Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This lesson covers Domain 14 which is security assessment. This only has basic security requirements, 3.12.1, 3.12.2 and 3.12.3. There are no derived requirements.

Video Transcription

00:04
moving onto domain 14 security assessment. Now, I may have misspoken earlier. I think that I had mentioned one of the earlier,
00:13
uh, requirements was the only one toe have no derived security requirements. That actually was wrong. Ah, security assessment also has no derived security requirements. So here we would just look at the basics. So when we talk about security assessment, uh, this goes hand in hand with risk control, right?
00:33
Uh, with risk assessment were continuously monitoring
00:37
and making sure that our systems are in line with the current risks based on our cost benefit analysis. So we have three basic security requirements. First of all, we're gonna periodically assess the security controls organizational information system to determine if the controls are effective
00:57
in their application.
00:58
Are they working
01:00
right? Part of what a vulnerability assessment is. Are the proper controls configured? And are they working? Are they sufficient? So periodically? Now, again, this doesn't necessarily lock down and say once per quarter or once per
01:15
twice per year, whatever. But ultimately our organization needs to me and they just standard
01:23
with which we apply. So we're gonna periodically assess those controls and to make sure that they're working, make sure they're effective.
01:30
And then we're going to develop an implement plans of action to correct the deficiencies and also to reduce, or at least eliminate, these vulnerabilities that we were able to detect. So here again, we should already have these plans in place, at least the foundations for them.
01:49
So was we determined? Maybe a system. Uh, we're getting ready to certify a system,
01:55
and it fails one of the security assessments. Well, there should be a plan of getting this system back on track, correcting the problems that air there. Ah, and making sure that we're able to respond in a more positive fashion for the next series of tests. You know, one of the best ways to incorporate this
02:15
is to build security
02:16
into the design of a product, one of our later Siri's in mist. We're gonna be talking about, um,
02:24
this systems engineering process and how we build security into each stage of the system engineering process, and I think that's gonna be very significant. Ultimately, we're gonna build a system to pass the security assessments because that's, you know, ultimately what we want to do is to build a secure system
02:45
rather than to build a functional system that we secure later.
02:47
So ultimately, what I was getting at with that is you know, this process is much easier if your system is secured by design,
02:57
all right, and then the final basic security requirement we have to monitor, right? So the first bullet point, we're going to assess the security controls, make sure they're effective.
03:07
Second point is, we're gonna make corrective action plans in case the controls are not effective. And then the third basic security session dissection or, um, security assessment piece is monitor. Make sure on an ongoing basis. Just because the system passes the test today
03:25
doesn't mean it's gonna be resilient or,
03:29
um, or trustworthy tomorrow. Right? So we're going to continue to monitor those systems. So this is short session section on security assessment.

Up Next

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor