In this course we discussed the Select control step in the Risk Management Framework. The Select step is supported by FIPS 200, Minimum Security Requirements for Federal Information and Information Systems; NIST Special Publication 800-30, Risk Assessments; and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems. The Select step has six tasks, which we will be covering through this course: control selection, control tailoring, control allocation, documentation of planned control implementation, continuous monitoring strategy for the system, and plan review and approval. The purpose of this step is to select baseline controls and then tailor them to the organization's system security needs. The security control baseline is established by determining the specific controls required to protect the system, based on the security categorization of the system, which we completed using FIPS 199 and FIPS 200. The baseline is tailored and supplemented in accordance with an organizational assessment of risk and local parameters. The security control baseline, as well as a plan for monitoring it, is documented in the System Security Plan, the SSP. To select a control baseline, we use FIPS 199 for categorization. Once we have the impact level of low, moderate, or high, we can use FIPS 200 or Special Publication 800-53. The input documents are the FIPS 199 worksheet, the FIPS 200 baseline control suggestions, the System Security Plan template, the common control inputs, tailoring guidance, and the initial risk assessment. The output would be about three quarters of the System Security Plan. For the Select step the tasks and outcomes are: common control identification and selection, security control tailoring, security control allocation, documentation of planned security control selection, the System Security Plan monitoring strategy, and System Security Plan review and approval.
The information system owner is the primary role in this function. The common control provider and information owner, as well as the security control architect, all support this effort. The security controls are organized into 18 families. They are related by security functionality and designated by a two-character identifier. The programmatic controls are listed in a separate appendix. Families are organized into three classes: operational controls, which are the day-to-day mechanisms used to protect operational systems and environments; technical controls, which are the hardware and software controls used to provide automated protection of the IT system or application; and management controls, which are actions taken to manage the development, maintenance, and use of the system. I've placed the control families here on the screen so you can see them. They are in alphabetical order. The controls are listed in the catalog alphabetically by identifier in 800-53. A number is appended to the control identifier to individualize each control within the family. Each control in the catalog consists of several sections: the control, which is the description; supplemental guidance; enhancements; references; and assignments, which are any variables. The program management control family is added in 800-53, but it is not listed in FIPS 200, since programs are dependent on the organization and its functions. This screen shows you the control family by identifier and class. You'll see that the identifier, for example, is AC, the family is Access Control, and then the class would be Technical. The classes are identified for each one of the families as technical, operational, or management. This screen shows you an example of a control and an explanation of the control implementation. Over the next few screens, we'll break this listing down. This just happens to be the AU auditing control, Response to Audit Processing Failure.
At the top of each control you'll have the identifier and the name; in this case, I'm showing you AU-5, Response to Audit Processing Failure. Each control contains a concise statement of the specific security capabilities needed to protect a particular aspect of an organization's information system. It describes the security activities or actions to be performed, and you'll see that under the heading "Control" the statement begins "The information system", followed by the description. The next section down is the supplemental guidance. Additional information related to the specific security control is listed here. Organizations apply the supplemental guidance as appropriate. The control enhancements build additional but related functionality onto a basic control, and increase the strength of the basic control. They provide the greater protection needed due to the potential impact or loss. They are numbered sequentially within each control and designated by that number. If the first three control enhancements are selected, the control designation becomes AU-5(1)(2)(3). These enhancements are based on the impact levels from FIPS 199. So a low may have an enhancement of 1, a moderate may have enhancements 1 and 2, and a high impact may have enhancements 1, 2, and 3. The References section lists any applicable federal laws, executive orders, directives, policies, standards, guidelines, or any other documents that may be relevant to this control; it may also contain pertinent websites. Each of the controls specifies an assignment. The assignment is the area where the organization establishes specific values and certain parameters. These are the variables that the organization fills in, based on its policies, procedures, and guidelines for those specific controls. Each one of the controls has a prioritization code. This is a sequence of installation only. It does not relate to the level of mitigation achieved.
Priority code 1s should be installed before any priority code 2, and priority code 2 should be installed before priority code 3. If there is no priority code listed, it will be listed as sequencing "none", for those security controls that are not selected for the baselines themselves. In some cases there are common controls, which provide consistent and more cost-effective security across an organization. They accelerate implementation, reduce costs, and provide more consistent behavior. Common control providers are selected by the CIO and the CISO, and provide for the inheritance of controls. Inheritance is a situation where a system or application receives protection from security controls that are developed, implemented, assessed, authorized, monitored, and maintained by entities other than those responsible for the system or application itself. These entities can be internal or external to the organization where the system or application resides. In other words, they could be major applications or general support systems. On this screen, I've placed the table structure from NIST Special Publication 800-53. You'll see the control number, the control name, the priority, and the initial control baselines of low, moderate, or high, which are based off of your FIPS 199 system categorization. The higher the impact to the organization, the more controls need to be implemented, starting with the baselines using FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and 800-53. Low impact has approximately 115 possible controls. Moderate impact would give you about 159 possible controls. And if your system was categorized as a high-impact system, you would have a possibility of up to 170 controls. Keep in mind that these are just baselines. The intent here is for the organization to tailor these baselines to their specific organizational system needs.
Just because the baseline gives you, for example, under low, 115 possible controls, that does not mean that the organization has to implement all 115 controls. They only implement what makes sense for their organization. The minimum security baseline is our starting point, which is derived from our FIPS 199 categorization and FIPS 200 control selection. Then we tailor the controls, and that's accomplished through scoping, parameterization, and compensating control guidance. Supplementing through additional controls is next, using the enhancements in the 800-53 families of controls. Additional criteria for implementation of the controls would be the operating environment, organization-specific requirements, threat assessments, and your business impact assessment. We have primary and secondary categories for controls. Primary categories would be preventive, detective, and corrective. Secondary categories would be supplemental, compensating, and deterrent. The types of controls would be common, hybrid, or system-specific. Common controls are controls that are inherited by one or more organizational information systems, like an organizational firewall. A hybrid control is implemented in part as a common control and in part as a system-specific control, like a Microsoft Active Directory group policy. And then you have your system-specific controls, which are implemented entirely within the information system under review, like a host-based intrusion detection system. As I've stated previously, the classes of controls are technical, management, and operational. Your technical controls were four: AC, Access Control; AU, Audit and Accountability; IA, Identification and Authentication; and SC, System and Communications Protection. Your management controls were five: CA, Security Assessment and Authorization; PL, Planning; PM, Program Management; RA, Risk Assessment; and SA, System and Services Acquisition.
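As an added illustration, not part of the course or of any NIST publication, here is a small Python model of the procedure described above: FIPS 199 high-water-mark categorization, baseline selection by impact level, installation ordering by priority code (P1 before P2 before P3, "none" last), the AU-5(1)(2)(3) designation convention, and tailoring by scoping and parameter assignment into an SSP record. The mini-catalog uses real control identifiers, but its baseline allocations, enhancement numbers, parameter names and the function names are constructed for this example and are not SP 800-53's actual values.

```python
from dataclasses import dataclass, field

IMPACT = {"low": 0, "moderate": 1, "high": 2}

@dataclass
class Control:
    ident: str        # control identifier: two-letter family plus number, e.g. "AU-5"
    priority: int     # installation sequencing code P1..P3; 0 means no code ("none")
    baselines: dict   # impact level -> enhancement numbers; level absent = not in that baseline
    params: list = field(default_factory=list)  # assignment variables the organization fills in

# Constructed mini-catalog: real identifiers, but made-up allocations (not SP 800-53's).
CATALOG = [
    Control("AU-5", 1, {"low": [], "moderate": [1], "high": [1, 2]}, ["personnel_to_alert"]),
    Control("AC-2", 1, {"low": [], "moderate": [1, 2], "high": [1, 2, 3]}),
    Control("PE-3", 1, {"low": [], "moderate": [], "high": [1]}),
    Control("CP-4", 2, {"low": [], "moderate": [1], "high": [1, 2]}),
    Control("PM-1", 0, {"low": [], "moderate": [], "high": []}),  # program control, no sequencing
    Control("CA-8", 2, {"high": []}),                              # constructed: high baseline only
]

def fips199_level(confidentiality, integrity, availability):
    """FIPS 199 categorization: the high-water mark of the three impact ratings."""
    return max((confidentiality, integrity, availability), key=IMPACT.__getitem__)

def designation(ident, enhancements):
    """Selected enhancements are appended in parentheses: AU-5 with 1, 2, 3 -> AU-5(1)(2)(3)."""
    return ident + "".join(f"({n})" for n in sorted(enhancements))

def select_baseline(level, catalog=CATALOG):
    """Baseline controls for an impact level, in installation order: P1, P2, P3, then 'none'."""
    chosen = [c for c in catalog if level in c.baselines]
    chosen.sort(key=lambda c: (c.priority or 4, c.ident))
    return [(c.ident, list(c.baselines[level])) for c in chosen]

def tailor(baseline, scoped_out=None, assignments=None, catalog=CATALOG):
    """Tailor a baseline for the SSP: scope out controls (justification required), fill assignments."""
    scoped_out, assignments = scoped_out or {}, assignments or {}
    ssp = {"controls": [], "scoping": dict(scoped_out), "assignments": {}}
    by_id = {c.ident: c for c in catalog}
    for ident, enh in baseline:
        if ident in scoped_out:
            if not scoped_out[ident].strip():
                raise ValueError(f"{ident}: scoping out a control requires a justification")
            continue
        missing = [p for p in by_id[ident].params if p not in assignments.get(ident, {})]
        if missing:  # the SSP must state every organization-defined value
            raise ValueError(f"{ident}: unassigned parameters {missing}")
        ssp["controls"].append(designation(ident, enh))
        ssp["assignments"][ident] = dict(assignments.get(ident, {}))
    return ssp
```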
And your nine operational controls were: AT, Awareness and Training; CM, Configuration Management; CP, Contingency Planning; IR, Incident Response; MA, Maintenance; MP, Media Protection; PE, Physical and Environmental Protection; PS, Personnel Security; and SI, System and Information Integrity. A monitoring strategy is developed for the system during the initial part of the system development life cycle. It allows for a robust review and near-real-time awareness of the current security state of the system. This is especially important in highly dynamic environments. There are four parts to monitoring: configuration management, security impact analysis of any changes, continuous assessment of the system, and security status reporting. The objective is to identify which controls are to be monitored, how often (in other words, the frequency of monitoring), and the assessment approach to be used. The selection of controls to be monitored is determined by the information system owner or common control provider, focusing on controls that are volatile, critical, or in the plan of action and milestones. The duration is based on the determination of trustworthiness by the common control provider or the information system owner, and on the risk assessment, and it continues throughout the system's life cycle. The organizational risk assessment can be used to guide the selection of the specific security controls to be monitored, and the frequency of monitoring for those specific controls. The authorizing official or delegated representative approves the monitoring strategy, including the set of security controls that are to be monitored on an ongoing basis, as well as the frequency of that monitoring activity. An assessment case is a worked example of an assessment procedure that provides specific actions that an assessor might carry out during the assessment of a security control in an information system.
The assessment cases are intended to represent a starting point for expanding upon the NIST 800-53A assessment procedures. The assessment case supplements the information from NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, by adding two sections: potential assessment sequencing, to help facilitate more efficient and more cost-effective assessments by identifying other control assessments whose sequencing should be considered with regard to the assessment of the selected controls; and potential assessor evidence-gathering actions. The assessment case specifically provides guidance on precursor controls, which are controls that should be assessed prior to assessing the selected controls; concurrent controls, which are controls whose assessment involves applying the same method to the same object or objectives as the assessment of the selected controls; and successor controls, which are controls that should be assessed after assessing the selected controls. Once the System Security Plan is completed, a review is conducted by the information system owner and the information system security officer, with the possibility of the chief information security officer's office being involved. The completed System Security Plan is signed by the system owner and the ISSO, the Information Systems Security Officer. It is then presented to the authorizing official for approval. If the System Security Plan and all its artifacts are accepted by the authorizing official, it is signed. By doing so, the authorizing official approves the system security boundaries, approves the defined risks, and accepts any initial risks listed in the plan of action and milestones.
In summary, in this course we discussed the Select control step of the Risk Management Framework process, and the associated tasks of control selection, control tailoring, control allocation, documentation of planned control implementation, continuous monitoring strategy, and plan review and approval.