okay, As we move on to section two or domain to, we're going to start to talk a little bit about the requirements. And again, this will just give you the 14 requirements, and then we'll go through each one more in depth. So the whole premise of this documentation is there really 14 classes or families,
if you will, of security requirements?
And we have these listed out, and what you're gonna find in each one of these families is there are basic requirements and then derived requirements. So the basic requirements were essentially going to tell you this is the ultimate goal of what we're trying to accomplish. And the derived requirements were kind of those
those ways in which we accomplish them. Hopefully, that makes little sense, and I think you'll see it as we move forward.
So we start off with access control, which is limiting how a subject can manipulate an object awareness and training That's pretty self explanatory
auditing and accountability, making sure we can match an action to a subject and making sure that, uh, no one individual has too much power and making sure that there's no sorts that there isn't any sort of abuse within the system.
Ah, configuration management revolves around documentation, documentation, documentation and controlling changes and having an approval process for changes in the environment.
Identification, authentication. We make a claim, then we prove it. I claim to be Kelly Hander Hand. Here is my passport
incident response. What do we do when there is a cyber incident, Whether it's malicious or not, how do we respond to loss of data, loss of availability or whatever those elements might be
maintenance? How'd we go back and review our systems? Make sure everything's up to date. How do we catch if necessary, or modify Ah, hardware or whatever we're required to do to maintain our systems
Protection of media, Making sure that if media is reused the remnants of data or cleanse, making sure that we label media properly, whether that's done through immediate librarian or, uh, you know Dunmore on an individual level, making sure that we have good policies in place.
Personnel security, making sure that we don't give access to people that shouldn't have access. And some of that's going to come just from hiring policies as well as some other administrative policies. Physical protection,
protect your facility. And sometimes sadly, that's one of those elements that's overlooked in our environment. And we think that it's somebody else's responsibilities.
But things as basic as locking doors. Having a security guard. Um, any of those elements can really impact the security in your environment.
Risk assessment. You know what all of this comes down to risk assessment.
You know, how much money do I spend on physical security? What elements of access control do I implement? How do I go about authentication and often unidentified cation comes down to How much money am I going to spend
and how much money I'm going to spend comes back to the value of the data. So we've gotta have some sort of risk assessment mechanism in place
to make sure that we're We're aware of the threats and vulnerabilities and also continuing to monitor for risks because risks are always popping up in, you know, the risk landscape or the threat landscapes, frequently changing security assessments.
Ah, security assessments, pen testing and vulnerability assessments, making sure that our network and our individual systems air properly configured in order to rebuff any sort of attack.
Ah, system and communications protection so here, looking at our networking environment and making sure that we're protecting data in transit and then system and information integrity. You know, when we talk about system integrity, making sure that the internal function of a system isn't compromised in any sort of attack
and the integrity of the information getting the assurance that the information hasn't been modified, whether intentionally or
unintentionally so these are the requirements will go through against each of the the next 14 sections.