Control Families

00:00

Okay, So for a lesson to point to that, spend some time actually talking about the control families, what they mean with what they are again. They came from the security kept there. They came from Fitz 200 that minimum security requirements.

00:15

So in this lesson, pretty simple. You'll be able to list to controls differentiate security between the security controls and privacy controls, as I mentioned in ref. Or they set up a whole set of privacy controls, which are separate from the regular security controls.

00:31

Here is the same table that I showed before, but we'll explain it a little bit Maur or some of the theme ideas of these. So, as I mentioned before, you have, say, the first one's access control. They call it a C. So thats the acronym so a C one would be the first control a C two, obviously following like that. That's how this

00:49

this whole, this hierarchy of the controls are set up.

00:52

There's something there technical, some that arm or process oriented, some of their policy on. There's some interesting one here. The program management, the PM controls. They're not allocated to any of the baseline, but it's part of what n'est offers as part of the

01:08

available requirement. Or that's where the available controls to, say, here's ones you can use. Here's how we define them if you need them. If you think they're important to your system, here's how you can implement them.

01:19

So the more technical ones or the A C control of the access controls the S C, which is the system communication protection. You get pretty obvious their technical controls of how you're going to implement and protect the system,

01:33

not exclusively

01:36

technical, but they're generally that's that's what they are.

01:42

Well, I kind of mentioned before is you'll see that most of the dash ones we call him a C Dash 1 80-1 a u Dash one. All those are generally policy or procedural base, so it's the high level. If you remember that tear, that's what the organization would be implementing. I'm sorry

02:00

with the US to control you would be implemented by the organization.

02:04

There's some other ones that air somewhere in between, or, for example, there's the physical and environmental protection. The P E controls

02:14

generally depends on every organization, but generally those air not implemented by the system those air implemented by the organization because there's a shared pool of money or say there's a data center that everybody uses until all the systems don't need to implement their own physical controls.

02:29

But at the same time there, maybe they may the physical in trolls, maybe at the organization level. But the system needs a little more physical protection, so they made it. They need a special rack or some special protection for encryption keys. Things like that.

02:44

Another technical one is the identification and authentication. The aye aye, you'll see. You'll see that one like that. There's a mix, but there's quite a few technical controls in there versus, like, the maintenance. That's a lot more procedural based. There are technical control of a lot of it. Is a procedural

03:02

or say are a, which is the risk assessment that's almost exclusively

03:07

procedural and policy base, because that's what you would expect, the organization says. Here's how I assess risk. Here's a process. Here's independent. I have independent sensors that this is their role, and it goes to this C I S O is one of these. Look at it and then present it to the authorising official or the C i o all those kind of procedural

03:28

issues. You kind of look through these in Chapter two of Revision for is where tha section lies or that devised all the security control families

03:40

to. The other part is the privacy controls. These were established a link between the likes of the security controls, but keep them specific. So if you have Pea II and your system these air controls, you really need to take a look at

03:55

they're all very most of them are self explanatory. The authority and purpose A PR. Why my collecting this privacy information? I need a good reason to do it.

04:06

A R is accountability, audit, risk management.

04:11

So how am I going to make sure that what procedures are in place and who's accountable for that? Why am I gonna make sure there's a reasoning? I need Thio p I. And make sure I'm protecting them correctly.

04:23

The D. I dated quality integrity. There's two controls. That's really what it's self explanatory.

04:29

D M is data minimization retention, so that's

04:34

really needed. The ordination needs to explain why again, why I'm collecting the data and stay within limits of side will just collect everything. I have to explicitly say why I'm collecting phone numbers or other personal information and how long I'm going to keep them. There's no reason if there's no reason to keep them for X number of years,

04:54

you should say I'm gonna keep it for this amount of time and then I'm gonna dispose of them.

04:58

So them being good shepherds of peoples of other people's privacy information

05:04

and I pee is individual participation redress. It just means who's going to participate and why are they per participating in and how convey How is that information specifically collected?

05:16

And then S C is pretty? Obviously it's the security of how I'm going to protect it.

05:21

Tiaras the transparency. So

05:25

what policies am I putting out there? What procedures am I explain how I'm collecting the data, how I'm protecting It's for the public of whoever's information you're collecting is again the transparency of explaining why I'm collecting it and also maybe publishing them for the public

05:43

use limitation is really just constraining the use of it. Why am I giving it the third parties? And if I am, why I must be explicitly explained why I'm giving it to somebody else and what business purpose it provides. And it kind of goes back to the transparency. Say, like, if I'm going to give it to some deals,

06:01

I must explain. Explain that before I collect your private data. Have to explain what I'm going to use Ward

06:08

or what I'm gonna use it for and how long I'm gonna keep it. All these are somewhat interrelated, but they're very important for P I

06:15

Quick quiz,

06:17

which is not a real control family

06:20

incident. I are instant response e an encryption CP Contingency planning.