizes missions/business functions which drives investment strategies and funding decisions. Tier 2 which is the business process tier defines the missions/business processes needed to support the organizational mission/business functions, determining security categorizations, incorporating information security requirements, establishing an enterprise architecture. Tier 3 which is the information systems tier is central to the risk assessment process and is dependent on the correct and consistent allocation of security, including common controls, across the other tiers in order to operate efficiently.
It is important for organizations to have the most cost-effective and appropriate security controls to mitigate risk and follow the regulations. Many documents have mentioned that organizations need to select the most appropriate security controls to mitigate risk to an acceptable level. However, it is not easy for every organization to achieve this aim. They need to understand the starting point for selecting the correct controls. As NIST SP 800-53r4 mentions, baseline controls can help organizations complete the selection process, and they need to identify what impact level their information systems have, from low-impact to high-impact. Most organizations will start by assessing the high-impact level and put many resources into controlling that risk, and sometimes they may ignore the low-impact level because it may not affect operations. In doing so, they need a very useful risk assessment to select the security baseline controls, and the risk assessment needs to be sufficient to protect the organization's operations and resources.
This reading is the background and process outline for choosing security controls after the information and information systems have been classified into risk categories. An important point I took from the reading was related to how security controls can be layered as organization-wide common controls, hybrid controls, or system-specific controls. These tiers allow organizations to be more streamlined in their controls and not repeat controls for every information system used. For example, each control has a policy component and an operational component. The policy can be designated at the organizational level. For example, security training and awareness can be designated at the organization level, while mobility controls can be designated at the system-specific level.
This publication provides insight into the second step of the NIST cybersecurity risk framework for selecting security controls after a system has been categorized as a low, moderate, or high impact system. It provides a list of the seventeen control families and a catalog of controls that a system should implement based on the impact categorization. This assessment establishes a baseline of security controls that keep an information system well protected from various types of threats whether it’s internal, external, or man-made. Additionally, some systems may need more controls than what the baseline suggests due to a number of factors such as the data that is being processed, stored, the nature of the business, etc. This exercise should be performed periodically and add/remove security controls as necessary to minimize the risk the system faces.
The multitiered risk management section was the biggest takeaway from this document. Oftentimes we get lost in the idea that the security we are implementing is to protect the information systems or data. While that is true, it runs deeper than that, as security protects information systems, business processes and the organization as a whole. It takes in both strategic risk and tactical risk, and being able to address both of these is the goal of security. The documents are very detailed because the more transparent and traceable any risk is, the better the chance that the security team is able to find the issue quickly and resolve it. If it is hard to trace, the team or auditor will not be able to hold anyone accountable, leading to more problems. Resolving the threat or issue is the first step, but if a team is unable to figure out where it came from and who it falls under, it leaves the organization vulnerable to the same thing happening in the future.
One of the key takeaways from the reading is developing the security and privacy assessment plans, which are used to provide objectives and a roadmap for how to conduct the assessment. They can be either a combined plan or distinct plans, depending on how they are tailored to the organization's needs. They can be developed by:
– determining the scope of which security and privacy controls/control assessments are to be included; this should contain the contents of the plans, the purpose, and the scope of these assessments
– defining what procedures will be used during these assessments, which can be based on the security and privacy controls/control enhancements named within the scope
– tailoring the selected procedures, including the depth and coverage attribute levels of the assessments
– developing any additional procedures to address security/privacy requirements not already covered by NIST 800-53
– optimizing the assessment procedures to reduce wasted resources and duplication of assessments, providing more cost-effective solutions
– finalizing the assessment plans and obtaining the necessary approval for execution
I feel like these planning instructions are useful to identify before executing the plan to help the organization assess and only use needed resources. This can help save time and money, narrows down our areas of focus.
For modern enterprises, information security is essentially a problem of risk management, and risk management is based on the assessment, treatment and control activities of information security risks. Risk management is the process of identifying risks, assessing risks, taking measures to reduce risks to an acceptable level, and maintaining this level of risk. The core content of information security management is risk management, so we tend to summarize information security management as risk management. Like the information security management process, risk management is also a dynamic, developing and cyclic process. So-called risk management is a closed loop of continuous risk assessment, risk reduction and risk acceptance. So-called information security management is a process of continual self-improvement based on security risks, so we often say that information security is based on risk management. Risks can only be controlled and reduced, not eliminated. There is no such thing as absolute safety or zero risk in the real sense.
