Archive for security controls


Security Control Matrix

This matrix is a map that correlates attackers' methodology with NIST 800-53 security controls: ATTACK METHODOLOGY / CONTROL

Recon

General/Google

RA-3 RISK ASSESSMENT - you can only reduce exposure and can never “stop” general reconnaissance, but you damn well better know what you’re defending before the attacker starts to find out

Network scanning

CM-7 LEAST FUNCTIONALITY - show the attacker the [...]

800-53 rev3 FPD

The new revision of NIST SP 800-53 (rev3) is now in FINAL Public Draft (FPD) and should be published in final form soon. When NIST moves a draft document from IPD status to FPD status, the changes are often few as the document is nearly ready for final publishing. In this case, however, [...]

800-53 rev3 IPD

A new version of 800-53 (revision 3) is in Initial Public Draft (IPD) and available for comments on the NIST web site.
[note - IPD means the document is in "draft" mode while NIST collects comments from the public and incorporates them into changes/corrections before releasing the document in a final form, usually many months later]
Draft-SP800-53 [...]

Policy and Procedure

Each of the seventeen families of security controls found in 800-53 contains a first control that requires the development of policy and procedures for that specific family of controls. Here is an example from the PL family:
800-53 security control PL-1 SECURITY PLANNING POLICY AND PROCEDURES
Control:
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, [...]

Contingency Plan

Policy

Identify statutory or regulatory requirements
Create a policy statement
Get the policy statement approved
Publish the policy statement
Key elements of policy

Roles and responsibilities
Scope
Resources required
Training required
Testing and exercises schedule
Maintenance schedule
Backup and storage schedule

Business Impact Assessment (BIA)
The BIA is a critical piece of the CP that establishes requirements for the strategy and procedures in the rest of the CP.

Identify critical [...]

Risk Analysis

Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination

Implementation and Assessment Phase

Integration of security controls, Certification & Accreditation and documentation updates.
[...]

Acquisition and Development Phase

Defining the security requirements, including risk assessment and security controls. Security planning involves documenting these requirements and preventative controls.
[...]