Archive for risk management

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, the changes […]

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site. [note – IPD means the document is in “draft” mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months […]

Awareness and Training

Need
- Awareness and training is a critical part of any information security program
- People are the weakest link in any security defense
Components – there is a security learning continuum:
- Awareness
- Basic training
- Functional training
- Specialized education
Designing a program
- Identify needs
  - Behavior (awareness)
  - Skills (training and education)
- Plan
  - Get buy-in
  - Priorities
  - Material – audience […]

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family: 800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES Control: The organization develops, disseminates, and periodically reviews/updates: (i) […]

Rules of Behavior

Any information security policy and Site Security Plan (SSP) should contain a section known as “Rules of Behavior” that establishes appropriate use and behavior of system users and the consequences of non-compliance. From 800-100, Appendix B, FAQs: Q – What are “Rules of Behavior”? A – The rules should state the consequences of inconsistent behavior […]

POAMs

Plan of Action and Milestones
A POAM is a plan that describes specific measures to be taken to correct deficiencies found during a security control assessment. The POAM should identify:
- The tasks needed to correct the deficiency
- The resources required to make the plan work
- Milestones in completing the tasks
- Scheduled completion dates for the […]

Incident Response

Federal agencies are required by law to report incidents to the US Computer Readiness Team (CERT) office in DHS and must have a formal incident response capability. INCIDENT RESPONSE METHODOLOGY Prepare – accumulate the knowledge, resources, tools, team members and training needed to handle incident response. Provide feedback into other processes (patch management…) that may help […]

Contingency Plan

Policy
- Identify statutory or regulatory requirements
- Create a policy statement
- Get the policy statement approved
- Publish the policy statement
Key elements of policy
- Roles and responsibilities
- Scope
- Resources required
- Training required
- Testing and exercises schedule
- Maintenance schedule
- Backup and storage schedule
Business Impact Assessment (BIA)
The BIA is a critical piece of the CP that […]

Supplementing Controls

After the baseline of security controls has gone through the tailoring process of scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simply add restrictions to already existing controls. There […]

Tailoring Controls

NIST SP 800-53 sets terms and conditions for tailoring the security control baseline to organizational and operational needs. There are three specific areas addressed as follows:
- Scoping Guidance
- Compensating Controls
- Organizationally Defined Parameters
Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed: Common Controls Common Controls […]