Hi, Junhan. Thank you for sharing. I agree that information security is a vital problem. This document mainly provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.
This document mainly provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs.
This document does a great job of listing different security controls for federal systems to help protect them from cybersecurity threats, attacks, natural disasters, technical and human errors. All of these controls are designed to be neutral when it comes to technology focus. One of the important aspects mentioned was baselining. A security control baseline must be established before specifying which security control to implement on a system. The baseline is based on the FIPS 200 document with the impact level that was given to a particular information system. Some factors are considered when determining a baseline for an information system such as the exact physical location the information system is located, the type of information/data that is being stored and processed, the kind of operations conducted by the organizations involved.
Hi, Prince. I agree that a security control baseline must be established before specifying which security controls to implement on a system. The baseline controls can help organizations complete the selection process, and they need to identify what impact level their information systems have, from low-impact to high-impact. When organizations understand what the baseline is for their security purposes, they can mitigate the risks.
The key takeaway I took from this publication is the criticality of identifying the controls you want to implement as an IS professional. It further highlights the importance of understanding your own business and business processes to correctly select the controls that will boost your InfoSec and reduce your risks. The goal of the document is not only to index the controls for the 17 control families, but to give a deeper insight into implementation details such as dependencies, and to give detail on assignment and selection statements, which provide “greater specificity to the control.” The controls are designed in such a way that, for the most part, they do not apply to any one particular technology, to expand the applicability of the control.
The key takes away I find, is selecting a security baseline. The security baseline is a series of security configuration benchmarks formulated to clarify that the enterprise network environment’s relevant equipment and systems have reached the most basic protection capabilities. The security baseline is the minimum security guarantee of an information system, the most basic security requirements that the information system needs to meet.
First of all, corporate information or technology departments should formulate corporate security baseline management systems from a macro level to ensure security baselines. The management system should clearly specify the division of responsibilities for implementing the safety baseline work, the requirements for using the baseline and implementing the baseline system for supervision and inspection. In the division of responsibilities, define the baseline formulation department, revision and review department; specify the operators of specific baselines such as network equipment, servers, middleware, and databases; monitor and inspect the equipment security baseline configuration results; specify the Internet and intranet in the baseline usage requirements System baseline applicable requirements, and applicable requirements of different levels of system baselines. It also clearly stipulates the requirements for new online systems, third-party system access, important system changes, and baseline application requirements for major system changes. For situations where the baseline standard cannot be met due to business needs, the approval process and alternate handling measures should also be specified in the baseline use requirements.
Hi Zibai, i agree with your point of view. the IT commetiee and management should form a coporation security baseline, so the employee has a direction to execute the actual policies and rules.
Hi Zibai,
I agree with your point of view. I appreciate your view on when and when to not use baseline control. One size is not suitable for all sizes. When evaluating baseline control, the tailoring process and/or compensation control are very important. It seems that smaller organizations tend to rely entirely on cloud-based security control, and they may or may not get enough information to realize that they should consider other controls, depending on the sensitivity of their data/business nature.
The purpose of this publication IS to provide guidance for the selection of organizational security controls in accordance with FIBS Publication 200, Federal Minimum Security Requirements for Information and Information Systems, and to provide recommendations for the selection of security controls for IS in accordance with FIBS Publication 199, Standard. Guidelines are also provided for organizations to select secure controls to meet the minimum security requirements of FIPS 200. In addition, it is important to consider these controls in the risk management process because the risk owner can better understand the risk profile of the IT system and further control measures that can be implemented if needed.
Hi Wenyao,
Great summary on this publication. Essentially, this helps an organization establish a baseline for their system. The baseline should be evaluated and may need additional modification to mitigate risk to an acceptable level. Additionally, the security controls should be reviewed periodically to ensure adequate security.
Multitiered risk management is a process and a approach to security control. The main logic is to mitigate risk, and consider all aspect of the operation. What kind of risk will occur during the operation, and what will it cost the organization to be back at normal. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. Three tier approach is one of the ways to dive in. Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions. Tier 2 includes defining the mission, determine the security categories, incorporating information security requirements, and establish an enterprise architecture. Tire 3 include risk management framework.
