Archive for Security Control Implementation

You are browsing the archives of Security Control Implementation.

Tailoring Security Controls

The NIST Risk Management Framework (RMF) is a six step process as follows: Categorize both the information and the system based on impact. Select a baseline set of security controls. Implement the controls. Assess the effectiveness of the security controls. Authorize the system to operate. Monitor the ongoing state of protection the security controls are […]

Assurance is the Reason to Trust

We want to trust that the measures we take to protect our information systems are working. But we need concrete reasons to hold that trust. We need proof that our defensive controls are doing the job and are actually protecting the system. Those reasons and that proof are known as “Assurance”. Trust tends to be […]

Security Metrics

It is a mantra of quality improvement methodology that you can’t manage what you don’t measure. Security metrics are the measurements that allow management of information security. As function and requirements change from network and organization to others, so will the requirements and design of security metrics change. But there are some standard and central […]

Supplementing Controls

After the baseline of security controls have gone through the tailoring process of: scoping guidance, compensating controls and organizationally defined parameters, it is possible that additional controls or enhancements may be needed in order to mitigate the risk that has been assessed. It is also possible to simple add restrictions to already existing controls. There […]

Tailoring Controls

NIST SP 800-53 sets terms and conditions for tailoring the security control baseline to organizational and operational needs.   There are three specific areas addressed as follows: Scoping Guidance Compensating Controls Organizationally Defined Parameters Scoping Guidance offers considerations on how individual security controls are applied and implemented. The following areas are discussed: Common Controls Common Controls […]

Categorization and Baseline Selection

Categorization is the process of selecting an Impact Level according to FIPS 199, which is a public law and must be adhered to. FIPS 199 sets three impact levels of HIGH, MODERATE and LOW. They are selected according to a consideration of the potential impact level on an organization if a security event jeopardizes the […]