Control Families

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

2 hours 11 minutes
Video Transcription
Okay, So for a lesson to point to that, spend some time actually talking about the control families, what they mean with what they are again. They came from the security kept there. They came from Fitz 200 that minimum security requirements.
So in this lesson, pretty simple. You'll be able to list to controls differentiate security between the security controls and privacy controls, as I mentioned in ref. Or they set up a whole set of privacy controls, which are separate from the regular security controls.
Here is the same table that I showed before, but we'll explain it a little bit Maur or some of the theme ideas of these. So, as I mentioned before, you have, say, the first one's access control. They call it a C. So thats the acronym so a C one would be the first control a C two, obviously following like that. That's how this
this whole, this hierarchy of the controls are set up.
There's something there technical, some that arm or process oriented, some of their policy on. There's some interesting one here. The program management, the PM controls. They're not allocated to any of the baseline, but it's part of what n'est offers as part of the
available requirement. Or that's where the available controls to, say, here's ones you can use. Here's how we define them if you need them. If you think they're important to your system, here's how you can implement them.
So the more technical ones or the A C control of the access controls the S C, which is the system communication protection. You get pretty obvious their technical controls of how you're going to implement and protect the system,
not exclusively
technical, but they're generally that's that's what they are.
Well, I kind of mentioned before is you'll see that most of the dash ones we call him a C Dash 1 80-1 a u Dash one. All those are generally policy or procedural base, so it's the high level. If you remember that tear, that's what the organization would be implementing. I'm sorry
with the US to control you would be implemented by the organization.
There's some other ones that air somewhere in between, or, for example, there's the physical and environmental protection. The P E controls
generally depends on every organization, but generally those air not implemented by the system those air implemented by the organization because there's a shared pool of money or say there's a data center that everybody uses until all the systems don't need to implement their own physical controls.
But at the same time there, maybe they may the physical in trolls, maybe at the organization level. But the system needs a little more physical protection, so they made it. They need a special rack or some special protection for encryption keys. Things like that.
Another technical one is the identification and authentication. The aye aye, you'll see. You'll see that one like that. There's a mix, but there's quite a few technical controls in there versus, like, the maintenance. That's a lot more procedural based. There are technical control of a lot of it. Is a procedural
or say are a, which is the risk assessment that's almost exclusively
procedural and policy base, because that's what you would expect, the organization says. Here's how I assess risk. Here's a process. Here's independent. I have independent sensors that this is their role, and it goes to this C I S O is one of these. Look at it and then present it to the authorising official or the C i o all those kind of procedural
issues. You kind of look through these in Chapter two of Revision for is where tha section lies or that devised all the security control families
to. The other part is the privacy controls. These were established a link between the likes of the security controls, but keep them specific. So if you have Pea II and your system these air controls, you really need to take a look at
they're all very most of them are self explanatory. The authority and purpose A PR. Why my collecting this privacy information? I need a good reason to do it.
A R is accountability, audit, risk management.
So how am I going to make sure that what procedures are in place and who's accountable for that? Why am I gonna make sure there's a reasoning? I need Thio p I. And make sure I'm protecting them correctly.
The D. I dated quality integrity. There's two controls. That's really what it's self explanatory.
D M is data minimization retention, so that's
really needed. The ordination needs to explain why again, why I'm collecting the data and stay within limits of side will just collect everything. I have to explicitly say why I'm collecting phone numbers or other personal information and how long I'm going to keep them. There's no reason if there's no reason to keep them for X number of years,
you should say I'm gonna keep it for this amount of time and then I'm gonna dispose of them.
So them being good shepherds of peoples of other people's privacy information
and I pee is individual participation redress. It just means who's going to participate and why are they per participating in and how convey How is that information specifically collected?
And then S C is pretty? Obviously it's the security of how I'm going to protect it.
Tiaras the transparency. So
what policies am I putting out there? What procedures am I explain how I'm collecting the data, how I'm protecting It's for the public of whoever's information you're collecting is again the transparency of explaining why I'm collecting it and also maybe publishing them for the public
use limitation is really just constraining the use of it. Why am I giving it the third parties? And if I am, why I must be explicitly explained why I'm giving it to somebody else and what business purpose it provides. And it kind of goes back to the transparency. Say, like, if I'm going to give it to some deals,
I must explain. Explain that before I collect your private data. Have to explain what I'm going to use Ward
or what I'm gonna use it for and how long I'm gonna keep it. All these are somewhat interrelated, but they're very important for P I
Quick quiz,
which is not a real control family
incident. I are instant response e an encryption CP Contingency planning.
So he's the same one of the previous quiz. But e'en encryption is not a real family, but it's featured in they detectable access controls, security and communication protection to the i. R c p r. Valid security controls. The encryption is not valid. It's just hasn't been set out as its own control family
Up Next