Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This lesson covers Domain 2 of NIST 171 and talks about the 14 families of security requirements. Within these families, there are two requirements: basic and derived. Basic requirements are about the ultimate goal while derived requirements are about the ways in which we accomplish a goal.

Video Transcription

00:04
okay, As we move on to section two or domain to, we're going to start to talk a little bit about the requirements. And again, this will just give you the 14 requirements, and then we'll go through each one more in depth. So the whole premise of this documentation is there really 14 classes or families,
00:22
if you will, of security requirements?
00:25
And we have these listed out, and what you're gonna find in each one of these families is there are basic requirements and then derived requirements. So the basic requirements were essentially going to tell you this is the ultimate goal of what we're trying to accomplish. And the derived requirements were kind of those
00:43
those ways in which we accomplish them. Hopefully, that makes little sense, and I think you'll see it as we move forward.
00:49
So we start off with access control, which is limiting how a subject can manipulate an object awareness and training That's pretty self explanatory
00:59
auditing and accountability, making sure we can match an action to a subject and making sure that, uh, no one individual has too much power and making sure that there's no sorts that there isn't any sort of abuse within the system.
01:15
Ah, configuration management revolves around documentation, documentation, documentation and controlling changes and having an approval process for changes in the environment.
01:26
Identification, authentication. We make a claim, then we prove it. I claim to be Kelly Hander Hand. Here is my passport
01:34
incident response. What do we do when there is a cyber incident, Whether it's malicious or not, how do we respond to loss of data, loss of availability or whatever those elements might be
01:47
maintenance? How'd we go back and review our systems? Make sure everything's up to date. How do we catch if necessary, or modify Ah, hardware or whatever we're required to do to maintain our systems
02:00
Protection of media, Making sure that if media is reused the remnants of data or cleanse, making sure that we label media properly, whether that's done through immediate librarian or, uh, you know Dunmore on an individual level, making sure that we have good policies in place.
02:21
Personnel security, making sure that we don't give access to people that shouldn't have access. And some of that's going to come just from hiring policies as well as some other administrative policies. Physical protection,
02:34
protect your facility. And sometimes sadly, that's one of those elements that's overlooked in our environment. And we think that it's somebody else's responsibilities.
02:42
But things as basic as locking doors. Having a security guard. Um, any of those elements can really impact the security in your environment.
02:52
Risk assessment. You know what all of this comes down to risk assessment.
02:57
You know, how much money do I spend on physical security? What elements of access control do I implement? How do I go about authentication and often unidentified cation comes down to How much money am I going to spend
03:10
and how much money I'm going to spend comes back to the value of the data. So we've gotta have some sort of risk assessment mechanism in place
03:17
to make sure that we're We're aware of the threats and vulnerabilities and also continuing to monitor for risks because risks are always popping up in, you know, the risk landscape or the threat landscapes, frequently changing security assessments.
03:31
Ah, security assessments, pen testing and vulnerability assessments, making sure that our network and our individual systems air properly configured in order to rebuff any sort of attack.
03:45
Ah, system and communications protection so here, looking at our networking environment and making sure that we're protecting data in transit and then system and information integrity. You know, when we talk about system integrity, making sure that the internal function of a system isn't compromised in any sort of attack
04:04
and the integrity of the information getting the assurance that the information hasn't been modified, whether intentionally or
04:11
unintentionally so these are the requirements will go through against each of the the next 14 sections.

Up Next

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor