NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
Welcome back to Cybrary. Of course, I'm your instructor, Brad Rhodes. Let's jump into NIST Special Pub 800-53, and these are our security controls. In this video, we're going to look at the RMF again. That probably shouldn't surprise you. We're going to talk about security controls and then we're going to do an example application of a security control, in this case, access control.

There's two charts on this particular slide. One, you should be familiar with; this is the RMF security life cycle. We talked about this. You need to memorize this chart. You need to understand that we categorize, we select, we implement, we assess, we authorize, and we monitor. You will note on this chart, each one of the areas where we're going to do that is specified in a NIST publication or a FIPS manual, and this chart is super handy because it shows you which ones apply to which of those areas. When you're thinking about the use of content and you need to, say, study security controls, in this case here where we're at in this particular lesson, you're going to go to NIST Special Pub 800-53.

Now, the second chart on this slide is a defense-in-depth diagram. We start, and you can start at the top or the bottom. We'll start at the top. We have the perimeter or edge of our organization. Within that perimeter, we have our network, which connects hosts. On the host, your applications, which ultimately access data. There are security controls in 800-53 for data. There are certain controls for applications, there are certain controls for hosts, networks, and the perimeter. If you need an idea of a security control, and those could be a technical control, a non-technical control, preventive, detective, whatever, you're going to find those controls in 800-53.

Here are the security controls that you will find in 800-53. You'll notice there's access control, contingency, there's incident response, maintenance controls, plan and control, risk assessment, services and system acquisitions, all of these things, these are all controls. These IDs are actually tied out to very specific controls in each of these areas that you will find in 800-53. You don't need to memorize all of them. But it helps to understand that when you see something that says AU-1 control is dealing with audit and accountability, you need to know that AU is the ID for the audit and accountability category. Very important to understand each of these different IDs.

Let's do a quick access control example. If you notice, here's a control number, here's the control name. This is a direct cut out of 800-53 to get you familiar with that. You can see there's lots of controls here. There's access control, there's least privilege, there is session lock, there's terminate. When you think about, say, hardening a system, protecting a system, the controls are literally listed for you. You don't have to reinvent the wheel. It's very important to understand that NIST gives you the ability to grab controls and then figure out what you're going to use in your organization.

In the access enforcement area, when we get a little deeper in there, we find things like MAC and DAC, and RBAC, and TBAC. Well, those are our access control models where, when you remember, mandatory access control is specified for the users. Discretionary access control is that the users can specify that themselves. Role-based is unique because that's where we get to the granular level of, okay, user Bob is an administrator, so he's going to get a certain set of things based on his role, and user Frank is just a power user, so he's going to get a certain amount of things. Rule-based is a little bit different than role-based. Rule-based is based on the data. What systems and what data do you need access to and why do you need access to it? Maybe those rules could be inclusive of access at a certain time, during certain work hours, during certain shifts, so that makes the management and tracking of, say, IAAA a lot easier. Then of course, task-based. Let's say that you have somebody that you hire and what they do is babysit and run your scripts. Great, well guess what? You could give them task-based access control, so that's all they can do. Lots of ways to do that. But all of these types of controls are listed in the access enforcement control in 800-53.

In this lesson, we reviewed again the RMF, that security life cycle; you should memorize that particular chart and the flow. We talked about security controls and where they come from and the types, and of course there's a laundry list of them, which is great. If you don't know where to start with security controls, start with NIST 800-53. Then of course we talked about access control, RBAC, TBAC, the other RBAC, [LAUGHTER] mandatory access control, discretionary access control in our access control example. We'll see you next time.