Welcome back to the DoD Risk Management Framework series. I'm Mike Redman, here to get you through everything you need to know to successfully implement the DoD Risk Management Framework. We've made it to Step 3, Implementation.

In this chapter, we're going to walk you through how to allocate the appropriate security controls for your information system, implement the security controls for your information system, and describe the information system in a functional manner with appropriate documentation in the security plan.

If you're studying for the (ISC)² CAP examination, this section will help you discern between a compensating control and a supplemental control. Plus, you'll want to study the concept and process of tailoring controls to your information system. Through this section, there are two primary tasks: security control implementation and security control documentation.

The key stakeholders here are the information system owner and the common control provider.
So how do we work through implementation? It all starts with reviewing the control structure itself. Remember, all the controls are listed in 800-53 in alphabetical order by identifier. That's the two-letter identifier at the beginning; appended to it is a number to indicate each control within the family. Each control is formatted consistently.

You will have the control itself, which is the description; any supplemental guidance applicable to the control; control enhancements; references; and then assignments, or variables, for the control. Here you see an example of a control listing. You see the two-letter identifier, in this case AU-5, Response to Audit Processing Failures.

You see I've highlighted here in red, first, the variable for the control, which would be an organization-defined value for this particular control. Also pay close attention under the supplemental guidance: here you will see any other controls related to the particular control we're working.
Each control contains a concise statement of the specific security capability needed to protect a particular aspect of an organization or information system. It describes the security activities or actions to be performed. Again, you see here the identifier and the long name, and then the control section itself, which will give a detailed explanation of what is to be achieved. Also pay close attention to the related controls; you will find them under the supplemental guidance. This can be especially helpful when it comes to consistency across the control families, as well as any artifacts that need to be documented with each control.

Again, there are control enhancements. They're there to build additional but related functionality onto the basic control itself, to either increase or strengthen the base control. These are selected if greater protection is needed due to potential impact or loss. This is why the categorization level was so important.

Next you will see the parenthetical entries. They're numbered sequentially for each control; in this instance, we have parentheticals 1, 2, 3 and 4. Remember, all of them may not be required. It will depend on the categorization itself, whether you have indicated high, moderate or low.

The reference section is there to identify any applicable laws, executive orders, directives, policies, standards, guidelines, anything that is a forcing function for this particular control. It may also contain pertinent websites for you to get additional information as to the history or the importance of the control as it applies to your information system.

And then we have the assignments, or the variables. These are there to designate where organizations should establish specific values for certain parameters. Again, these are fully tailorable, and we're going to get into that a bit later.
But that is the key to understand here: the Risk Management Framework is not paint-by-number. It's not cookie cutter. It's supposed to be tailored to each specific information system and specific environment. When we look at how to tailor these controls, there are core things to keep in mind, remembering that no two information systems are in an identical environment, so obviously no two information systems should be protected identically.

There are going to be one-offs and uniqueness to each information system. Again, that is part of the beauty and the elegance of the Risk Management Framework. However, you have to let it work: select the initial security control baseline and then consider all aspects of risk against that information system to give you your tailored set of security controls.

Tailoring controls is a very basic process. It just takes cerebral thought; you have to think through it. The basic process itself is applicable to all national security systems as well as DoD agencies. The new version of the DoD Risk Management Framework covers three core steps: the select step, select the initial set of controls; the tailor step, tailor that initial set of controls; and then supplement those tailored controls, again making them unique to the system. The CNSS has additional supplemental parameters, such as specific review frequencies and specific control specifications.
Tailoring controls: what do you need to keep in mind? Well, the three primary areas should be the scoping guidance itself, compensating controls that need to be introduced, and then organization-defined parameters. Specifications also ensure that you are aligned with the operational activities as well as being aligned with the operating environment. There is a large difference between the protection profile of a system here in the continental United States and a system, for instance, in the middle of the Middle East. You should not try to protect them the same; however, the information may be identical, so that's where the compensating controls will come into play.

Specific scoping guidance areas include the common controls themselves, the security objective for the information system, the security component allocation, technology, the physical infrastructure, policy and regulation, operational and environmental issues, the scalability of the information system itself, and any public access requirements that need to be taken into account.

Working through each of the organization-defined parameters, just understand that they're there to provide the flexibility to determine certain portions of the control for specific organizational requirements. Again, it's making security meet the mission, not making the mission adjust to the security requirements. Again, this is not DIACAP
2.0. That brings us to overlays. The overlays are simply pre-tailored guidance for a specific community of interest. There's a classified overlay, there's a space systems overlay, there's a tactical overlay. Anyone can create an overlay as long as the community of interest is wide enough and the authorizing official accepts it. The overlays are there to address specialized requirements for that community of interest: mission and business functions that are unique to that group, any specialized technologies like space systems, and general environments of operation; again, a tactical environment would be a perfect example.

So with the overlays, and the supplement section, what you're looking to do here is to add or eliminate controls that are not applicable to that particular information system within that community of interest. It's there to adjust the applicability and interpretation of controls for specific information technologies, computing paradigms and environments of operation, like the desert, and to establish community-wide parameter values that can be consistent across the entire community.

So, like I said, anyone can create an overlay as long as it has the key components. These would be what you would need to include in your overlay for a unique community-of-interest system: the identification; the overlay characteristics themselves; the applicability, who's it for; the overlay summary, why have we created this overlay; the detailed overlay control specifications, where you lay out all specified controls; tailoring considerations, what a community of interest might need to consider when tailoring in or out additional controls for this particular overlay; any applicable definitions; and additional information or instructions.

That now brings us to supplementing controls. Sometimes the baseline controls are just not sufficient. You need to add or bolster controls to meet the system requirements in a particular environment or operating posture. But remember, supplementing controls are not the same as compensating controls. So why might you need to supplement controls? Maybe a specific threat or vulnerability. Perhaps a cross-domain service is required. There might be specific statutory or regulatory requirements for a system in one location versus another location. Highly sensitive information or applications. Layered security might be required. These are all really good reasons to consider supplemental controls: doing more than what the base control asked for to make it unique to that information system.

So a good example of supplementing controls would be advanced persistent threats. Not all information systems are necessarily susceptible to APTs, but some are. For those that are, you would need to add supplemental controls. For instance, to fully address the advanced persistent threat, concepts such as insider threat protection, diversity, deception, non-persistence and segregation may need to be considered for that particular information system. Again, tailoring to the system, not just using a checklist.

Now that we've defined supplemental controls, that brings us to compensating controls. These are controls that are selected in lieu of the original control because the original control cannot be met in its exact specification; you select a different control that meets the same security requirement, just in a different way. That control should be equivalent or comparable to the control that you're having to compensate for. When compensating controls, you would again refer to the NIST publication 800-53, where all the base controls are, and then select the control that meets your requirements and
document any supporting rationale as to why that control was selected and another one was not. For instance, let's take screen locks to prevent access to a specific workstation. The information system activity session lock should automatically lock after a specified period of time. However, let's say you have an information system that puts life and limb in danger if that screen locks, like an air traffic control system. What are the possible compensating controls that you could put in its place? How about 24-by-7 physical monitoring? If the system is never left unattended, why would the screen or session need to be locked? This meets the spirit of the original requirement, just not in the way that the original control intended.

Let's do one more: remote access monitoring. Simply stated, all remote access must be monitored using automated mechanisms. Now, the problem is that no automated capabilities are available due to cost or expanded mission considerations. What are the possible compensating controls that you could use in this instance? How about manual audits and manual audit logging? When automated mechanisms aren't in place, it doesn't mean we just don't do it. We just have to find another way. Get out a pen and paper and audit the system manually until an automated solution can be afforded or the mission considerations have expired. Here's another look at specifically how to tailor controls.
You see the core identifier, the control name, the 800-53 base variable, and then you would move to, for instance, CNSSI 1253 and see that instead of what the base indicates, perhaps you need to do it at least annually to meet the national security system requirements. Again, this is nothing more than tailoring the control to the requirements of the system and the mission.

So why do we tailor these controls? What is the advantage of tailoring controls? At its heart, it's simply to sufficiently mitigate the risk to the organization's operations and assets, individuals, other organizations, and the nation. Remember, tailoring controls should always be risk-based, not convenience-based.

Just like any other controls, whether you have tailored them or left the base intact, you need to consider that these are living, breathing systems. They move and they adjust; they're not static, most of them. So you will need to revisit the controls on a periodic basis. For instance, there could be a changing or emergent security requirement that has presented itself, and if that's the case, the base control may no longer be sufficient; you might have to move to a supplemental control. Or emergent threats, vulnerabilities or attack methods have presented themselves, and now the base is no longer sufficient, and supplemental or compensating controls would need to be selected.
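As an added illustration, not part of the course or this transcript, here is a small Python tailoring worksheet that parses 800-53 identifiers the way the control structure above describes them, records a compensating control only when a rationale is documented, keeps supplemented controls distinct from compensated ones, and emits the ordered listing the security plan needs. The sample entries are constructed from the session-lock and remote-access examples; AC-11, AC-17(1) and SI-14 are 800-53 identifiers that the transcript itself does not mention.

```python
import re
from dataclasses import dataclass, field
# Two-letter family, number within the family, optional "(n)" enhancement, e.g. "AU-5(1)".
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

def parse_control_id(cid):
    # Returns (family, number, enhancement); enhancement is 0 for the base control.
    m = CONTROL_ID.match(cid)
    if not m:
        raise ValueError(f"malformed control identifier: {cid}")
    fam, num, enh = m.groups()
    return fam, int(num), int(enh or 0)

@dataclass
class TailoredControl:
    cid: str
    status: str = "baseline"        # baseline | compensated | supplemented
    params: dict = field(default_factory=dict)  # organization-defined parameter values
    substitute: str = ""            # the compensating control, when status == "compensated"
    rationale: str = ""
    def __post_init__(self):
        parse_control_id(self.cid)  # reject a malformed identifier before it is recorded

class TailoringWorksheet:
    def __init__(self, baseline_ids):
        self.controls = {cid: TailoredControl(cid) for cid in baseline_ids}

    def compensate(self, cid, substitute, rationale):
        # A compensating control stands in for a base control that cannot be met as specified;
        # it is accepted only with the rationale that the security plan must document.
        if not rationale.strip():
            raise ValueError(f"{cid}: compensating control requires a rationale")
        c = self.controls[cid]
        c.status, c.substitute, c.rationale = "compensated", substitute, rationale

    def supplement(self, cid, rationale):
        # Supplementing adds a control beyond the baseline; nothing is replaced.
        self.controls[cid] = TailoredControl(cid, "supplemented", rationale=rationale)

    def documentation(self):
        # Security-plan listing, ordered like 800-53 by family, number, enhancement.
        ordered = sorted(self.controls.values(), key=lambda c: parse_control_id(c.cid))
        return [(c.cid, c.status, c.substitute, c.rationale, c.params) for c in ordered]

def worked_example():
    # Constructed from the transcript's examples; AC-11, AC-17(1), AU-5 and SI-14 are 800-53 identifiers.
    ws = TailoringWorksheet(["AU-5", "AC-17(1)", "AC-11"])
    ws.controls["AU-5"].params["review_frequency"] = "at least annually"
    ws.compensate("AC-11", "24x7 physical monitoring", "automatic session lock would endanger life and limb")
    ws.compensate("AC-17(1)", "manual audit logging", "no automated monitoring capability can be afforded yet")
    ws.supplement("SI-14", "APT exposure: non-persistence added beyond the baseline")
    return ws.documentation()
```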
That brings us to the core documentation. Once we have adjusted or tailored from the base security controls, we fully document the controls and their status. This is a primary function of the information system owner and the common control provider. Again, these are not the only individuals, just the owners or the primary roles for this activity.

Keep in mind that the controls cover the entire gamut: operational, technical and physical. So this is not a one-group activity. This literally cuts across all organizational requirements, from physical and environmental to operations security, IT and information security, and personnel security. Everyone has a role to play in this activity. This is not just an IT function. Specifically, for instance, when dealing with software, there are some specific things that need to be taken into account, such as the developer needing to provide the system architecture and software design as well as ensure the integrity of all integrated components. The stakeholder that the software has been developed for needs to make sure to conduct an initial certification analysis as well as a system test readiness review. In our next section, we will take a look at Step 4.