In my opinion, privacy and security are two sides of the same coin. However, privacy is its own discipline, and not all information security or IT professionals possess a deep understanding of it. With increasing privacy regulations, clearly defined and accessible frameworks are a tremendous asset for organizations. Appendix J: Privacy Control Catalog of NIST SP800-53 follows a similar structure to the security control families and is helpful to assess and develop a privacy baseline by providing further insight into how controls are implemented. For example, Appendix J provides supplemental guidance on how to create a privacy impact and risk assessment.
NIST 800-53r4 provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations. A compensating control is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time. An example of a compensating control is separation of duties: an employee should not have access to both the payment and the financial reporting systems.
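The separation-of-duties rule in the post above (no single person should hold both the payment and the financial-reporting access) is the kind of control that can be checked mechanically. The following is an added example, not code from the post or from NIST: the conflict matrix, the roles, the entitlement names and the users are all constructed for illustration. It shows both the detective form (audit existing role assignments for toxic combinations) and the preventive form (refuse a new role grant that would create one).

```python
# Constructed toxic combinations: pairs of entitlements one person must not hold together.
CONFLICTS = {
    frozenset({"payments.submit", "payments.approve"}),
    frozenset({"payments.submit", "finreport.publish"}),
    frozenset({"vendor.create", "payments.submit"}),
}

# Constructed role model: each role maps to the entitlements it grants.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"payments.submit", "vendor.view"},
    "ap_manager": {"payments.approve", "vendor.view"},
    "fin_reporting": {"finreport.prepare", "finreport.publish"},
    "vendor_admin": {"vendor.create", "vendor.view"},
}

# Constructed user-to-role assignments (carol and dave hold conflicting roles).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "fin_reporting"},
    "carol": {"ap_clerk", "fin_reporting"},
    "dave": {"ap_clerk", "ap_manager"},
}


def effective_entitlements(roles, role_entitlements=ROLE_ENTITLEMENTS):
    """Flatten a user's roles into the set of entitlements they actually hold."""
    ents = set()
    for role in roles:
        ents |= role_entitlements.get(role, set())
    return ents


def conflicts_in(entitlements, conflicts=CONFLICTS):
    """Return every toxic pair that is fully present in the entitlement set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= entitlements)


def sod_violations(user_roles=USER_ROLES):
    """Detective check: audit existing assignments and list (user, ent_a, ent_b) violations."""
    found = []
    for user in sorted(user_roles):
        for ent_a, ent_b in conflicts_in(effective_entitlements(user_roles[user])):
            found.append((user, ent_a, ent_b))
    return found


def can_grant(user, new_role, user_roles=USER_ROLES):
    """Preventive check: would adding new_role create a toxic combination for this user?"""
    roles = set(user_roles.get(user, set())) | {new_role}
    problems = conflicts_in(effective_entitlements(roles))
    return (len(problems) == 0, problems)


if __name__ == "__main__":
    for violation in sod_violations():
        print("SoD violation:", violation)
    print("grant vendor_admin to alice:", can_grant("alice", "vendor_admin"))
    print("grant vendor_admin to bob:", can_grant("bob", "vendor_admin"))
```

In practice the conflict matrix comes from the business owners of the processes, and the role and user data would be pulled from the identity provider; the logic above stays the same. Running the preventive check at provisioning time is what keeps the detective audit report short.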
NIST SP 800-53 lays out what technical and personnel controls need to be established in an organization to prevent cyber attack exploitations, protect user privacy, and recover from any adverse situations. By providing a baseline control catalog, this document can be adapted and built upon by different organizations and businesses to create a secure and efficient business environment. This document can also be referenced by organizations to determine if their current policy has implemented the controls listed, and how they can plan to implement them if needed.
One of the key takeaways from this reading for me was how to approach achieving adequate information security. Here are some of the points from the reading:
1. Clearly articulated security requirements and security specifications
2. Sound security principles
3. Sound security practices
4. Continuous monitoring
5. Planning
I think that all of the points here make sense, are easy to understand, and potentially easy to enforce/implement. However, none of these things are particularly glamorous or sound like ‘fun’. This may make it harder for individuals to actually perform the tasks, even though they are important. In security, all of the simple and little things add up to create a secure system, and I think this enforces the idea that the ‘weakest-link’ in the security chain is usually human error.
A couple of interesting things I took away from this document were that, for one, it applies to multiple information security positions, such as individuals with system development responsibilities, individuals with assessment and monitoring responsibilities, and others. Another thing I found informative was that the document is set up to provide information about security and privacy assessment throughout multiple stages of the system development life cycle. It also mentions the concept of tailoring, where the security controls can be adjusted from their baseline, and it is important to establish a baseline before applying any adjustments.
Organizations use FIPS Publication 199 to classify their information and information systems as part of their organizational responsibilities. Security classification is accomplished as an organization-wide activity that requires the involvement of senior corporate personnel, including, for example, the authorizing official, chief information officer, senior information security officer, information owners and administrators, information system owners, and risk managers. Information is categorized as Tier 1 (organizational level) and Tier 2 (task/business process level). According to FIPS Publication 200, organizations use the security classification results for Tier 1 and Tier 2. Designate organizational information systems at Tier 3 (information system level) as low-impact, medium-impact, or high-impact. Medium-impact or high-impact systems.
Hi Zijian,
I agree with you that security classification is done as an organization-wide activity that requires the involvement of senior corporate personnel. The senior corporate staff needs to assess the extent to which the security controls are implemented correctly and are functioning as intended, while producing the desired results that meet the system security requirements. On the other hand, controls for real-time supervision also need to be time-sensitive.
Under the identification and authentication section, it goes over some best practices. See below for a summary of some of these best practices:
* This includes implementing MFA for both privileged accounts and regular accounts. MFA should consist of at least 2 of the following: something you are, something you know, and something you have. The reading recommends receiving a token on a device separate from the device you’re logging into (e.g., receive a token on your phone when trying to log in to your laptop). Also, the token you receive should be randomized every time, so hackers can’t reuse tokens that were just used to gain access.
* When shared accounts are used, force the user to identify and authenticate himself before gaining access to the group account.
* Single sign-on is both a benefit and a risk. It allows you to sign on once and gain access to multiple systems, which might be dangerous. However, it also allows you to sign on once with MFA before gaining access to systems that may not natively work with MFA.
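The first bullet above makes two points about the "something you have" factor: the code comes from a separate device, and a code that has already been used must not work a second time. The following added example (not from the post or from NIST) shows the server side of that property with an RFC 4226 HMAC-based one-time password: the verifier tracks the next expected counter, and once a code is accepted it advances past it, so the same code submitted again is rejected. The choice of a counter-based OTP, the look-ahead window of 3, and the shared secret (the RFC 4226 test-vector key, not a real credential) are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1 with dynamic truncation)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user's token: the secret shared with the device
    ("something you have") and the next counter value the server expects."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.next_counter = 0
        # Tolerate a few codes that were generated on the device but never submitted.
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                # Advance past the consumed counter: the same code, or any earlier
                # one, now fails. This is the anti-replay property the post describes.
                self.next_counter = counter + 1
                return True
        return False


def demo() -> list:
    # Constructed secret: the RFC 4226 Appendix D test-vector key, not a real credential.
    secret = b"12345678901234567890"
    verifier = OtpVerifier(secret)
    first = hotp(secret, 0)
    return [
        verifier.verify(first),             # fresh code for counter 0: accepted
        verifier.verify(first),             # same code replayed: rejected
        verifier.verify(hotp(secret, 1)),   # next code in sequence: accepted
        verifier.verify(hotp(secret, 9)),   # far outside the look-ahead window: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual trade-off: too small and a user who pressed the button a few times without logging in gets locked out; too large and an attacker who learned one old code gains more chances. Real deployments also rate-limit failed attempts, since a six-digit code is brute-forceable if the server answers unlimited guesses.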
The assignment of specific values to organizationally defined security control parameters through explicit assignment and selection statements mentioned in NIST 800 53r4 may require supplementing the baseline with additional security controls and control enhancements because the tailoring process, as an integral part of security control selection and specification, is part of a comprehensive organizational risk management process. Approval of customization activities needs to be coordinated by the authorizing official with selected organizational officials prior to the implementation of security controls. This means that the criteria for the selected organization officials also need to be accurate and multi-dimensional. On the other hand, organizations do not remove security controls for operational convenience. Customization decisions regarding security controls are based on business requirements and are accompanied by clear risk-based decisions.
The security controls are selected based on the security categorization of the information system. After selecting the applicable security control baseline, organizations apply the tailoring process to align the controls more closely with the specific conditions within the organization (i.e., conditions related to organizational risk tolerance, missions/business functions, information systems, or environments of operation). The tailoring process includes: identifying and designating common controls in initial security control baselines; applying scoping considerations to the remaining baseline security controls; selecting compensating security controls, if needed; assigning specific values to organization-defined security control parameters via explicit assignment and selection statements; supplementing baselines with additional security controls and control enhancements, if needed; and providing additional specification information for control implementation if needed.
My takeaway from NIST SP 800-53R4 is from the section on privacy requirements for federal information systems and organizations. The revision includes 8 new sets of controls to safeguard privacy as a result of the increasing usage of social media, mobile, and cloud computing, and the privacy complications that arise with them. The eight new control types are: Authority and Purpose; Accountability, Audit, and Risk Management; Data Quality and Integrity; Data Minimization and Retention; Individual Participation and Redress; Security; Transparency; and Use Limitation. The usage increase of the previously mentioned items further complicates the federal requirements for providing and ensuring both security and privacy.
Hello Antonio,
I am in agreement with you regarding your privacy analysis. However, data privacy becomes harder to handle when you factor in things like the Internet of Things, bring-your-own-device IT policies, and proliferating internet-connected tablets, phones, and watches. When you bring more devices into the workplace, you end up having more data to manage. In that regard, your organization must be able to manage compliance and data privacy from any source, different operating systems, and multiple apps. To solve this, one needs to ensure that the organization has the right data governance procedures in place.
NIST 800-53 Rev 4 includes the controls to secure the information systems. These controls secure the information systems at different levels: the operational, technical, and management levels. The purpose of NIST 800-53 Rev 4 is to maintain the confidentiality, integrity, and availability of the information system. It also includes the Risk Management Framework, which is a six-step process. Step 1 is to categorize the information systems. Then, in step 2, select the appropriate controls to secure the information systems. Step 3 includes implementing those controls. Security controls then get assessed as part of step 4. Step 5 includes authorizing those controls. The final step, step 6, is continuous monitoring of that process.
One key takeaway of this publication is that it offers a series of security and privacy controls for federal information systems and organizations and a process for establishing measures to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from different categories of threats, including hostile cyber-attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and developed as part of an organization-wide process that handles information security and privacy risk within the organization.
Security and privacy controls have three implementation approaches: a common control implementation approach, a system-specific control implementation approach, and a hybrid control implementation approach (Page 11).
Control implementation - defines the scope of applicability for the control, the shared nature or inheritability of the control, and the responsibilities for the control development.
System-specific controls - primarily the responsibility of the system owner and authorizing official for a given system. Implementing system-specific controls can introduce risk if the control implementations are not interoperable with common controls.
Hybrid controls - introduce risk if the responsibility for the implementation and ongoing management of the common and system-specific parts of the controls are unclear.
Hi Victoria,
This is a very good post – it is important to differentiate how security controls are implemented in general ways and also in more specific (system specific) ways. Many policies and security controls are implemented in a generic way and further enhanced after assessing the specific uses and goals of the system being secured.
-Mike
One key point that I took away from NIST 800-53r5 is that if all controls deemed necessary for a business (based off of security categorizations, industry, etc) are not in place, a business is not secure. This may seem obvious (which to many, it is), but creating and maintaining a perfect security environment is not as easy in practice as it is in theory.
For example, an organization can have the most IS-aware employees but still have a breach if audit and accountability (3.3) or maintenance (3.9) are not perfected. These two controls are especially hard to perfect because of how fast the outside threat environment adapts, especially when the organization is a government entity or could be seen as having valuable intellectual property, such as biomedical, technical, or military organizations. On the other hand, an information system could have a large team of very smart IT admins and professionals, but if the endpoint users are not sufficiently aware and trained (3.2), human error could easily become a vector for a breach.
Besides the two above examples, any security or privacy control not being perfectly implemented could result in a breach. With that being said, perfection is something that is hard to achieve in any aspect of business (and life, for that matter), which is why risk management and prioritization are used – to get the risk down to a point that meets the threshold deemed acceptable or that will be accepted for transfer by an insurance company.
The critical takeaway from the publication is that NIST 800-53 r4, now revision 5, is the baseline for implementing security controls within any organization handling private or public data. The initial 18 control families, now 20 in number, are the gold standard for data privacy and security implementation and have served as controls that IT auditors must test before a security pass mark can be given to any organization as being secure.
While organizations are recommended to follow the NIST compliance, most are not required to. All Federal government agencies must follow NIST standards 100% because NIST is a subcomponent of FISMA implemented by the OMB. Contractors working with the government must adhere to NIST requirements, while those with a history of NIST non-compliance could be excluded from government contracts. Compliance is, however, not mandatory for other businesses in the private sector.
Following NIST helps protect your systems from breaches caused by malicious attacks and human error, and helps with benchmarking against regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
Hi Olayinka, thanks for your post. I like how you tied in FISMA and HIPAA with the overarching NIST framework. NIST provides a strong baseline for security compliance frameworks like those you mentioned, in addition to PCI DSS, ISO 27001, and many others. It is crucial that all information systems follow the NIST 800-53 publication best practices to ensure data of all types is secure.
One takeaway from this reading is the importance of implementing controls of high trustworthiness. As defined in the publication, trustworthiness is the determination that a control is worthy of being trusted to fulfill its requirement. Both the functionality (operating capability) and the assurance of a control determine its overall trustworthiness. Assurance involves confirming that a control was implemented correctly, is operating as intended, and is producing the desired outcome. Measurement of trustworthiness is done during audits (e.g., FedRAMP and ISO 27001 audits), in order to give information system owners and stakeholders confidence in the security of their assets.