Security Control Implementation

Overlays of Tailored Security Controls

Tailoring security controls involves adapting the generic baseline sets of security controls to better fit a specific operating environment. Here is a list of tailoring activities: Defining “Common Controls” that are centrally managed and can be used by several information systems; Applying “Scoping Considerations”; Using “Compensating Controls”; Defining “Organizational Parameters”; Adding “Supplementary Controls”; Using “Overlays” […]

Tailoring Security Controls

The NIST Risk Management Framework (RMF) is a six-step process, as follows: Categorize both the information and the system based on impact. Select a baseline set of security controls. Implement the controls. Assess the effectiveness of the security controls. Authorize the system to operate. Monitor the ongoing state of protection the security controls are […]

Assurance is the Reason to Trust

We want to trust that the measures we take to protect our information systems are working. But we need concrete reasons to hold that trust. We need proof that our defensive controls are doing the job and are actually protecting the system. Those reasons and that proof are known as “Assurance”. Trust tends to be […]

Security SLAs from Security Controls

Most industry-standard Service Level Agreements (SLAs) are determined by business performance requirements such as uptime/downtime, throughput, response time, time to recover and more. But some SLAs may need to be driven by security requirements, and these requirements are most often documented in the form of security controls. Security controls determine the processes and practices […]

Security Metrics

It is a mantra of quality improvement methodology that you can’t manage what you don’t measure. Security metrics are the measurements that allow management of information security. As functions and requirements vary from one network and organization to another, so will the requirements and design of security metrics. But there are some standard and central […]

Supplementing Controls

After the baseline of security controls has gone through the tailoring process of scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simply add restrictions to already existing controls. There […]

Tailoring Controls

NIST SP 800-53 sets terms and conditions for tailoring the security control baseline to organizational and operational needs. There are three specific areas addressed as follows: Scoping Guidance, Compensating Controls, Organizationally Defined Parameters. Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed: Common Controls Common Controls […]

Categorization and Baseline Selection

Categorization is the process of selecting an Impact Level according to FIPS 199, which is a public law and must be adhered to. FIPS 199 sets three impact levels of HIGH, MODERATE and LOW. They are selected according to a consideration of the potential impact level on an organization if a security event jeopardizes the […]