Time
2 hours 22 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This unit discusses the tasks associated with implementing security controls for an information system, as well as describing the information system for documentation. Upon completion of this unit, participants will be able to allocate the appropriate security controls for an information system and implement the security controls for an information system. In addition, participants will be able to describe an information system in a functional manner appropriate for documentation in a security plan. Implementation of a security control consists of the following two tasks:
Task 3-1: Security Control Implementation
Task 3-2: Security Control Documentation

Video Transcription

00:11
Welcome back to the DoD Risk Management Framework series. I'm Mike Redman, here to get you through everything you need to know to successfully implement the DoD Risk Management Framework. We've made it to Step 3, Implementation.
00:27
In this chapter we're going to walk you through how to allocate the appropriate security controls for your information system, implement the security controls for your information system, and describe the information system in a functional manner appropriate for documentation in the security plan.
00:45
If you're studying for the (ISC)² CAP examination, this section will help you discern between a compensating control and a supplemental control.
00:54
Plus, you'll want to study the concept and purpose of tailoring controls to your information system. Through this section there are two primary tasks: Security Control Implementation and Security Control Documentation.
01:08
The key stakeholders here are the information system owner and the common control provider. So
01:15
how do we work through implementation? It all starts with reviewing the control structure itself. Remember, all the controls are listed in the 800-53 in alphabetical order by identifier. That's the two-letter identifier at the beginning;
01:32
there is a number appended to the family identifier to indicate each control within the family. Each control is configured consistently.
01:41
You will have the control itself, which is the description, any supplemental guidance applicable to the control, control enhancements, references, and then assignments or variables to the control. Here you see an example of a control listing. You see the two-letter identifier, in this case AU-5,
02:00
Response to Audit Processing Failures.
02:04
You see I've highlighted here in red, first, the variable for the control, which would be an organization-defined value for this particular control. Also pay close attention under the supplemental guidance.
02:17
Here you will see any other related controls to the particular control we're working on.
02:23
Each control contains a concise statement of the specific security capability needed to protect the particular aspect of an organization or information system. It describes the security activities or actions to be performed. Again, you see here the identifier and the long name
02:43
and then the control section itself, which will give a detailed explanation of what is to be achieved. Also pay close attention to the related controls; you will find them under the supplemental guidance. This can be especially helpful when it comes to consistency across the control families
03:01
as well as any artifacts that need to be documented with each control. Again, there are control enhancements. They're there to build additional but related functionality to the basic control itself; they're there to either increase or strengthen the base control. These are selected if greater protection is needed
03:22
due to potential impact or loss. This is why the categorization level was so important.
03:27
Next you will see the parenthetical entries. They're numbered sequentially for each control. In this instance, we have parenthetical (1), (2), (3) and (4).
03:38
Remember, all of them may not be required. It will depend on the categorization itself, whether you have indicated a high, moderate or low.
03:49
The reference section is there to identify any applicable laws, executive orders, directives, policies, standards, guidelines, anything that is a forcing function for this particular control. It may also contain pertinent websites for you to get additional information
04:04
as to the history or the importance of the control as it applies to your information system.
04:11
And then we have the assignments or the variables. These are there to designate where organizations should establish specific values for certain parameters. Again, these are fully tailorable, and we're going to get into that a bit later.
04:27
But that is the key to understand here: the Risk Management Framework is not paint-by-numbers. It's not cookie cutter.
04:33
It's supposed to be tailored to each specific information system and specific environment. When we look at how to tailor these controls, there are core things to keep in mind, remembering no two information systems are in an identical environment, so obviously no two information systems
04:53
should be protected identically.
04:55
There are going to be one-offs and uniqueness to each information system. Again, that is part of the beauty and the elegance of the Risk Management Framework. However, you have to let it work: select the initial security control baseline and then
05:11
consider all aspects of risk against that information system
05:15
to give you your tailored set of security controls. Baseline tailoring of controls is a very basic process. It just takes cerebral thought; you have to think through it. The basic process itself is applicable to all national security systems as well as non-DoD agencies.
05:32
The new version of the DoD Risk Management Framework covers three core steps: the Select step, select the initial set of controls; the Tailor step,
05:44
tailor that initial set of controls; and then Supplement those tailored controls. Again, make it unique to the system.
05:54
The CNSS has additional supplemental parameters, such as specific review frequencies and specific control specifications. Tailoring controls: what do you need to keep in mind? Well,
06:05
the three primary areas should be the scoping guidance itself, compensating controls that need to be introduced, and then organization-defined parameters. Specifications also ensure that you are aligned with the operational activities
06:20
as well as being aligned with the operating environment. There is a large difference between the protection profile of a system
06:29
here in the continental United States and a system, for instance, in the middle of the Middle East. You should not try to protect them the same;
06:38
however, the information may be identical, so that's where the compensating controls will come into play. Specific scoping guidance areas include the common controls themselves,
06:49
the security objectives for the information system, the security component allocation, technology, the physical infrastructure, policy and regulation, operational and environmental issues, the scalability of the information system itself, and any public access requirements that need to be taken into account.
07:08
Working through each of the organization-defined parameters,
07:12
just understand that they're there to provide the flexibility to determine certain portions of the control for specific organizational requirements. Again, it's making security meet the mission, not making the mission adjust to the security requirements.
07:30
Again, this is not DIACAP
07:31
2.0. That brings us to overlays. The overlays are simply pre-tailored guidance for a specific community of interest. There's a classified overlay, there's a space systems overlay, there's an RDT&E overlay. Anyone can create an overlay as long as the community of interest is wide enough
07:51
