NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations

5 hours 58 minutes
Video Transcription
Welcome back to cyber. Is this? Of course. I'm your instructor, Brad Roads. Let's jump into this Special Pub 800-53, and these are our security controls.
So in this video, we're gonna look at the RMF again. That probably shouldn't surprise you. We're gonna talk about security controls, and then we're gonna do an example application of a security control, in this case, access control.
So there's two charts on this particular slide. One you should be familiar with: this is the RMF security lifecycle. We talked about this. You need to memorize this chart. You need to understand that we go: we categorize, we select, we implement, we assess, we authorize and we monitor. You will note on this chart each one of the areas where we're going to do that is specified in this publication or a FIPS manual. And this chart's super handy because it shows you which ones apply to which of those areas. So when you're thinking about Theis of content and you need to, say, study security controls, in this case here, where we're at in this particular lesson, you're going to go to this Special Pub 800-53.
Now, the second chart on this slide is a defense in depth diagram. So we start, and you can start at the top or the bottom. We'll start at the top, right? We have the perimeter or edge of our organization. Within that perimeter, we have our network, which connects hosts. On the hosts are applications, which ultimately access data. So
there are security controls in 800-53 for data, security controls for applications, security controls for hosts, networks and the perimeter. Right. So if you need an idea of a security control, those could be a technical control and non-technical control. Preventive, detective, whatever. You're gonna find those controls in 800
So here are the security controls that you will find in 800-53. You'll notice there's access control, contingency. There's incident response, maintenance controls, planning controls, risk assessment, services and system acquisitions. All of these things, these are all controls. These IDs, right, are actually tied out to very specific controls in each of these areas that you will find in 800-53.
You don't need to memorize all of them, right. But it helps to understand that when you see something that says, uh, AU dot a one, that control is dealing with audit and accountability. You need to know that AU is the ID for the audit and accountability category. Very important to understand each of these different IDs.
So let's do a quick access control example. So if you notice, here's a control number, here's your control name. This is a direct cut out of 800-53 to get you familiar with that, right? And you can see there's lots of controls here.
Um, there's access control. There's least privilege. There's session lock, there's terminate. So when you think about, say, hardening a system, protecting a system, right, the controls are literally listed for you, right? You don't have to reinvent the wheel. It's very important to understand that NIST gives you the ability to grab controls and then figure out what you're going to use in your organization. In the access enforcement area, this is where we find things like
when we get a little deeper and then we find things like MAC and DAC and RBAC, RBAC and TBAC, right? Well, those are our access control models. Where, when you remember, ah, mandatory access control is it's specified for the users. Discretionary access control is the users can specify that themselves. Role-based is unique because that's where we get to the granular level of, okay, you know, user Bob is an administrator, so he's gonna get a certain set of things based on his role, and user Frank is just a power user, so he's going to get a certain amount of things. Rule-based is a little bit different than role-based. Rule-based is based on the data, right? What systems and what data do you need access to and why do you need access to it? And maybe that rule could be inclusive of access at a certain time, during certain work hours, during certain shifts. Right?
So that makes the management and tracking of, say, AAA a lot easier. And then, of course, task-based. Right? Let's say that you have somebody that you hire and what they do is babysit and run your scripts. Great. Well, guess what? You could give them task-based access control. So that's all they can do, right? So lots of ways to do that. But all of these types of controls are listed in the access enforcement control in 800-53.
So, in this lesson, we reviewed again the RMF, that security lifecycle, that you should memorize, that particular chart and the flow. Right? We talked about security controls and that they come from, where they come from and the types, right? And, of course, there's a laundry list of them, which is great. If you don't know where to start with security controls, start with this 800-53.
And then, of course, we talked about access control: RBAC, TBAC, the other RBAC, mandatory access control, discretionary access control in our access control example. We'll see you next time.
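
Added example, not part of the video or of NIST SP 800-53: a default-deny authorization check that combines the role-based, rule-based (time-of-day) and task-based models described in the transcript. The role names, permission strings, the `ops_runner` account and the 08:00-18:00 window are assumptions constructed for illustration.

```python
from datetime import time

# Constructed policy data (illustrative, not taken from SP 800-53).
# Role-based: permissions hang off the role, users are mapped to one role.
ROLE_PERMS = {
    "administrator": {"user:manage", "config:write", "config:read", "logs:read"},
    "power_user": {"config:read", "logs:read"},
}
USER_ROLES = {"bob": "administrator", "frank": "power_user"}

# Task-based: this account holds no role, only the tasks it was hired to run.
USER_TASKS = {"ops_runner": {"script:run"}}

# Rule-based: the rule is attached to the resource and applies to every user.
RESOURCE_HOURS = {"config": (time(8, 0), time(18, 0))}


def grant_source(user, permission):
    """Return the model that grants the permission, or None (default deny)."""
    role = USER_ROLES.get(user)
    if role and permission in ROLE_PERMS.get(role, set()):
        return f"role:{role}"
    if permission in USER_TASKS.get(user, set()):
        return f"task:{permission}"
    return None


def within_rules(permission, at):
    """Check the time-window rule for the resource named in the permission."""
    resource = permission.split(":", 1)[0]
    window = RESOURCE_HOURS.get(resource)
    return window is None or window[0] <= at < window[1]


def authorize(user, permission, at):
    """Return (allowed, reason); the reason string is what an audit log would record."""
    source = grant_source(user, permission)
    if source is None:
        return False, "deny:no-grant"
    if not within_rules(permission, at):
        return False, "deny:outside-hours"
    return True, source
```

A grant from a role or task is necessary but not sufficient: the resource rule still applies, so an administrator is denied outside the window.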