A key point from the NIST SP 800-53r4 “Security and Privacy Controls for Federal Information Systems and Organizations” document was the discussion of multitiered risk management. The document notes that multitiered risk management helps to integrate the risk management process throughout the organization, as well as to ensure risk management acknowledges mission and business concerns. The tiers are as follows: organization (tier 1), mission and business processes (tier 2), and information systems (tier 3). Tier 1 stood out to me, as this tier handles the highest-level management of risk, which includes prioritizing organizational missions and business functions, driving investment strategies and funding, promoting cost-effective solutions, and ensuring all these components are consistent with the strategic goals and objectives of the organization. This is an absolutely essential function that many organizations, especially those that treat risk management as a separate entity from the enterprise, often ignore. Organizations must integrate risk management into their business processes, and the multitiered risk management approach ensures that business operations and risk management are intertwined rather than siloed. Siloing these functions results in risk management not aligning with the organizational and strategic goals of the enterprise, which results in the risk management processes failing or not meeting the predetermined risk management standards.
This is an excellent point, Taylor. The multitiered approach to risk management can also help to foster a security-aware culture, which is necessary in developing and maintaining an adequate security posture.
In NIST SP 800-53r4 the document describes the process of selecting security controls while using the three-tiered risk management approach of organization (tier 1), mission/business processes (tier 2), and information systems (tier 3). This three-tiered approach allows continuous improvement of risk-related activities and makes it much easier to communicate with all of the stakeholders in the organization. After the risk categorization of the information systems has been performed, the security controls need to be selected. These controls are listed in this document in a neatly structured format that includes eighteen groups such as access control (AC), media protection (MP), personnel security (PS), and more. Using these groups of controls along with the system's categorization will help provide a baseline of how to protect the system. Lastly, these controls can be tailored to make sure the most cost-effective controls are being used while still protecting the system and being in compliance with any laws or regulations.
One of the key points from this publication is from the purpose of security and privacy controls, which is providing guidelines in stipulating security controls for establishments and supporting executive organizations. In order to attain information systems security, it is required to: enable a consistent method in specifying security controls for information systems; provide a firm collection of information regarding security controls in order to meet current information needs; provide groundwork for assessment procedures to determine security control efficiency, and communicate with organizations to provide knowledge in discussing risk management ideas.
One key takeaway I had from this publication is the two fundamental components of information systems. Security functionality is the different features that a security system has. These features may be things like the different mechanisms that are implemented. Security assurance is the level of trust an organization has in the system. This means whether it is working correctly, has the features implemented correctly, etc. There are security controls for both components. An example of functionality is SC-13, Cryptographic Protection. An example of assurance is CA-2, Security Assessments. These two components are essential for an information system to have.
A key takeaway I took away from this reading was decentralized and centralized information security governance structures. These are the two basic models of governance; it is very rare for companies to be entirely one type of structure. There is usually a hybrid structure that combines features from both structures to better fit the specific organization. Usually the characteristics selected are based on the company's mission, objectives, size, resources, existing IT structure, federal and internal governance requirements, budget, and the distance between and number of locations. Even after an organization has decided on its structure, it could change over time due to internal or external changes. In a decentralized structure, there are multiple missions, functions, and dispersed leadership. It's harder to communicate problems because there's a bigger disconnect, which is more common with bigger companies. There's a huge difference in governance needs for missions and functions. Centralized structures have more uniform practices, one main organizational mission, and direct lines of communication.
A key takeaway from this reading is on the topic of tailoring baseline security controls. As the name of the process suggests, once baseline controls have been selected, they may be modified to ensure controls are cost-effective and risk-based security aligns with the entity's business needs. This is not to say that controls should be removed for "operational or cost" convenience. All tailoring activities must be approved by authorization officials.
Lakshmi,
I agree. I also found the tailoring concept interesting, especially that the activities must be approved by the authorization officials. Hopefully the authorization officials will understand what they are approving.
A key takeaway from NIST 800-53 is an understanding of the way the document structures security controls. In the appendices of the document is a comprehensive list of security controls, and an ability to navigate the document alongside a familiarity with the way controls are structured is essential to implement those controls effectively. For each control, there is a description of the control and its implementation alongside nonbinding supplemental guidance. There is also a section on enhancements to the control which must be applied situationally based on the risk level of the information system. Finally, there is a reference section and a section covering the priority of the control and the baseline allocation of the control (reliant upon the risk level of the system).
Hi Mitchell,
I agree with the overall message from your takeaway. Properly documenting any and all audit work is extremely important. Our work always has to have purpose, methods, and evidence.
A key takeaway from the guidance is the importance of the security control structure, which consists of the following components: control section, supplemental guidance section, control enhancements section, references section, and priority and baseline allocation section. The control section states what the control is (the security or actions to be implemented by the organization). The supplemental guidance section includes background information or additional information important to the user that provides context to the control. The control enhancement section includes additional security procedures that can be layered on in order to strengthen or enhance the existing control. The references section includes applicable laws, regulations, and guidance that is relevant to the control. The priority and baseline allocation section provides prioritization, which helps determine which controls are most critical to implement first, including control enhancements. In my experience, operational controls typically do not include any additional information other than the risk and the control objective. I think the addition of supplemental information, control enhancements, and priority recommendations is critical to allow organizations to make informed decisions in order to be in the best position to safeguard the confidentiality, integrity, and availability of the data and information they possess.
One important piece of NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” that I have overlooked before is the assumptions that were made in determining the baselines. If any of the assumptions are false, the baselines may need to be modified. Some of the assumptions include: Information systems are located in physical facilities; User data/information in organizational information systems is relatively persistent; Some user data/information in organizational information systems is not shareable with other users who have authorized access to the same systems; Information systems exist in networked environments. The document also doesn’t address situations where there are insider threats, classified data in the information system, or APTs.
Jonathan – I agree with you. I was familiar with 800-53 before reading it in detail this week and I had not thought about the underlying assumptions. It shows that although 800-53 is a comprehensive library, it is not a “one-size-fits-all” solution for any given organization. I would imagine that when selecting controls for the first time, it would be imperative to have these assumptions in mind and understand and document any differences from the assumptions as well as rationale for how controls are tailored as needed.
One of the key takeaways of the NIST Special Publication 800-53 Revision 4 is the new development and legacy systems part. There are two different perspectives for new development and legacy. For the new development system, the security control selection process is applied from a requirements definition perspective. The organization conducts a security categorization, which is included in the security plan, and implements it into the system development life cycle. This perspective is for systems that do not yet exist. If the information systems already exist, the organization's security control selection process is applied from a gap analysis perspective. This legacy information system can apply the safety control selection process from the perspective of different analyses.
Hi To-Yin – The different types of analysis organizations must conduct for newly developed systems and legacy systems is illustrative of how fast-moving information technology is. Legacy systems can have a variety of security gaps that develop over time as new threats emerge, and it is not often possible to simply replace them. Rather, the organization must make a determination of their value vs. their risk, and evaluate other methods to mitigate the inherent risks in a legacy system if that system can’t be replaced.
NIST 800-53r4 section 2.5 outlined the challenges and guidelines when working with external service providers. "Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements, service-level agreements), licensing agreements, and/or supply chain exchanges." The expectations of the service provider and the responsibilities and accountabilities are the same as internal, in-house requirements, and external providers are subject to the same level of Risk Management Framework (RMF).
The takeaway that I had is that the very first step in the process is to classify the data according to FIPS 199. When the data is classified according to the CIA triad, then an organization can truly reflect on the risk mitigation and will have a better understanding of the risk approach. It was also interesting that external service providers could be used to satisfy some (either all, or hybrid) to help an organization with their security needs.
I thought the section discussing external service providers was really good in this reading. From my experience, I have seen a lot of management teams have a misunderstanding of the use of third parties and how final responsibility still must reside with the management of the organization who is using the external service provider. This reading made it really clear that the organization is still both responsible and accountable for the risks incurred by the information system services outsourced to third parties. It also made a good point, which I see regularly as well, that external service providers may also outsource services to other external service providers, which further increases the complexity of managing external services. I think this section is particularly good for management of organizations of all types to read and understand and it drives home the point that the contract is a really important tool to govern the relationship with an external service provider.
I found the section on external service providers interesting as well. I find all too often that organizations do not take recurring reviews of external providers as seriously as they should until there is an issue with the tool or service. For example, carefully reviewing SOC reports and following up with providers on any exceptions noted. This causes organizations to be reactive as opposed to proactive.
This document provides a holistic approach to information security and risk management by providing organizations with the necessary security controls. It also provides a structured approach to help organizations tailor a security control baseline that can be applied to specific business functions. One of the key points that I took from this reading is the four steps of how to determine the impact level of an information system: (1) determine the different types of information by using NIST Special Publication 800-60; (2) use the impact values in FIPS Publication 199 and the recommendations of NIST Special Publication 800-60; (3) determine the information system security categorization; and (4) determine the overall impact level of the information system from the highest impact value among the three security objectives in the system security categorization.
Hi Wei. Great point that you brought up here. I agree with you that this document provides a holistic approach to information risk management by providing organizations with appropriate security controls. The four steps are essential to improving IT security. Out of these four, I think the third step is the most important since this is where we need to categorize the data. Categorization is fundamental to have proper cybersecurity.
My takeaway from this document is the framework, governance, and overall organization. It's really important that everything in our field is very well-documented and everything goes through a process. Unfortunately, our field isn't something that allows too much creative expression, but it is for the best. For example, table 1 in section 2.2 does a great job of grouping and categorizing different security control families. In cybersecurity, or just information systems security in general, it's very important that everything is fed through a mill of rigor, and when it comes out on the other side it is laden with a trail of documentation. There cannot be any cracks in the system or else they will be exploited by potential hackers. As the saying goes, the bad guy only needs to find one hole, while the good guy has to protect a dozen.
I agree that a standardized approach is important and beneficial for the industry as a whole. Without this document, if you asked 10 different people to design security controls for the same system, you’d probably get 10 vastly different assortments of controls. As you mentioned, it’s about being comprehensive and using tested methods. Any one weakness is an avenue that threat actors can use to attack. Particularly important in NIST SP 800-53 is how it describes the processes of risk analysis and selecting controls, not just a checklist of controls.
A key point that I learned was that the objective of NIST 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, is to provide guidance for the selection of organizational security controls in accordance with FIPS Publication 200 and Federal Minimum Security Requirements for its partners. The document provides a risk management framework outline that is a continuous process where IT security professionals should categorize, select, implement, assess, authorize, and monitor different risks. By knowing the framework, an IT security professional can implement the appropriate security control for each type of risk.
One key takeaway from the reading is the importance of tailoring baseline security controls. Organizations must take an active role in aligning the security controls to their organization and business processes. Applying a one-size-fits-all approach will add risk, as the controls are intended to be used as a baseline. Also, it's important that organizations take a strategic approach to tailoring the security controls. Controls should not be removed for convenience, and any deviation from the baseline needs to be documented. It's also important that management and process owners are involved in this process to ensure that proper support and knowledge are used to make risk-based decisions.
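The two procedures discussed in this thread, the four-step FIPS 199 impact-level determination (high-water mark across information types and security objectives) and the tailoring of the selected baseline with documented, approved deviations, can be written down as a small piece of code. The example below is added here and is not from the thread, from NIST, or from any of the posters. The information types, their impact values, and the control-to-baseline allocation table are constructed for illustration only; the real allocations are in Appendix D of SP 800-53r4 and the real provisional impact values come from SP 800-60.

```python
"""Added worked example: FIPS 199 security categorization of an information
system, SP 800-53 baseline selection from the resulting impact level, and a
tailoring step that refuses undocumented or unapproved removals.

All sample data below is constructed for the example; it is not NIST's data.
"""
from dataclasses import dataclass

# FIPS 199 impact values, ordered so that list position gives the ranking
# used for the high-water mark.
IMPACT_ORDER = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system processes, with its provisional
    impact value per security objective (values here are constructed)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_impact(values):
    """Highest FIPS 199 impact value in an iterable of values."""
    return max(values, key=IMPACT_ORDER.index)


def categorize_system(info_types):
    """Steps 1-3: for each security objective, the system's impact value is
    the highest value among all information types it handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for it in info_types:
        for obj in OBJECTIVES:
            if getattr(it, obj) not in IMPACT_ORDER:
                raise ValueError(f"{it.name}: invalid impact value for {obj}")
    return {obj: _max_impact(getattr(it, obj) for it in info_types)
            for obj in OBJECTIVES}


def overall_impact_level(categorization):
    """Step 4: the overall impact level is the highest value among the three
    objectives; it picks the LOW, MODERATE or HIGH control baseline."""
    return _max_impact(categorization.values())


# Constructed baseline table. The identifiers are real SP 800-53 controls and
# enhancements, but which baseline includes each one is illustrative only.
BASELINES = {
    "LOW": {"AC-2", "CA-2", "MP-2", "SC-13"},
    "MODERATE": {"AC-2", "AC-2(1)", "CA-2", "CA-2(1)", "MP-2", "SC-13"},
    "HIGH": {"AC-2", "AC-2(1)", "AC-2(2)", "CA-2", "CA-2(1)", "CA-2(2)",
             "MP-2", "SC-13"},
}


def select_baseline(info_types):
    """Run the four steps and return (categorization, level, baseline set)."""
    categorization = categorize_system(info_types)
    level = overall_impact_level(categorization)
    return categorization, level, set(BASELINES[level])


def tailor(baseline, decisions):
    """Tailoring: a control leaves the baseline only with a documented
    rationale and a named approving official. Each decision is a tuple
    (control, rationale, approver); an incomplete decision is rejected
    instead of being silently applied."""
    tailored = set(baseline)
    for control, rationale, approver in decisions:
        if not rationale or not approver:
            raise ValueError(f"{control}: tailoring needs a rationale and an approver")
        if control not in tailored:
            raise ValueError(f"{control}: not in the selected baseline")
        tailored.discard(control)
    return tailored


if __name__ == "__main__":
    # Constructed system processing three information types.
    system = [
        InfoType("payroll records", "MODERATE", "MODERATE", "LOW"),
        InfoType("public web content", "LOW", "MODERATE", "LOW"),
        InfoType("incident reports", "HIGH", "MODERATE", "LOW"),
    ]
    cat, level, controls = select_baseline(system)
    print(cat, level, sorted(controls))
    # A documented, approved deviation is accepted; an undocumented one is not.
    print(sorted(tailor(controls, [("AC-2(2)", "no shared accounts exist", "AO")])))
```

Because one HIGH confidentiality value on a single information type drives the whole system to the HIGH baseline, the example also shows why step 1 (enumerating every information type the system touches) matters: a missed information type can understate the categorization and select too weak a baseline.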