and the authorizing official accepts it. The overlays are there to address specialized requirements for that community of interest,
08:01
mission and business functions that are unique to that group, any specialized technologies like space systems, and general environments of operation. Again, RDT&E would be a perfect example. So the overlays and the supplement section:
08:16
What you're looking to do here is to add or eliminate controls
08:20
that are not applicable to that particular information system within that community of interest. It's there to adjust the applicability of interpretations for specific information technologies, computing paradigms, environments of operation like the desert,
08:37
and establish a community-wide parameter value that can be consistent
08:43
across the entire community. So, like I said, anyone can create an overlay as long as it has the key components. These would be what you would need to include in your overlay for a unique community of interest system: the identification, the overlay characteristics itself,
09:01
the applicability, who's it for;
09:03
the overlay summary, why have we created this overlay; the detailed overlay control specifications, where you will lay out all specified controls; tailoring considerations, what a community of interest might need to consider when tailoring in or out additional controls
09:22
for this particular overlay;
09:24
any applicable definitions; and additional information or instructions. That now brings us to supplementing controls. Sometimes the baseline controls are just not sufficient. You need to add or bolster controls
09:37
to meet the system requirements in a particular environment or operating posture. But remember, supplementing controls are not the same as compensating controls. So why might you need to supplement controls? Maybe a specific threat or vulnerability. Perhaps a cross-domain service is required.
09:56
There might be specific statutory or regulatory requirements of a system in one location versus another location. Highly sensitive information or applications. Layering security might be required. These are all really good reasons to consider supplemental controls,
10:13
doing more than what the base control asked for to make it unique
10:18
to that information system. So a good example of supplementing controls would be advanced persistent threats. Not all information systems are necessarily susceptible to APTs, but some are. For those that are, you would need to
10:35
add or supplement additional controls.
10:39
For instance, to fully address the advanced persistent threat, concepts such as insider threat protection, diversity, deception, non-persistence and segregation may need to be considered for that particular information system. Again, tailoring
10:56
to the system, not just using a checklist. Now that we've defined supplemental controls,
11:03
that brings us to compensating controls. These are controls that are selected in lieu of, or because, the original control cannot be met in its exact specifications. You select a different control that meets the same security requirements, just in a different way.
11:20
That control should be equivalent or comparable to the control that you're having to compensate for
11:28
When compensating controls, you would again refer to the NIST publication 800-53, where all the base controls are, and then select the control that meets your requirements and
11:39
document any supporting rationale as to why that control was selected and another one was not. For instance, let's take screen locks
11:48
to prevent access to a specific workstation. The information system session lock should automatically lock after a specified period of time. However, let's say you have an information system that puts life and limb in danger
12:03
if that screen locks, like an air traffic control system. What are the possible compensating controls that you could put in its place?
12:11
How about 24 by 7 physical monitoring? If the system is never left unattended, why would, in fact, the screen or session need to be locked? This meets the spirit of the original requirement, just not in the way that the original control intended. Let's do one more:
12:30
remote access monitoring. Simply stated, all remote access must be monitored using automated mechanisms.
12:37
Now the problem is that no automated capabilities are available due to cost or expanded mission considerations. What are the possible compensating controls that you could use in this instance? How about manual audits and manual audit logging?
12:54
When automated mechanisms aren't in place, it doesn't mean we just don't
12:58
do it. We just have to find another way. Get out a pen and paper and audit the system manually until an automated solution can be afforded or the mission considerations have expired. Here's another look at specifically how to tailor controls.
13:16
You see the core identifier, the control name,
13:20
the 800-53 base variable, and then you would move to, for instance, CNSSI 1253 and see that instead of what the base indicates, perhaps you need to do at least annually to meet the national security system requirements.
13:37
Again, this is nothing more than tailoring controls to the requirements of the system and the mission. So why do we tailor these controls? What is the advantage of tailoring controls? At its heart, it's simply to sufficiently mitigate the risk to the organization's operations
13:54
and assets, individuals and other organizations as well as the nation.
14:00
Remember, tailoring controls should always be risk-based, not convenience-based.
14:07
Just like any other controls, whether you have tailored them or left the base intact, you need to consider that these are breathing systems. They move and they adjust; they're not static, most of them. So you will need to revisit the controls on a periodic basis.
14:24
For instance, there could be a changing or emergent
14:28
security requirement that has presented itself, and if that's the case, the base control may no longer be sufficient. You might have to move to a supplemental control. Or emergent threats or vulnerabilities or attack methods have presented themselves,
14:43
and now the base is no longer sufficient, and supplemental or compensating controls would need to be selected.
14:50
That brings us to the core documentation. Once we have adjusted or tailored from the base security controls, we fully document the controls and their status.
15:01
This is a primary function of the information system owner and the common control provider. Again, these are not the only individuals, just the owners or the primary roles for this activity.
15:16
Keeping in mind that the controls cover the entire gamut, both operational, technical and physical, so this is not a one-group activity. This literally cuts across all organizational requirements, from physical and environmental to
15:35
operations security, IT and information security,
15:39
personnel security. Everyone has a role to play in this activity. This is not just an IT function. Specifically, for instance, when dealing with software, there are some specific things that need to be taken into account,
15:56
such as: the developer needs to provide the system architecture and software design
16:02
as well as ensure the integrity of all integrated components. The stakeholder that that software has been developed for needs to make sure to conduct an initial certification analysis as well as conduct a system test readiness review. In our next section, we will take a look at Step 4,
16:21
Assess.


What is the Risk Management Framework?

This course introduces the Department of Defense (DoD) Risk Management Framework (RMF). This course prepares participants to take the CAP Exam which consists of 125 multiple choice questions and covers the following domains:

Instructed By

Michael Redman
Sr. ISSM at deciBel Research, Inc.
Instructor