The implementation of the multitiered risk management concept does ensure that residual risk is at its minimum possible level. Risk is evaluated at different levels in the organization hence proving vital in aligning the process with business goals and objectives.
I find that section 3.2 cutting baseline safety control is what I am most interested in, and is also most relevant to my current working environment. The tailoring process should be part of the overall risk management process. Based on my experience, it seems unlikely that smaller organizations will invest a large amount of time and/or resources in the clipping part of their control. They tend to imitate the “best practices” of large organizations, thus limiting their tailoring process. The most prominent point in this section is that organizations should not cancel safety control for operation convenience. This is another area in which smaller organizations may lack the mindset and process of security control. When critical control appears to be “wasteful”, it is hard to maintain, or it will “slow everyone down” until what has happened. If these control measures are in place, it can be prevented. The documentation process is also crucial for adjusting control measures. The keynote of risk management is very important for recording future business and system decisions.
The process of selecting and specifying security controls for organizational information systems including four step: selecting appropriate security control baselines; tailoring the baselines; documenting the security control selection process; and applying the control selection process to new development and legacy systems.
First, organizations first perform security control baseline while categorizing the information which determines the criticality and sensitivity of the information to be processed, stored, or transmitted by information systems. Next, according to the specific conditions within the organization, it need to modify and tailoring the baselines. Then, organizations need to documenting the security controls selection process, because it can help to implement risk management and review the related information eailer and in the future.Finally, organization will apply the control selection process to new development and legacy systems.
This document is very important for security and privacy controls. It helps us categorize and select the controls necessary for an organization. In the second section we learned about the risk management framework. To quote, “The RMF addresses the security concerns of organizations related to the design, development, implementation, operation, and disposal of information systems and the environments in which those systems operate.” The risk management framework outlines a continuous process where you categorize, select, implement, assess, authorize and monitor different risks. With this framework in mind, you can apply the appropriate security control for the risk. In section three, we learn how to use the families from section two to select and specify which controls you apply. It helps us learn how to tailor the controls, document them and apply them.
To me, the documentation of the controls is the most important part. When reviewing the control in the future, you’ll have the documentation to refer to when assessing the control.
Hi Jonathan,
Thanks for your sharing. I also find that an important aspect of security and privacy controls for federal information systems and organizations is the process of identifying additional security controls that are required. An organization can use a requirements definition approach or a gap analysis approach when selecting controls and control enhancements to supplement the initial baseline. For the requirements definition approach, the organization obtains specific and credible threat information or makes reasonable assumptions about the activities of the adversary. Understanding the capabilities of the adversary will enable the organization to strive to achieve a certain level of defense capability or network readiness.
The NIST 800-53r4 publication provides a catalog of security and privacy controls for federal information systems. NIST 800-53r4 has a process for selecting controls to protect organizational operations. There are three steps in selecting security controls:
(Step 1) Determine Baseline Controls
– Determines if you need to implement low, moderate or high controls for a particular system
(Step 2) Tailor the controls:
Not all security controls can be used because they may break your system. And in some cases they are simply not applicable.
There are also Common Controls, Hybrid controls, and system specific controls.
Common Controls:
– Organization-Wide
– Organization Owned
– Inheritable
– Example: (Physical Controls) Security Cameras, Fences, Mantraps
Specific Controls:
– Information System Owner
– Technical
– Not inherited
– Example: AU Controls on a Linux System
Hybrid Controls:
– Mixture of Common + Specific Controls
– Example: Incident Response Controls
(Step 3) Document the Controls
– Use a System Security Plan to Document the controls
– Then get it authorized by a higher level
This is a very helpful breakdown when understanding the steps of selecting security controls. It is very interesting to see how many different common, hybrid and system specific controls there are. Most things should fall under the standard control groups; however, these one-off type controls, if not maintained, could be the reason the whole thing comes down.
I think an important point from NIST 800-53r4 is in section 2.6 where it explains Assurance and Trustworthiness. As we rely more and more on information security tools, we have to believe that the tools we create behave according to how we design them. Two main points of trustworthiness are Security Functionality and Security Assurance. Security Functionality is the services and security features implemented within organizational information systems and their subsequent environments. Security Assurance is how we measure our confidence that the security functionality was implemented correctly. On paper, you can have top-notch security functionality, but if security assurance fails, then that poses a problem with trust in the system that was created. Those who create security functionality should provide confidence in their work to ease the minds of others using the systems.
