Welcome back to the deal. The risk management framework Siris, on my credit and here to help you walk step by step to implementing the deity risk management framework. We've made it to step to selection of security controls
throughout this chapter. We're going to help you identify your information systems. Common controls. Select the appropriate baseline controls for your information system. Taylor. The security controls for your information system and supplement the Baseline and Taylor controls for your information system as a whole.
Also, we will develop and support a continuous
monitoring strategy. If you're studying for the I S C squared cap certification, be sure to review the relationships between the Phipps 1 99 The Categorization Step and Fits 200. The control selection steps When it comes to selecting security controls,
There are four primary tasks.
The common control identification, the security control selection themselves, the monitoring strategy and the system security plan approval
So and Step one. When we categorized our system, we developed a common baseline of security controls. Those were based on the impact levels from our selections. Remember, those impact levels were based on confidentiality, integrity and availability, and the overall impact of compromise.
Now it's time to enhance the baseline security controls
from the appropriate tables for the Department of Defense. That would be the CNS aside 12 53. Throughout this step, we're going to tailor our baseline security controls either by inserting or deleting controls as it is appropriate for the information system itself.
And then, of course, document
any changes that we make. When we look at the security controls, we have three bass selections. They will either be a system specific, a common control or a hybrid control. These controls are identified simply by ownership or some portion of ownership.
For instance, a system specific controls
will provide security for a particular information system. Only common controls provide security for multiple information systems under their umbrella and then hybrid security controls obviously would be a combination of the two.
The security controls themselves covered these basic areas.
Risk Assessment System service is an acquisition configuration management, personnel security, physical and environmental protection, contingency planning system and information integrity, identification, authentication, accountability and audit. The certification, accreditation and security assessments,
Security planning, system and communications protection,
awareness and training, media protection, maintenance, incident, response, access control and overall program management. Upon the completion of this step, you will pretty much finalize the system security plan itself through the system control identification.
We are going to determine whether or not the control is sufficient.
Supplement those control with ACE, persistent, specific or a hybrid control. Or quite possibly, we will just need to accept the greater risk. The primary roles involved in this step would be the C I o themselves, the C I s or the C so the information security architect
and the common controls provider.
So when we look at comment controls, these are the controls that are provided by some other hosting system, for instance, and on claim again. You can identify a common control simply by identifying where your administrative control ends and somebody else's picks up.
If you have no ability to administratively affect a specific control,
it would be identified as a common control. That brings us to Step two. Once we've identified our baseline controls, we need to begin to Taylor that baseline. It's supplement with any controls that may be required or necessary to provide overall minimum assurance.
Again, the primary roles that we will be involved here
is the information security architect and the information security owner.
So our baseline controls come from feeding this special publication 853. Here you're gonna find the security control descriptions, any enhancements and scoping guidance tables of four translating beat, low, moderate and high impact results to a minimum security control baseline
and any amplifying guidance for tailoring the minimum control baseline
to the system's riel requirements.
Again shares. A look at the 18 families within the 853 control set identified by the wrong name or the family and their two letter identify WR.
All security controls will be identified at a minimum by the two letter identify her
now looking at, for instance, the Appendix D of the 853. This one in particular, is for access control. You can see the two letter identify where, for instance, in the first line a C one that is the parent identify her for this control,
access control policies and procedures.
You see a C one applies to all low, moderate and high systems. Now, now it gets a little tricky. For instance, let's go down to a C four information flow enhancement you recognize if your initial control baseline
is low for confidentiality.
This control would not be indicated, however, if it is moderate now. A C four would be included as well as for Hi.
Let's do one more A C six least privilege again for a low initial control baseline. This is not an indicated control, however, for moderate and high. It gets a little different. You see, for moderate a C six enhancement. One,
would be indicated for high. It would be enhancements. 12359 and 10.
You will need to walk the steps for each identify control for your information system. You will also see a column identified as priority codes p one p to p three and so on.
Thes four D o d systems are not implemented. All controls are implemented with the same priority.
The priority codes only affect the federal system's. Next. Let's take a look at the sea NSS 12 53 itself. This is going to provide you an overall baseline for security controls. This is the security control selection for all national security systems.
