2.1 Selecting Controls

00:00

Hi and welcome to risk management framework. This is less than 2.1 where we're going to be selecting our controls.

00:10

So the learning objectives of this video, um we're really gonna be interested in what the selection step is and how it fits into RMF. What tasks are associated with the selection step as well as how executive leadership can support the proper selection of controls for their environment,

00:26

selecting control. So we're gonna go through the definition here from the Nist sp 837.

00:32

The purpose of the select step is to select taylor and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets. Individuals and other organizations and the nation. Uh so obviously this is a really important step, making sure that we understand

00:52

which controls are important for our systems.

00:55

So why is this important? Again, it's making sure that we're selecting the proper controls because without that we don't know if our systems are secured in the way that they should be. It's really about having that full picture and understanding which ones were selecting and why we're selecting them.

01:12

So the selection tasks, uh this includes the actual selection of the controls, tailoring them to your system, depending on what kind of system you have or what kind of operating systems and applications you may have,

01:25

making sure that you're allocating them properly,

01:27

making sure that you're documenting them the documentation, your plan controls. Obviously hugely important to have that documentation to know why you selected them and which ones you selected.

01:37

Again, continuous monitoring strategy that we mentioned before is very important when it comes to selecting these. Uh and then of course plan review and approval.

01:48

So what we're talking about control selection, we're talking about a top down approach, making sure that,

01:55

you know, based on the inputs and outputs. We're categorizing the system properly using the system inventory and any other contractual requirements from vendors or any applications you might be using to bring that output um that you've selected the proper controls for your system or environment depending on which ones you're looking at.

02:14

So the primary contact is gonna be your system owner. They're really ultimately going to be the ones to make sure that the controls are selected properly um with supporting roles by the audio. Maybe some security engineers, privacy officers, anyone who may be able to provide technical input for selecting these controls

02:31

quiz. So why should you use a top down approach when selecting controls?

02:38

You know, it's important to uh what we spoke about earlier brings security from the top down. That really helps people to understand that security should be first or at least integrated into projects. It helps to make sure that when you're selecting controls, again you're balancing security and functionality. So you're saying yes, we need to be secure. But also I need my I need my system to function properly.

02:59

So let's make sure that we're selecting controls and make sure that everyone's involved that needs to be involved.

03:06

So tailoring the controls uh So we're going to take the inputs from the initial baselines, any risk assessment results, we might have our system inventory and an impact analysis. We're going to take all of those inputs to hopefully create that list of tailored controls for your system or your environment.

03:23

Um And that's really getting that whole view of your system to make sure that

03:28

you're tailing the controls to your needs. Again, functionality, insecurity balancing.

03:32

Uh So again, your primary contacts can be your system owner, they're going to be really heavily involved in this. Um And again, you're supporting roles will be your a. O any security engineers or privacy offers that again, may be able to add some input and help with selecting some of the technical controls.

03:51

Okay, so control allocation,

03:53

so we're going to take the inputs again from our security categorization, our enterprise or security architecture, uh any list of common controls that might be inherited from the domain or the network as well as any relevant laws depending on your organization or business.

04:08

Um with the expected output of a list of security and privacy controls that are allocated to the system.

04:14

So your primary contact is going to be your security or privacy architect or officers. So you're gonna want to make sure that anybody that's very familiar with the overall design or anyone who may be dealing with this operationally can help make sure that the controls are allocated properly.

04:30

Um And again, you're supporting roles. You're gonna have your Ci or you're authorizing official your A. O helping in this process.

04:41

So documentation. So when we're talking about documentation,

04:46

we're going to take the inputs from the security categorization, the risk assessment results, your list of selected controls as well as your risk management strategy. So again, you're gonna be taking all this information and you're going to be putting it out into your security and privacy plans. So you're going to grab all this information and try to create a

05:04

a great security plan. That's cohesive.

05:08

Again, your primary contact is going to be your system owner with supporting roles with your a o any security or privacy engineers or officers that might need to be involved in getting the documentation right

05:20

quiz. Who is the main contact when allocating controls?

05:26

Again, this is gonna be your system owner. They're really critical throughout this process and I think it's important to note that you want to make sure that your system owners are aware of their responsibilities when it comes to owning a system and really taking responsibility for that system

05:39

so that they understand the risks and are able to secure their systems properly.

05:46

Okay, So when we're talking about continuous monitoring or conman,

05:49

we're talking about taking inputs from the risk management strategy, the organizational conman strategy, because we're talking about the system level now and it's going to be taken into the system common strategy. So you would want to take any of those, like we're talking about inheriting any of those common strategies that would come from the organizational level and apply them at the system level.

06:12

So again, your primary contact is going to be your system owner and you're probably going to need some support from uh your risk management executive, see IO security or privacy architect engineers officers. Um You're continuing continuous monitoring strategy

06:27

is going to involve a lot of people and it should so that all the teams can work together and make sure that you're monitoring the right things,

06:35

so plan review and approval. So here we're talking about the inputs from previous steps, the security and privacy plans, as well as the results from a system level risk assessment,

06:46

so that you can then come out with an approved security and privacy plans, which your primary contact is going to be your ale. They're going to need to be the ones that say yes, I sign off on that weather that Ceo Ceo, anyone in the C suite that might be signing off on this uh with supporting roles from your risk management executive

07:03

or a chief acquisition officer they may need to be involved in um If you're looking at getting a new product, buying a new application, they might need to be involved in this step.

07:15

Okay, So executive are real.

07:16

So what are the main takeaways for executives? You know? Again, we're gonna harp on this, this think about using a top down approach, really think about how this how you can help in this step and how you might want to be involved um And also who you want to have involved

07:31

to make sure that they're doing the right thing. So, again, your system owners, they have major responsibilities,

07:38

making sure that they understand those responsibilities and what it means to their system. Make sure management involves appropriate people for each task that's going to come up again and again. So making sure you've allocated the right people with the right skills to make sure that the tasks are successful.

07:54

All right. So for our video summary today, we talked about what the selection step means to the RMF process. We talked about which task correlate to the selection step,

08:03

which groups should be involved in each task, so making sure we've got the right people in the right place,