1 hour 41 minutes
And welcome back. So we've reached the end of the lessons so far. So this Module 3 is just a conclusion; we're going to do some wrap-up and talk a little bit about what we learned. So in Lesson 3.1, the wrap-up, let's just
understand what we talked about, just to reinforce it. So we'll kind of go through
the whole line of the progression of what we did.
So in this video,
this whole video, all the videos, you learned to list the 800-53 control families. You learned how to describe 800-53 within the context of RMF.
You learned why we need a common taxonomy, why we need this common framework of 800-53. We talked about baseline selection, so going from security categorization to understanding the low, moderate, and high baselines and which one you need to pick.
We talked a little bit about the different versions of 800-53, and as I say, we're focusing on four. But there was three before this five. How do
you look at any of the new revisions that come out, and how to understand which parts to look at.
We looked at the different parts of the 800-53
controls, differentiating the parts: the control, the supplemental information, the enhancement, things like that.
And then we also looked at common, hybrid, and system controls and why we need those, where we need that shared risk.
And then we also looked at selecting applicable 800-53 controls.
The course synopsis. Let's just kind of go through this again, just to understand the life cycle. We started off with FIPS 199. This is the process you go through and look at and say, what is my,
for my confidentiality, integrity, availability, let me decide whether it's low, moderate, high. And then from that whole process, you develop the security categorization. And that's what we actually use all throughout the process. And that's what selects the 800-53 controls
that tell you, determine which ones are applicable to your system, so you have to get that right because it has cascading effects
all the way down through the whole RMF process.
Then you tailor the baseline. It's actually done by the organization beforehand, that says, the baselines, here's what controls should be in, and here's how to define the variables.
But at the system level, you can also tailor it as well and say this control doesn't apply, or it does. You have to have very good reasons for it; you can't just say I don't want to do it. But you also tailor at the system level,
and then the controls are implemented at separate tiers. The organization has controls, or implements controls. You have the system level, the hybrid.
You want to be able to define each one of those, or understand that shared risk that cascades through the levels.
And then the implementation is defined in security plans, because we looked at how you define it, how you explain what's being implemented, where you put in the organization-defined variable in the security plan.
And then, well, and then we looked at taking a weakness that may not be specifically generated from *** control, but from another tool, and how we map that weakness to an 800-53 control. Because that's what you have to do. You have to be able to tie it back to a control. If you can't do that, it's probably not applicable.
You may come up with something crazy like
your system doesn't have AI for auditing, auditing controls. If you can't map that to a control, it's probably not a real control that needs to be implemented.
And then we mapped the risk
into ours, where we mapped the weakness to risk and then identified it in the POA&M. So we have this life cycle of security controls: here's what we need to pick, here's how we implement them, here's how we test them, and then we map them to actual risks, because the risk is the impact; risk is defined as the impact of it
and the likelihood that it will happen, and you need that. That's the most important reason
why we're talking about security weaknesses, and that needs to go in the POA&M so that the authorising official,
anybody, needs to be able to look at a system from a POA&M and not have to go through risk assessments and all these documents and babbling, just a quick view, and say what is the risk to the system.
So, the one final quiz: using FIPS 199, you defined the following security categorization for your system. So on the right there you see SC, security categorization.
You determined that the confidentiality was moderate, integrity was high and availability was low.
What is the overall categorization used to select the 800-53 control baseline?
Would this system, based on that, be a low, would it be a moderate, or would it be high?
Based on the high water mark principle, which we talked about way a while back, this would be a high system, because you look at all the confidentiality, integrity, availability; whichever has the highest, that's your high water mark. Integrity's high, so the whole system has to be high. So the baseline you select, all the controls you select, are based on a high baseline.
So thank you for attending my class on NIST 800-53. Um, I hope you found it useful.