All right, let's go ahead and wrap things up. So NIST Special Publication 800-171 documents how we protect and control controlled unclassified information.
So ultimately, this document presented to us 14 families, if you will, of protection mechanisms.
So we started out with access control, which ultimately talked about how a subject can manipulate an object and how we're going to limit access. Awareness and training: make sure your people know the rules, make sure they know what to expect, make sure that they know what to do should they see a security incident and how to report it, as well as how to steer clear of making those mistakes.
Audit and accountability: we've got to monitor. I need a trail, and I need to be able to match actions back to subjects.
Configuration management, which we talked about earlier, is making sure that we document and control any changes to the standard baseline configuration of our systems.
Identification and authentication: we then looked at these, and we talked about how identification is making a claim and authentication is proving it. So we limit authorization based on authentication.
Incident response: how we respond to a change in state that has a negative impact on the system. It could be intentional or unintentional, but responding to incidents means having a program in place and a trained team as well.
All right, maintenance: certainly making sure that we limit and control who can maintain a system, and that maintenance happens as scheduled and as needed.
Media protection: as we move devices from one system to another, making sure these portable devices are labeled, and making sure that they're protected in the means dictated by the highest sensitivity of information on that media, since that would drive its protection. Also making sure that media is sanitized before we use it.
Personnel security: watch who we hire and how we fire, right? Background checks and screening, and then termination procedures that allow this to happen as amicably as possible while still protecting the security of the organization.
Physical protection. You know what? Lock your doors, get a security guard, watch for piggybacking, put an eight-foot fence around your facility. Now again, these are just some common principles, but the bottom line is don't overlook physical security. It could include fire safety, having plans in place for a variety of contingencies.
Risk assessment. Everything comes down to risk assessment. Look at the assets and what they're worth. Look at threats and vulnerabilities, then figure out probability and impact. Look at the potential for loss versus the cost of the countermeasure and make a good business decision, keeping in mind, though, that you've got to look at things that are less tangible in nature, like a company's reputation, its credit rating, bad press. All of those elements can have a huge impact on the organization.
All right, security assessment. We've got to test the system before certification or authorization, or really before moving forward with anything. That's kind of for the government environment, but in any environment we have to test the security of the system through vulnerability assessments and pen tests.
System and communications protection: protect data while it's in transit, but also protect data while it's at rest. And then, last but not least, system and information integrity: make sure that security is designed into the architecture of a system, that it's not designed with inherent flaws, that we have means of detecting these flaws, and that we have means of detecting any type of modification. So that sums up NIST 800-171. I hope this has been helpful for you, and I would invite you to continue on in our series related to NIST standards, and I hope you find them to be equally helpful.