Anatomy of a Control

00:00

welcome back to lesson 2.3. Where will actually start breaking down the control? Or that the security controls and seeing different parts of them what they mean how to read them.

00:12

So for this lesson, we're gonna learn you will learn how to identify the components of control, explain organization variables, which we talked about a little bit boring. Talk about them or here, get more in depth and explain the selection of a control for a baseline.

00:29

Begin. There's a lot of text on the screen here, but just going. I have to follow the arrows here so you can kind of see where where I'm talking about. But again, it is important to see this information kind of in this

00:43

cluster of data. Because when you're going through the document and you're looking through hundreds of pages and all these controls are like this, you're gonna have to kind of get used to this.

00:52

So at the top is for this one. This is pulled directly out of appendix F of red four of 18 53. So there's the control number and the title. The control number is to see if the appendix of the control family. So, for example, this is the auditing. So this is a you and it's number three. So it's a you three

01:11

and there's always a title. So this one is the content of the audit records,

01:15

and then the next important part is right under that. This is the actual control. This is what you must implement. So I called it the description here. So, for example, this one says for this control, which is the content of the audit records the information system generates on it, records containing information establishes what type of events occurred when it occurred.

01:34

Who did it? Who is the subject,

01:37

for example here. And you can see this while this talks about what it is kind of read this and say, OK, what does this mean exactly? Maybe it doesn't explain it enough,

01:47

so they always provide some supplemental guidance in the next section here.

01:52

So this gets into a little bit more specific so you'll see. You'll say, I'll give you some help. This is not part of control, but this really help you. So that says, the on a record content may be necessary to satisfy the requirements of this control, which includes, for example, timestamp source, destination, the process, the event description,

02:10

any success or failure so you can see this one gives you a little bit more information. Okay, so this is what it means in the actual audit record,

02:19

and the next part is control enhancement. So not everyone of the controls have this, and some have more than others. Some have pages and pages of them, but these are the Maur advanced requirement. So the higher the security categorization them or of these control enhancements, you'll have to dio, for example, this is for a moderate system. You have to implement this.

02:38

So this is the content of the records says the system of the information generates auto records that contains the following additional information. And right here is an open spot where it says assignment organization to find additional content or information. So this is the part.

02:54

This is what we call the organization to find variables. This is the chance with the organization to say this is what I want in here. I know it has to be more than a for example, on this one. A low system moderate system should have additional information in here, whatever that an additional information means.

03:13

This is your chance to our side. There's the organization's chance to

03:15

specifically Taylor this for your organization, and this is again this is the organ sea organization to find variables. You'll see this throughout the document

03:25

and then last part down at the bottom here is the allocation for the baseline, which we've talked about which you understand what this means now. So for you've already you've already said this is a security categorization of my system, whatever it means. So for example, in this one for this, eh, you control a three. A low system must implement that

03:46

control, which is just a descriptive control at the top

03:49

versus a moderate system which says a U enhancement one since means if you have a moderate system, you have to do that. And in addition, that control enhancement and for a high system, you have to do enhancement one and two so you can see back when I said,

04:03

there's no reason to over categorize, but when you because if you do, this is the extra work you have. Thio perform an implement for a system.

04:14

Here's a quick quiz Based on what we just learned, you should be able to get eso first. Your security categorization for your system is moderate. Which parts? Willen? Assessor Review Determine if your system has adequately implemented the control. So this is third parties coming in and they're gonna look at your security plan, Your implementation.

04:33

Did you do it correctly?