Archive for security controls


Holistic Information System Security

Too often, we think about and plan our information security in terms of protecting pieces of the system. We use firewalls and Anti-Virus (AV) software and intrusion detection and integrity checking and many more techniques to provide needed protections to various pieces. But we may not be paying enough attention to the gaps between the […]

APT versus OODA Security Controls

Advanced Persistent Threat (APT) is a kind of attack that comes from a team with advanced skills, deep resources, and specific targets. They use advanced tools and techniques that are capable of circumventing defenses. They use stealth and demonstrate good situational awareness in evaluating the state of the defenders they face. They respond quickly and with […]

Overlays of Tailored Security Controls

Tailoring security controls involves adapting the generic baseline sets of security controls to better fit a specific operating environment. Here is a list of tailoring activities:

- Defining “Common Controls” that are centrally managed and can be used by several information systems.
- Applying “Scoping Considerations”
- Using “Compensating Controls”
- Defining “Organizational Parameters”
- Adding “Supplementary Controls”
- Using “Overlays” […]
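As an added example (not part of the original post), here is a small Python model of those tailoring activities applied in order to a constructed baseline. The control identifiers are real 800-53 controls, but the baseline contents, the parameter names, the overlay, and the compensating-control identifier "PE-3-alt" are constructed for illustration and are not taken from any NIST baseline:

```python
"""Tailoring an 800-53-style baseline with overlays (added example).

Control identifiers are real 800-53 controls; the baseline membership, parameter
names, overlay contents and the id "PE-3-alt" are constructed for illustration.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Control:
    cid: str                                  # control identifier, e.g. "AC-2"
    params: Dict[str, Optional[str]] = field(default_factory=dict)  # organization-defined parameters
    common: bool = False                      # centrally managed and inherited by the system
    compensating_for: Optional[str] = None    # set when this control stands in for another
    note: str = ""

@dataclass
class Overlay:
    """A named bundle of tailoring decisions, applied to a baseline by tailor()."""
    name: str
    common: Set[str] = field(default_factory=set)                        # designate common controls
    scoped_out: Dict[str, str] = field(default_factory=dict)             # cid -> scoping rationale
    compensating: Dict[str, Control] = field(default_factory=dict)       # scoped-out cid -> replacement
    parameters: Dict[str, Dict[str, str]] = field(default_factory=dict)  # cid -> {param: value}
    supplementary: List[Control] = field(default_factory=list)           # controls added on top

def moderate_baseline() -> Dict[str, Control]:
    """Constructed stand-in for a MODERATE baseline: a handful of controls only."""
    ctrls = [
        Control("AC-2", {"account_review_frequency": None}),
        Control("AC-17"),
        Control("IA-5", {"min_password_length": None, "max_password_lifetime_days": None}),
        Control("CP-9", {"backup_frequency": None}),
        Control("SC-7"),
        Control("PE-3"),
    ]
    return {c.cid: c for c in ctrls}

def tailor(baseline: Dict[str, Control], overlay: Overlay) -> Dict[str, Control]:
    """Apply one overlay. Removals need a rationale and compensating controls must
    replace something actually scoped out: otherwise tailoring is just weakening."""
    tailored = deepcopy(baseline)
    for cid in overlay.common:                              # common controls
        if cid not in tailored:
            raise KeyError(f"{cid} is not in the baseline")
        tailored[cid].common = True
    for cid, rationale in overlay.scoped_out.items():       # scoping considerations
        if cid not in tailored:
            raise KeyError(f"{cid} is not in the baseline")
        if not rationale.strip():
            raise ValueError(f"scoping out {cid} requires a documented rationale")
        del tailored[cid]
    for cid, comp in overlay.compensating.items():          # compensating controls
        if cid not in overlay.scoped_out:
            raise ValueError(f"{comp.cid} cannot compensate for {cid}: it was not scoped out")
        replacement = deepcopy(comp)
        replacement.compensating_for = cid
        tailored[replacement.cid] = replacement
    for cid, values in overlay.parameters.items():          # organizational parameters
        for name, value in values.items():
            if name not in tailored[cid].params:
                raise KeyError(f"{cid} has no parameter named {name}")
            tailored[cid].params[name] = value
    for extra in overlay.supplementary:                     # supplementary controls
        if extra.cid in tailored:
            raise ValueError(f"{extra.cid} is already in the control set")
        tailored[extra.cid] = deepcopy(extra)
    return tailored

def apply_overlays(baseline: Dict[str, Control], overlays: List[Overlay]) -> Dict[str, Control]:
    """Overlays stack: each one is applied to the result of the previous."""
    for ov in overlays:
        baseline = tailor(baseline, ov)
    return baseline

def unset_parameters(controls: Dict[str, Control]) -> List[str]:
    """Organization-defined parameters still blank; such a control cannot be assessed."""
    return sorted(f"{cid}:{name}" for cid, c in controls.items()
                  for name, value in c.params.items() if value is None)

# Constructed overlay for a system hosted entirely at an external provider.
CLOUD_HOSTED = Overlay(
    name="cloud-hosted",
    common={"SC-7"},
    scoped_out={"PE-3": "no agency-controlled facility; physical access belongs to the provider"},
    compensating={"PE-3": Control("PE-3-alt", note="provider physical security, assessed under its own authorization")},
    parameters={"IA-5": {"min_password_length": "14", "max_password_lifetime_days": "60"},
                "CP-9": {"backup_frequency": "daily"}},
    supplementary=[Control("AC-2(4)", note="automated audit of account actions")],
)

if __name__ == "__main__":
    result = apply_overlays(moderate_baseline(), [CLOUD_HOSTED])
    for cid in sorted(result):
        c = result[cid]
        print(cid, "(common)" if c.common else "", f"compensates {c.compensating_for}" if c.compensating_for else "", c.params)
    print("still unset:", unset_parameters(result))
```

Scoping out a control without a rationale, or naming a compensating control for something that was never scoped out, raises an error; those two paths are where tailoring quietly turns into weakening in practice. After tailoring, unset_parameters() lists the organization-defined parameters still blank, and a control with a blank parameter cannot be assessed, so that list should be empty before the select step is declared finished.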

FISMA Law vs Home Email Server

Working for a federal agency that has IT functions regulated by public law and running an email server from home to use for agency business seems problematic, but it may be possible. Here are some of the laws and regulations that come into play: FISMA – PUBLIC LAW 107–347, DEC. 17 2002 is known as […]

Tailoring Security Controls

The NIST Risk Management Framework (RMF) is a six step process as follows:

1. Categorize both the information and the system based on impact.
2. Select a baseline set of security controls.
3. Implement the controls.
4. Assess the effectiveness of the security controls.
5. Authorize the system to operate.
6. Monitor the ongoing state of protection the security controls are […]

New Insider Threat Controls in 800-53 rev4

The NIST revision to 800-53 controls that is known as rev4 added new controls related to insider threats. PM-12 (0) INSIDER THREAT PROGRAM – this is the master control requiring an insider threat program, including a team that is focused on insider threat incident handling. The team needs to have cross-discipline representation that allows them […]

800-53 rev4 Changes

NIST periodically revises its catalog of security controls, NIST SP 800-53, formerly titled “Recommended Security Controls for Federal Information Systems” and retitled “Security and Privacy Controls for Federal Information Systems and Organizations” in Rev 4. Rev 4 is the most recent version. Here are some of the changes:

BASELINES
- A few existing controls have been re-assigned to new IMPACT level baselines
- Many new controls have been added – some are not assigned […]

Continuous Monitoring Misunderstood

Network security monitoring includes intrusion detection, audit log correlation and analysis, and other methods of detecting failures of our network protections. Continuous monitoring is not the same thing. Continuous monitoring is the process of checking our security controls on an ongoing basis to make sure they are still in place and working as intended. Here is an article that explains some of the background: Continuous […]
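As an added example (not from the original post), here is the kind of check a continuous monitoring job runs: it does not look for attackers at all, it reads configuration state and compares it with the organization-defined parameters the tailored controls set, then reports per control whether the control is verified in place. The sshd_config and login.defs snippets and the parameter values (14 characters, 60 days, 4 attempts) are constructed; mapping these settings to AC-17, AC-7 and IA-5 is my own choice of evidence, not a NIST-prescribed check:

```python
"""Control-state checks of the kind a continuous monitoring job runs (added example).

The config snippets and parameter values are constructed; the choice of which
setting evidences which 800-53 control is the author's, not NIST's.
"""
from typing import Callable, Dict, List, NamedTuple

class Finding(NamedTuple):
    control: str     # 800-53 control this check gives evidence for
    check: str
    status: str      # "pass", "fail" or "unknown"
    observed: str

def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'KEY value' files such as sshd_config or login.defs.
    Comment lines are skipped, keys are lower-cased, the last occurrence wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def _int_check(control: str, check: str, settings: Dict[str, str], key: str,
               ok: Callable[[int], bool], want: str) -> Finding:
    value = settings.get(key)
    if value is None or not value.isdigit():
        # Absence of evidence is reported as unknown, never scored as a pass.
        return Finding(control, check, "unknown", f"{key} not set")
    return Finding(control, check, "pass" if ok(int(value)) else "fail", f"{key}={value}, want {want}")

def run_checks(sshd_config: str, login_defs: str, params: Dict[str, int]) -> List[Finding]:
    """Compare observed host configuration with the tailored controls' parameters."""
    sshd, defs = parse_kv(sshd_config), parse_kv(login_defs)
    root = sshd.get("permitrootlogin")
    root_status = "unknown" if root is None else ("pass" if root.lower() == "no" else "fail")
    attempts = params["max_logon_attempts"]
    minlen = params["min_password_length"]
    maxdays = params["max_password_lifetime_days"]
    return [
        Finding("AC-17", "sshd PermitRootLogin", root_status, f"PermitRootLogin={root}"),
        _int_check("AC-7", "sshd MaxAuthTries", sshd, "maxauthtries", lambda v: v <= attempts, f"<= {attempts}"),
        _int_check("IA-5", "login.defs PASS_MIN_LEN", defs, "pass_min_len", lambda v: v >= minlen, f">= {minlen}"),
        _int_check("IA-5", "login.defs PASS_MAX_DAYS", defs, "pass_max_days", lambda v: v <= maxdays, f"<= {maxdays}"),
    ]

def control_status(findings: List[Finding]) -> Dict[str, str]:
    """Roll checks up per control: any fail or unknown means the control is not verified."""
    rank = {"pass": 0, "unknown": 1, "fail": 2}
    worst: Dict[str, str] = {}
    for f in findings:
        if f.control not in worst or rank[f.status] > rank[worst[f.control]]:
            worst[f.control] = f.status
    return worst

# Organization-defined parameter values (constructed, from the tailored IA-5 / AC-7).
PARAMS = {"min_password_length": 14, "max_password_lifetime_days": 60, "max_logon_attempts": 4}

# Constructed samples standing in for /etc/ssh/sshd_config and /etc/login.defs.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin yes
MaxAuthTries 6
"""
SAMPLE_LOGIN_DEFS = """\
# constructed sample; PASS_MIN_LEN is deliberately absent
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""

if __name__ == "__main__":
    findings = run_checks(SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS, PARAMS)
    for f in findings:
        print(f"{f.control:6} {f.status:8} {f.check}: {f.observed}")
    print(control_status(findings))
```

On the constructed input every control comes back unverified: PermitRootLogin is yes, MaxAuthTries is above the defined limit, and PASS_MIN_LEN is simply absent, which is reported as unknown rather than pass, because a missing setting is not evidence of a working control. What makes this continuous is running it on a schedule (at the frequency the organization defines under CA-7) and tracking the per-control status over time; the one-shot check is the part that decides whether a control is still doing its job, which is a different question from whether anyone is attacking the network.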

A HIGH Impact Baseline for Clouds

FedRAMP (Federal Risk and Authorization Management Program) offers baselines of 800-53 security controls that have been tailored for cloud environments. But they do not offer a HIGH impact baseline. Presumably, HIGH impact systems will use private clouds that exist inside the authorization boundary of the federal agency that implements them. FedRAMP requirements do not apply […]

Security SLAs from Security Controls

Most industry standard Service Level Agreements (SLAs) are determined by business performance requirements such as: uptime/downtime, throughput, response time, time to recover and more. But some SLAs may need to be driven by security requirements and these requirements are most often documented in the form of security controls. Security controls determine the processes and practices […]