Trustworthiness is a crucial aspect, since we cannot implement a security control that we are not sure works right or as per our requirements. This applies to all systems and IT environments within each organization.
In section 2.5 the issue of outsourcing through vendors is addressed. It is a great challenge to align the security and privacy controls of an external organization with your own. Hence, this publication tries to help organizations overcome not only the challenges listed below but many others too:
• Defining the types of external information system services provided to organizations;
• Describing how those external services are protected in accordance with the information security requirements of organizations; and
• Obtaining the necessary assurances that the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of the external services is acceptable.
Above all, it comes down to the level of trustworthiness between the organizations since some service provisions can result in there being a non-explicit agreement with the provider. However, the publication notes that the risk responsibility still lies with the authorizing officials of the outsourcing organization.
Hi Humbert,
Outsourcing is sometimes a necessary aspect of organizations. Unfortunately, proper security controls should be in place because outsourcing adds another point of entry to the organization. See what happened to Target only a few years ago.
This publication lists various security controls for federal systems to aid in protecting them from hostile cyber attacks, natural disasters, structural failures, and human errors. The controls listed were designed to be technology-neutral, meaning that they focus on fundamental safeguards necessary to protect information while in process, in storage, and during transmission. One key feature in the reading was baselining. A security control baseline must be established before specifying which security control to implement on a system. The baseline is based on the FIPS 200 impact level that was given to a particular system. Certain factors are considered when determining a baseline for an information system, such as the physical location where the information system is located, the type of information that is being stored/processed, the nature of operations conducted by the organizations, or the types of threats facing the organization. Once the baseline is established, proper security controls can be tailored around that baseline to properly protect the information.
Hi Anthony, thanks for the summary on security control baselining. I agree it is an important step in the control selection process and helps set the stage for any countermeasure implementation that may come out of the control selection. Baselines allow organizations to determine their risk posture and how to prioritize control improvements given the various factors surrounding specific information and information systems.
One key point that I took away from this reading is the multitiered risk management. The three-tiered approach is integrated with the risk management process throughout the organization and addresses business concerns with the objective of continuous improvement in the risk-related activities and inter-tier and intra-tier communications. The three tiers at which risk management should be addressed are: the organizational tier, the business process tier, and the information systems tier. Figure 1 in the book highlights the three tiers and the flow. Tier 1, the organizational tier, prioritizes missions/business functions, which drives investment strategies and funding decisions. Tier 2, the business process tier, defines the missions/business processes needed to support the organizational mission/business functions, determines security categorizations, incorporates information security requirements, and establishes an enterprise architecture. Tier 3, the information systems tier, is central to the risk assessment process and is dependent on the correct and consistent allocation of security, including common controls, across the other tiers in order to operate efficiently.
It is important to have the most cost-effective and appropriate security controls for organizations to mitigate risk and follow the regulations. Many documents have mentioned that organizations need to select the most appropriate security controls to mitigate the risk to an acceptable level. However, it is not easy for every organization to achieve this aim. They need to understand the starting point to select the correct controls. As NIST 800-53r4 mentions, baseline controls can help the organizations to complete the selection process, and they need to identify what impact level their information systems use, from low-impact to high-impact. Most of the organizations will start by assessing the high-impact level and put many resources into controlling the risk, and sometimes they may ignore the low-impact level because it may not affect the operation. In doing so, they need to have a very useful risk assessment to select the security baseline controls, and the risk assessment needs to be sufficient to protect the organizational operation and resources.
This reading is the background and process outline for choosing security controls after the information and information systems have been classified into risk categories. An important point I took from the reading was related to how security controls can be layered as organization-wide common controls, hybrid controls, or system-specific controls. These tiers allow organizations to be more streamlined in their controls and not repeat controls for every information system used. For example, each control has a policy component and an operational component. The policy can be designated at the organizational level. For example, security training and awareness can be designated at an organization level while mobility controls can be designated at a system-specific level.
