Let's start on Lesson 2.4, where we're going to talk about control selection, how you pick from the baseline, and what that actually means.
So in this lesson, you'll learn about control baselines. We'll explain the priority levels; I talked about them a little bit, but we'll talk about them a little more just to make sure you understand what that means. We'll interpret the need for tailoring and distinguish some of the control changes.
So here you'll notice the similarities from when I showed the actual control. NIST created a matrix that shows all the requirements and gives you a nice table. So instead of having to go through each one of those controls individually, you can look at this baseline and say, OK, whatever my system is,
these are the controls I need to implement, instead of having to go through each one
individually again. Let me just break it out into the little pieces here. So again you have the control number, which is the family, dash, the actual number,
and then the control name, which is a description of each one of the controls. That's a good way of looking at the matrix.
In the middle, there is the priority I mentioned in the previous one.
There's P1, P2, P3. Any time you really need to look at this priority is when you're going to implement a control, and say you have some number of controls to implement, no matter how many, but you're not sure how to do it or where you should allocate resources.
This priority says one goes first, two goes second, and so on, so you can
again allocate your time.
And then, as you saw in the actual control, this is the baseline, so you can pick it out. You could say my system is High; I'm going to look at the third column and just go straight down, and when I go to write my security plan, here are all the controls I need to address as well as the enhancements. Kind of going back to this, if you look at AC-2 there, you can see
it reinforces what I said about security categorization. You can see for AC-2 Low there were no enhancements you had to do, and then for High you have to do 1, 2, 3, 4, 5, 11, 12. There's a lot more you have to do, and a lot of them, as you get to the High system, start talking about automation
and other more specific, technologically
heavy controls. So again, don't overdo your categorization if you don't need to.
We talked about tailoring a couple of times, but really, NIST says this is the fundamental thing, the most important part, and they want to reinforce it, as you see from this quote here. So they said the tailoring process is part of a comprehensive organizational risk management process:
framing, assessing, responding to, and monitoring information security risk.
What does that mean? What they're really saying is, this is the first step you should do after you've selected the baseline. That said, before selecting the baseline, you should really go through all the different organization-defined variables,
explain or decide across your organization what these mean or how they
should be defined.
And then you can actually do this separately. You could define variables separately per security categorization, so a Low may have one variable defined one way, versus a High may have it defined a different way.
They really want you to apply scoping considerations, look at the risk, and decide. You take the baseline of what NIST suggested, and then even look through some of the controls that were not part of it, and even the enhancements that were not part of the baseline, and look at them: do these make sense for my
organization, for my business? Should I add additional controls above and beyond what this suggests? Or
are there controls in the baseline that don't really make sense?
Should I work through those beforehand, so that when new systems come online, you say, here's the baseline specific to your organization, here's what you want to do, here's what you want to implement, here's how you want to document the controls to protect your system.
The controls aren't working here.
Well, I'll keep punching it, um.
So for control changes, this is what we really talked about. You can add compensating controls, which means there may be some risk to my system, but I have these other controls in place that compensate for the risk or reduce some of the risk to it. You may want to add more controls to supplement it. You may want to add controls for
technological reasons or for a technology.
Maybe the organization requires it.
There may be some specific policy or legal requirements. So if you're processing credit cards,
there might be some PCI requirements that are not met specifically by the baseline, or if you're in healthcare, there are additional HIPAA requirements on top of that.
And then something else we'll talk about later is these specific technical and
management benchmarks that are out there. So for the DoD, they use a STIG, which is the Security Technical Implementation Guide.
On the federal side, you may use that, or you may use a different benchmark, say, like the Center for Internet Security, with the CIS benchmarks. These benchmarks go through and say, here's how you should implement security controls to adequately protect. They come from the perspective of setting a benchmark, but then they map them back to the NIST requirements, which
helps you then identify
between the two