Kelly Sharadin says
In my role as a security consultant, I often conduct risk assessments and security audits. I am familiar with NIST SP 800-53, but I found some helpful guidance in 800-53Ar4, Appendix C, regarding assessment methods. I liked the basic, focused, and comprehensive testing breakdown and their descriptions. Not all clients require comprehensive testing, and being able to tailor assessments based on requirements is helpful. I found last week’s class exercise beneficial in making NIST actionable. I am comfortable referencing NIST to reinforce my recommendations to clients; however, taking a deeper dive into the appendices has added an additional layer of support to my assessments.
Kyuande Johnson says
NIST 800-53Ar4 mentions effective methods of developing security and privacy assessment plans:
- Organizations select compensating controls from Appendix F; if appropriate compensating controls are not available, organizations adopt suitable compensating controls from other sources;
- Select the appropriate assessment procedures to be used during assessments based on the security or privacy controls and control enhancements to be included in the assessments;
- Develop additional assessment procedures to address any security requirements or privacy requirements or controls that are not sufficiently covered by Special Publication 800-53.
Andrew Nguyen says
One of the takeaways from this reading for me was the importance of security and privacy assessments within the software development lifecycle. I think a lot of times security is not a major focus during development, and for many (private-sector) organizations security is just not as important compared to putting out new features and time to market. For federal information systems, it makes sense that security is a higher priority, which is shown by security and privacy assessments being emphasized as a part of the software development lifecycle.
Antonio Cozza says
I like that you pointed this out, Andrew; I would have to agree largely with this sentiment. I see this type of thing all over the place on a regular basis as a penetration tester. The most common thing found in the wild, outside of insecure Active Directory trusts, is a buffer overflow (BOF), which at the most general level is an attack that can be performed as a result of insecure memory access functions in code. The fact that it is the most common item found really highlights this idea. It becomes a nested issue, as transforming enormous amounts of old code written many years ago in massive organizations is simply too expensive and time-consuming for most.
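The "insecure memory access functions in code" point above is easiest to see side by side. The following is an added illustration, not code from the original thread or from NIST: the classic stack buffer overflow pattern (an unbounded strcpy into a fixed-size buffer) beside a hardened version that checks the length before copying and refuses input that does not fit. The function names, the 16-byte buffer size and the sample inputs are all assumptions chosen for the example.

```c
/* Added illustration, not code from the original thread. Shows the
 * classic stack buffer overflow (unbounded strcpy into a fixed buffer)
 * beside a hardened copy that bounds the write. The names
 * copy_username_unsafe / copy_username_safe, NAME_LEN and the sample
 * inputs are assumptions for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* VULNERABLE: strcpy copies until the NUL terminator with no regard for
 * the NAME_LEN-byte destination. Attacker-controlled src longer than
 * NAME_LEN-1 characters writes past the buffer, corrupting adjacent
 * stack data (on classic targets, the saved return address). This is
 * undefined behaviour; it is kept here only to show the pattern and is
 * never called with oversized input below. */
void copy_username_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* HARDENED: reject input that does not fit (including the terminator),
 * then copy with an explicit bound and force NUL termination.
 * Returns 0 on success, -1 if the input would have overflowed dst. */
int copy_username_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;              /* would overflow: refuse rather than truncate silently */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    const char *ok = "alice";                                    /* constructed sample input */
    const char *attacker = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes, constructed */

    if (copy_username_safe(name, sizeof name, ok) == 0)
        printf("accepted: %s\n", name);
    if (copy_username_safe(name, sizeof name, attacker) != 0)
        printf("rejected: %zu bytes do not fit in %zu\n",
               strlen(attacker), sizeof name);

    /* copy_username_unsafe(name, attacker) would smash the stack here. */
    copy_username_unsafe(name, ok);   /* safe only because "alice" fits */
    return 0;
}
```

The hardened version returns an error instead of truncating because silent truncation can itself become a bug (a shortened path or username may refer to a different object than the one the caller intended); whether to reject or truncate is a design decision that should be made explicitly, which is exactly the kind of thing an assessment procedure can check for.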
Patrick Jurgelewicz says
It is important to remember that today’s threat environment is constantly changing and evolving, so a static business plan would quickly become outdated. As a result, organizations must continually assess their security and privacy controls to ensure they are up to date with the latest standards and are effective against modern threats. Analyzing the results of these assessments will show where a business is lacking and how it can improve its policy and controls.
Dan Xu says
Hi Patrick,
I agree with you that in order to ensure they are up to date with the latest standards and effectively defend against modern threats, organizations must continually evaluate their security and privacy controls. Risk acceptance decisions, on the other hand, are directly related to an organization’s risk tolerance, which is defined as part of an organization’s risk management strategy.
kofi bonsu says
Hello Patrick,
I totally agree with your assertion that today’s threat environment is constantly changing and dynamic, given the comprehensive list of essential network security controls mapped to NIST 800-53 requirements: Inventory of Authorized and Unauthorized Devices; Continuous Vulnerability Assessment and Remediation; Maintenance, Monitoring, and Analysis of Audit Logs; and Secure Configurations for Network Devices. Those things mean that regulatory compliance requirements are always being updated, are difficult to interpret, and make it hard to achieve meaningful results in the end.
Victoria Zak says
Hi Patrick!
IT is changing every single day. It is important for IT to be on top of what is changing, what new updates are out, and what software/updates are outdated. Mirroring security controls with the latest standards reduces the risk to the environment and allows vulnerabilities to be addressed in a timely manner.
Lauren Deinhardt says
Hi Patrick, I like what you are saying here. This also highlights the importance of an organization scheduling regular (annual, or even semi-annual if there are sufficient resources) penetration/red team testing. Like you said, the threat landscape is constantly evolving, so it is important that information systems are constantly being tested against adversarial attacks.
zijian ou says
Keeping alignment is always the key when developing information security as the foundation; this will help avoid unnecessary errors and mistakes. The 800-53A publication provides a guideline on top of that alignment and development, which will help to build any successive plans. It also provides the set of procedures to support and define the effectiveness of privacy controls. I also found that 800-53A targets a more diverse group of systems, which enlarges the performance and results in more accessibility.
As a result, there has been a lot of growth and development as organizations or individuals have taken more interest in privacy controls; new features are more accessible during the development cycle.
Madalyn Stiverson says
For developing a security and privacy assessment plan, there are a few steps you should take.
* Determine the scope of the assessment. What security and privacy controls should be included?
* Select the appropriate method of completing the assessment, based on the type of control you are analyzing. These are outlined in great detail within the publication, so you can start there if you need ideas.
* Tailor the assessment procedure as needed (select appropriate scope, depth, and method of assessment).
* Develop additional assessment techniques as needed which go above and beyond what is outlined within this publication.
* Optimize the assessment method in order to reduce duplication of effort.
* Finalize and obtain approval of the assessment plans.
Vraj Patel says
Hello Madalyn,
That’s a great post. That sure is a great start to creating a security and privacy assessment plan. In addition to that, I would also recommend having that plan reviewed at least annually to update any necessary information within it.
Dan Xu says
NIST 800-53r4 provides the six steps of the RMF, which address the security of organizations associated with the design, development, implementation, operation, and disposition of information systems and the environments in which those systems operate. What I consider critical are steps four and six. Evaluating security controls determines the degree to which they are implemented correctly and operate as intended while producing the desired results that meet the security requirements of the system. On the other hand, continuously monitoring security controls in information systems and operating environments ensures that controls are effective and up to date. This can be done for security controls with a more clearly defined organizational structure.
Dan Xu says
Fixed: Security and privacy functions can address a variety of areas, not just technical means, physical means, or procedural means, or any combination of them. This approach allows the organization to have a good understanding of the relationship between controls, as well as to understand deficiencies and potential risks, although the existence of these methods may lead to a more complex assessment. This is because the greater the number of controls included in the organization, the more difficult it is to determine the root cause of a failure. In the event that a control is found to contribute neither to the identified capability nor to the overall safety of the system, the organization will revisit the RMF steps.
Antonio Cozza says
I was intrigued to see Appendix E, Penetration Testing, of NIST SP 800-53Ar4. I think this should hold high weight for many organizations, as it can be a critical tool in identifying low-hanging fruit and enabling an organization to target their most vulnerable aspects that are most exploitable. The subtle idea pointed out in the appendix, that vulnerability scanning is just not enough, really resonates, as it is quite easy to see and rather common that many organizations attempt to buy security solutions and perform many scans, but often fail to target poor configurations, which are widespread and most common today in Active Directory trusts, which 95% of organizations use daily.
Kelly Sharadin says
Hi Antonio,
I have also been finding the appendices to be interesting and valuable resources for tactical engagements. I would also agree that vulnerability scanning is not enough, especially if the findings are never remediated. Second, they can provide a false sense of security due to zero-day vulnerabilities that would not materialize during routine vulnerability scanning. Nice Post!
Kelly
Vraj Patel says
The purpose of NIST 800-53Ar4 is to provide the guideline to effectively build the security assessment plan. One of the areas where this guideline would be most helpful is during step 4 of the risk assessment. It could assist in assessing the controls that are being implemented. It also assists in identifying the importance of an organization-wide strategy for conducting the security assessment. It would also be helpful during the system development life cycle to continuously assess the controls to ensure they are properly securing the information systems.
Victoria Zak says
In this article’s reading, I liked seeing how to prepare for security and privacy control assessments. In order to make the assessments successful, the information system owners, common control providers, authorizing officials, CIO, senior information security officers, senior agency officials for privacy/chief privacy officers, chief executive officers/heads of agencies, security and privacy staff, inspector general, and OMB must work together and ensure the information system has the set of expectations.
However, in order to prep, you must obtain an understanding of the organization’s operations and the structure of the information system, identify the responsibilities for the development and implementation of common controls supporting the controls, meet with the appropriate organization officials, obtain artifacts needed for the assessment, establish appropriate organizational points of contact needed to carry out the assessment, and develop security and privacy assessment plans, which may be integrated into one plan or developed separately (pages 15 and 16).
kofi bonsu says
Admittedly, I was absolutely impressed by the article’s point that security control assessments and privacy control assessments are not just checklists, seen only as pass-fail results or as generating paperwork to pass inspections or audits; rather, such assessments are primarily regarded as a mechanism used to confirm that implemented security controls and privacy controls are satisfying their stated goals and objectives. The article further stated that Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, is intended to enable security control assessments and privacy control assessments to be performed within an effective risk management benchmark. The control assessment outcomes offer organizational officials categorical evidence of the effectiveness and efficiency of implemented control measures within an organization, give a hint of the quality of the risk management processes adopted within the organization, and provide information about the strengths and weaknesses of information systems supporting organizational missions and business functions in a global environment of sophisticated and changing threats.
Olayinka Lucas says
NIST SP 800-53 r5 (security and privacy controls) is usable by every entity, irrespective of size, sector, and environment, to maintain the safety of its information systems and mitigate privacy risks. The rules can be customized and implemented as part of a firm-wide process to manage attacks, deliberate human consequential errors, natural disasters, system failures, foreign attacks, and privacy risks.
The primary objective of NIST is to enable industry best practices (also known as standards) for organizations and government agencies to comply. These standards are created to improve the security standing of government agencies and private businesses that handle government data.
Michael Jordan says
One key point I took from NIST 800-53Ar4 is that it is important for organizations to have (and for auditors to assess) written policies regarding information security controls.
This is a key point that I took from the publication because for nearly every security or privacy control that an auditor would assess, there was a separate assessment objective for locating and auditing the policy that corresponds to that physical/technical control. So, even if an organization has all the proper security controls in place, they would fail an audit completed using NIST 800-53Ar4 if they did not have written policies stating that they had these controls in place and outlining the structure of them.
An auditor might not know if a security/privacy control is in place without a written procedure because an admin/employee might forget to tell them, especially if there are many controls being used. Vice versa, if a control is in place, an auditor may not know if it is being properly used (based on how the organization planned on using it) if there is no policy outlining the purpose and scope of the control.
Lauren Deinhardt says
One key takeaway from this reading is the concept that security/privacy assessments/audits are not a ‘one size fits all’ solution. A comprehensive security assessment is conducted based on three overarching factors: the security categorization of an information system (using the FIPS 199 framework guidelines), the level of assurance an information system is expected to meet (e.g., a medical institution might need HIPAA insurance versus a federal military branch), and the security/privacy controls implemented using NIST 800-53 baseline controls. As an IT auditor, it is important to gather this type of information beforehand, possibly during a surveillance period, and then structure an audit tailored to the needs of a client/organization.
Michael Jordan says
Hi Lauren,
I agree that the security categorization of a system’s information, the specific type(s) of information at hand, and the controls required to safeguard that information from the different entities involved (and not involved) all play a role in a security assessment. It is almost starting to become repetitive how important security categorization and information inventorying are, but these things are truly the foundation for creating and assessing security controls and an overall security plan.
-Mike