This publication provides insight into the second step of the NIST cybersecurity risk framework for selecting security controls after a system has been categorized as a low, moderate, or high impact system. It provides a list of the seventeen control families and a catalog of controls that a system should implement based on the impact categorization. This assessment establishes a baseline of security controls that keep an information system well protected from various types of threats, whether internal, external, or man-made. Additionally, some systems may need more controls than what the baseline suggests due to a number of factors such as the data that is being processed or stored, the nature of the business, etc. This exercise should be performed periodically, adding or removing security controls as necessary to minimize the risk the system faces.
The multitiered risk management section was the biggest takeaway from this document. Oftentimes we get lost in the idea that the security we are implementing is to protect the information systems or data. While that is true, it runs deeper than that, as security protects information systems, business processes and the organization as a whole. It takes both strategic risk as well as tactical risk into account, and being able to address both of these is the goal of security. The documents are very detailed because the more transparent and traceable any risk is, the higher the chance that the security team is able to find the issue quickly and resolve it. If it is hard to trace, the team or auditor will not be able to hold anyone accountable, leading to more problems. Resolving the threat or issue is the first step, but if a team is unable to figure out where it came from and who it falls under, it leaves the organization vulnerable to the same thing happening in the future.
One of the key takeaways from the reading is developing the security and privacy assessment plans, which are used to provide objectives and a roadmap on how to conduct the assessment. They can either be a conjoined plan or distinct plans, depending on the organization’s needs. They can be developed by:
– determining the scope for what security and privacy controls/control assessments are to be included; it should contain the contents of the plans, the purpose, and the scope of these assessments
– defining what procedures will be used during these assessments, which can be based on what security and privacy controls/control enhancements are named within the scope
– tailoring the selected procedures, including the depth of the assessments and the coverage attribute levels
– developing any additional procedures to address security/privacy requirements not already covered by NIST 800-53
– optimizing the assessment procedures to reduce wasted resources and duplication of assessments and provide more cost-effective solutions
– finalizing the assessment plans and obtaining the necessary approval needed for execution
I feel like these planning instructions are useful to identify before executing the plan to help the organization assess and only use needed resources. This can help save time and money and narrows down our areas of focus.
For modern enterprises, information security is essentially a problem of risk management; risk management is based on the assessment, processing and control activities of information security risks. Risk management is the process of identifying risks, assessing risks, taking measures to reduce risks to an acceptable level, and maintaining this level of risk. The core content of information security management is risk management, so we tend to summarize information security management by risk management. Like the information security management process, risk management is also a dynamic, developing and cyclic process. So-called risk management is a continuous closed loop of risk assessment, risk reduction and risk acceptance. So-called information security management is a process of constant self-improvement based on the security risks, so we often say that information security is based on risk management. Risks can only be controlled and reduced, but not eliminated. There is no such thing as absolute safety or zero risk in the real sense.
Hi, Junhan. Thank you for sharing. I agree that information security is a vital problem. This document mainly provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.
This document mainly provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs.
This document does a great job of listing different security controls for federal systems to help protect them from cybersecurity threats, attacks, natural disasters, and technical and human errors. All of these controls are designed to be neutral when it comes to technology focus. One of the important aspects mentioned was baselining. A security control baseline must be established before specifying which security control to implement on a system. The baseline is based on the FIPS 200 document, with the impact level that was given to a particular information system. Some factors are considered when determining a baseline for an information system, such as the exact physical location where the information system is located, the type of information/data that is being stored and processed, and the kind of operations conducted by the organizations involved.
Hi, Prince. I agree that a security control baseline must be established before specifying which security control to implement on a system. The baseline controls can help the organizations to complete the selection process, and they need to identify what impact level their information systems use, from low-impact to high-impact. When the organizations understand what the baseline is for their security purpose, they can mitigate the risks.
The key takeaway I took from this publication is the criticality of identifying the controls you want to implement as an IS professional. It further highlights the importance of understanding your own business and business processes to correctly select the controls that will boost your InfoSec and reduce your risks. The goal of the document is not only to index the controls for 17 control families, but to give a deeper insight into implementation details such as dependencies and by giving detail into assignment and selection statements which provide “greater specificity to the control.” The controls are designed in such a way that, for the most part, they do not apply to any one particular technology, to expand the applicability of the control.