The core steps are still the same. Select the initial set of security controls. Taylor. The initial set of security controls to the system and then supplement the tailor said of security controls for the system requirements and a reminder that all Deal D systems have been indicated
to be national security systems.
So within the 12 53 this is what our table turns out to again. You see a C one access control policy and procedures is indicated for all confidentiality, integrity and available and availability low, moderate and high.
However, there are mixtures and differences.
Once you change the moderate and high, for instance, or maybe even just the high, it's a pretty simple chart to read. You just need to pay attention to each identified control and their sub parents as well as enhancements.
So the guidance one in the 12 53. The confidentiality and integrity objectives are largely focused on reading and writing. ***
disclosure and modification cryptographic methods provide the ability to address disclosure by encrypting information, hence protecting against disclosure. The integrity, through uses of hashes and cryptographic hash is will protect against modification,
so the controls that address the use of cryptographic methods are typically allocated to confidentiality
and integrity based controls,
amplifying guidance to deals with the integrity, objective understanding. It's also concerned with the correctness of the action. The availability objective is primarily concerned with this survivability and ensuring that the resource is are there when the user requires them.
The availability objective is also concerned with
consequence management and countering certain activities aimed at a denial of service.
Next, let's take a look at the Fits 200 using the Special Publication 853. The goal here is to achieve adequate security. Now we probably need to define adequate for controls selection based on defense. 1 99 Impact level
for low impact information systems. Organizations must employ appropriate controls
for the low baseline of security controls defined in the 853 for modern impact information systems, the moderate baseline and so on. So does that help us really define adequate?
Probably not. The identification of adequate is simply Are you doing what's best for the information system? Have you met the requirement? Remember, once we get to the validation step, the validators are there to ensure not only that the security control
is working properly, but also working as intended.
So let's start tailoring our controls. Remember, these are all built on top of each other. For instance, you would start with the 853 in the CNS s 12 53. Then, if you're an Army individual,
you would lay the ale Are 25 Tash to requirements? On top of that,
any command specific requirements in the augmentation for location, any specific laws or regulations like P I R. Health data and then any other requirements for it's just the authorising official may impose upon it and then any specific system controls that need to be addressed.
Remember, the tailoring part
is the heart of how the risk management framework is implemented. It is not a checklist, it is not die capped 2.0, the framework is specifically designed to only implement what the system needs and nothing more and nothing less. Why
it's all about re sourcing and resource incorrectly
Next, you will need to start defining your monitoring strategy. This range is all the way from configuration management and control processes through the overall security impact of proposed or actual changes to the system.
Also, we need to take a look at the assessment of selected systems throughout its life cycle and the security status reporting that will be required
again. This will go as an appendix to the system security plan. As a whole, general roles that are included at this point would continue to be the information system owner as well as three common control provider.
So when we identify monitored controls, which controls are we really looking for? Well, it's determined by the information system owner or the common control providers themselves. The controls that are most volatile or critical or on the poem
must be included. Four. Continuous monitoring.
Now we need to determine how often we will monitor well.
This is in part set by the determination of trustworthiness off the common control provider, as well as any outcomes from prior risk assessments and ensuring that it can be continued throughout the life cycle of the system. Remember, when we deal with continuous monitoring,
it is not just the thing with blinky lights. About 70% of continuous monitoring
has the physical aspect to it. You don't turn on a computer at all. It would include policy reviews and physical inventory and physical access to facilities. Don't think you're going to get a magic bullet that you're going to turn on and see the configuration of all your systems and call it a day.
physical and technical.
So as we decide and look at these controls, we need to begin looking for an eye towards implementation and assessment building. For instance, an assessment case for those controls as an assessment case is an example assessment procedure that
provide specific actions that an assessor might carry out
during the assessment phase of these system validation. It's there to help understand the control enhancement for the information system to assure that the enhancement or the tailoring that we've done is appropriate.
Finally, once we've selected our baseline tailored our baseline and begun to develop a least a draft continuous monitoring plan, it's time to seek approval. At this point, we will finalize this system security plan and send it
forward to the authorising official or their representative for
for most components on Lee. At this step, can you even begin to start soliciting for a validator to come visit the system technically until this step is complete until the system security plan is signed, the system and the controls do not exist
in the next section, we will move on to Step
three. The implementation phase