800-53 Introduction

00:00

Welcome back to lesson one point to where we'll be talking about

00:04

853. Just give it to the initial introduction to it. So we understand where we're going.

00:11

So for this lesson, we're gonna define some of the common cybertechnology again. You need to understand those words what they mean someone seems simple. But just understanding how honest under start believes that with what they mean

00:24

and again kind of focus on why we need this common framework or taxonomy.

00:29

And then it talked about some of the introductory concepts for 853.

00:36

So why do we need a taxonomy for a cyber risk or a central way? Just need this. We need a bucket so that when we're all talking, we know these terms mean this and we have this limited words you could describe, and but that that helps having a common framework

00:51

because sometimes they mean different things within the context, so that even the worst security requirement

00:56

may seem simple to you, But if you're in legal, it means something different. If you're in contracting means something different. So we need to really understand our specifically defined these words

01:07

and for the A or the authorising official

01:11

they they have. They need a consistent, repeatable process so that they know because they look at this portfolio of systems across their organization, and they need to know that each time it's credited and the security requirements that are used are the same so that they can compare across systems.

01:27

And also we have a common framework for varying goal. So we need to document security controls. We need to assess them. The documentation is done through the security plan except the assessment of risk risk assessment process,

01:42

vulnerability reporting. So there's even though you're not a crediting, you may have this continuous monitoring where you're always reporting vulnerabilities or risks. You need a common way to map these into the control. So that's why eight or 53 helps.

01:56

Um,

01:57

we also need to be able to align it across the arm F process, which will discuss little bit more so that you have these these common requirements and common set of goals that again repeatable.

02:07

So what is the security control? Ms described it as the security controls and then this special publication 853 are designed to facilitate compliance with applicable federal laws, executive orders, directives, policies, regulations, standards and guidance

02:24

notice I highlight to facilitate their facilitate compliance because they've realized that

02:29

we get stuck into this idea because we're having a report compliance and that you spend a lot of your time because you don't wanna look bad or you want your red, yellow, green char looking looking good. So we spend a lot of time compliance. But really, the goal is to be diligent. And that's why I have this practitioners, no tears. Remember this, trying not to get stuck into the idea

02:49

we're

02:51

we're implementing control so that we don't look better so that our fisma score looks good

02:57

again. Misstated purposes. They want consistency, comparability, repeatability the same idea of always implementing controls, testing them the same way so that cross systems that make sense.

03:09

They also wanted it to be flexible as well, so that you're not stuck within this. Whatever this is, whatever n'est says you have to do so. They've added some of these flexible families,

03:23

like the project management and in some of the privacy controls, talk about

03:28

and again this common language to facilitate mapping again because we have. We're getting ideas of what risks are from automated tools, interviews, things like that. We need to build a map to the same controls

03:39

as I mentioned before. There's 812 which is the intruder to cybersecurity. It's good to kind of, maybe proves that so. One of the ideas they talk about is we're gonna talk about is the security controls. They define it as safeguards counter measures designed to protect the confidentiality integrity.

03:58

Availability of information is processed and stored and transmitted,

04:01

and to satisfy a set of defined security requirements. So the first bullet there's a couple of things again you'll see re occurring what we're talking about. Confidentiality, integrity, availability. There's a recurring themes. You'll see the menu where is very important

04:15

and also noticed that they said process stored and transmitted. So were we sometimes forget that there's the data is being stored and sitting there waiting to be processed. We have to protect it there. We have to protect it when it's actually being processed, and then when it's being transmitted. So those were some of the fundamental principles to understand.

04:31

You also wanna understand the lingo, so some of the things we don't even think about information. What does that mean? That means they define it as ideas that could be encoded into data. Okay, that kind of makes sense. We go from in France that data information security is protecting the information. Confidentiality is

04:50

we set rules or who's allowed to use the data or access it storage or processes, making sure those those those are in place and actually working.

04:59

Integrity means what the data we expect to be is what it is. It can't be changed,

05:05

and availability is.

05:08

Can can the data data available to be accessed, or does the system work at one of the ones in the area that we forget? A lot or some of the people forget is, if the system isn't available, it obviously doesn't work. So those are security controls we need in place

05:27

and another just pulled out from the abstract. That's miss idea of kind of summarizing the whole document.

05:34

So what they from the abstract one of the the courts I pulled out was it provides a catalogue of security and privacy controls to protect assets, individuals, other organizations from hostile attacks,

05:46

natural disaster, structural fairy failures, human errors and privacy risk,

05:51

so it's a lot in there. But the reason I put that in there is you understand the breadth of what we have to control in cybersecurity, what we're trying to protect, said risks from privacy, even human error structural faire. Alors disasters We forget, although some of those especially human error,

06:10

we think that we're protecting from malicious activity. But sometimes it's just protect protecting humans from

06:15

themselves and not giving them access to systems they don't understand.

06:18

But it's also wants to control to be flexible, customizable, and you'll see us talking about that as well. If we really want the ability to make the controls fit for your organization and your business, what it actually means,

06:32

Another one of our practitioner notes, Here's You can't ignore difficult controls that doesn't that's not what they mean by customizable. When you look at it like that's too hard, that costs too much money. I don't want to do it. You have to have a justifiable reason of why you did. You decided to change what missed recommended

06:50

before. We're not gonna go on really in depth in here, but it's when it kind of give you a view of what I mean by the control families. So this is how Mr organizes all the control surfaces the family, so there's access, control, awareness and training.

07:05

Those ideas are somewhat the acronym that doesn't always work out. We'll talk a little bit more in depth, but you can see this is the family so that each one of Control's falls under thes family of controls.

07:19

And then again, this is a lot of information, but just to kind of what this is, what a control looked like. So if you if you feel like you can go take a look at 853 independent chef,