Security Control Families (PowerPoint presentation transcript)
Security Control Families
Management Class
| ID | Class | Family | # of controls |
|---|---|---|---|
| CA | Management | Security Assessment and Authorization | 6 |
| PL | Management | Planning | 5 |
| PM | Management | Program Management | 11 |
| RA | Management | Risk Assessment | 4 |
| SA | Management | System and Services Acquisition | 14 |
| | Management total | | 40 |
| AT | Operational | Awareness and Training | 5 |
| CM | Operational | Configuration Management | 9 |
| CP | Operational | Contingency Planning | 10 |
| IR | Operational | Incident Response | 8 |
| MA | Operational | Maintenance | 6 |
| MP | Operational | Media Protection | 6 |
| PE | Operational | Physical and Environmental Protection | 19 |
| PS | Operational | Personnel Security | 8 |
| SI | Operational | System and Information Integrity | 13 |
| | Operational total | | 84 |
| AC | Technical | Access Control | 19 |
| AU | Technical | Audit and Accountability | 14 |
| IA | Technical | Identification and Authentication | 8 |
| SC | Technical | System and Communications Protection | 34 |
| | Technical total | | 75 |
Security Controls Overview
XX-1 Policy and Procedures
NIST Doc Review Strategy:
Bulleted Summaries
Executive Summaries, Overviews, Introductions
Table Summaries
Graphic Summaries
XX-1 Policy & Procedures
References: SP 800-12 The Handbook; SP 800-100 Manager's Handbook
AC-1 Access Control
AT-1 Security Awareness and Training
AU-1 Audit and Accountability
CA-1 Security Assessment and Authorization
CM-1 Configuration Management
CP-1 Contingency Planning
IA-1 Identification and Authentication
IR-1 Incident Response
MA-1 System Maintenance
MP-1 Media Protection
PE-1 Physical and Environmental Protection
PL-1 Security Planning
PM-1 Information Security Program Plan
PS-1 Personnel Security
RA-1 Risk Assessment
SA-1 System and Services Acquisition
SC-1 System and Communications Protection
SI-1 System and Information Integrity
Security Assessment & Authorization
Core RMF Documents
References: 800-47 (SLA), 800-137 (CM)
CA-2 Security Assessments
CA-3 Information System Connections
CA-5 Plan of Action and Milestones
CA-6 Security Authorization
CA-7 Continuous Monitoring
Planning Family & Family Plans
PL-2 System Security Plan
PL-4 Rules of Behavior
PL-5 Privacy Impact Assessment
PL-6 Security-Related Activity Planning
References: 800-18 (RMF), 800-100 (PM), OMB M-03-22 (Privacy)
Family plans:
CA-5 Plan of Action and Milestones (800-37)
CP-2 Contingency Plan (800-34)
CM-9 Configuration Management Plan (800-128)
IR-8 Incident Response Plan (800-61)
PM-1 Information Security Program Plan
PM-8 Critical Infrastructure Plan
RMF 4.1 Security Assessment Plan (800-53a)
Program Management
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
References: 800-30, 800-37 (RMF), 800-39 (RMF), 800-100, 800-55 (Performance), 800-60, 800-65 (CPIC), FIPS 199, HSPD 7 (Critical Infrastructure), OMB 02-01 (SSP)
Program Management Overview
Information Security Program Plan (PM)
Critical Infrastructure Plan (HSPD 7)
Capital Planning and Investment Control (SP 800-65)
Measures of Performance (SP 800-55)
Enterprise Architecture and Mission/Business Process Definition
Information Security Program Plan
Defines Security Program Requirements
Documents Management and Common Controls
Defines Roles, Responsibilities, Management Commitment and Coordination
Approved by Senior Official (AO)
Appoint Senior Information Security Officer
Critical Infrastructure Plan
HSPD-7 Critical Infrastructure Identification, Prioritization, and Protection
Essential Services That Underpin American Society
Protection from Terrorist Attacks
– Prevent Catastrophic Health Effects or Mass Casualties
– Maintain Essential Federal Missions
– Maintain Order
– Ensure Orderly Functioning of Economy
– Maintain Public's Morale and Confidence in Economic and Political Institutions
Strategic Improvements in Security
Capital Planning & Investment Control
Investment Life Cycle
Integrating Information Security into the CPIC Process
Roles and Responsibilities
– Identify Baseline
– Identify Prioritization Criteria
– Conduct System- and Enterprise-Level Prioritization
– Develop Supporting Materials
– IRB and Portfolio Management
– Exhibits 53 and 300 and Program Management
Investment Life Cycle
Integrating Information Security into the CPIC Process
Knowledge Check
If the interconnecting systems have the same authorizing official, an Interconnection Security Agreement is not required. True or False?
Which NIST SP provides a seven-step process for integrating information security into the capital planning process?
This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.
The corrective action and cost information contained in which document serve as inputs to the Exhibit 300s and are then rolled into the Exhibit 53?
Measures of Performance
Metric Types
Metrics Development and Implementation Approach
Metrics Development Process
Metrics Program Implementation
– Prepare for Data Collection
– Collect Data and Analyze Results
– Identify Corrective Actions
– Develop Business Case and Obtain Resources
– Apply Corrective Actions
Metric Types
“Am I implementing the tasks for which I am responsible?”
“How efficiently or effectively am I accomplishing those tasks?”
“What impact are those tasks having on the mission?”
Metrics Development Process
Metrics Program Implementation
Federal Enterprise Architecture
Performance
Data
Business
Service
Technical
Information Type (SP 800-60)
Core Principles of the FEA
Business-driven
Proactive and collaborative across the Federal government
Architecture improves the effectiveness and efficiency of government information resources
Defining Mission/Business Processes
Defines mission/business processes with consideration for information security and the resulting risk to the organization;
Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
Risk Assessment
RA-2 Security Categorization
RA-3 Risk Assessment
RA-5 Vulnerability Scanning
References: 800-30r1 (draft), 800-37, 800-40 (Patch Management), 800-70 (Checklists), 800-115 (Assessments)
Patch and Vulnerability Management Program
Create a System Inventory
Monitor for Vulnerabilities, Remediations, and Threats
Prioritize Vulnerability Remediation
Create an Organization-Specific Remediation Database
Conduct Generic Testing of Remediations
Deploy Vulnerability Remediations
Distribute Vulnerability and Remediation Information to Local Administrators
Perform Automated Deployment of Patches
Configure Automatic Update of Applications Whenever Possible and Appropriate
Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning
Vulnerability Remediation Training
National Checklists Program
In which NIST special publication might you find guidance for the performance measurement of information systems?
Which FEA reference model was used to create the guide for mapping information types to security categories, in support of the first step of the Risk Management Framework?
What is the name of the security control, represented by control ID RA-3, that must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework?
Where can information about vulnerabilities be found?
System & Services Acquisition
SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-5 Information System Documentation
SA-6 Software Usage Restrictions
SA-7 User-Installed Software
SA-8 Security Engineering Principles
SA-9 External Information System Services
SA-10 Developer Configuration Management
SA-11 Developer Security Testing
SA-12 Supply Chain Protection
SA-13 Trustworthiness
References:
800-23 – Acquisition Assurance
800-35 – Security Services
800-36 – Security Products
800-53a
800-64 – SDLC
800-65 – CPIC
800-70 – Checklists
Security Services Life Cycle
General Considerations for Security Services
Strategic/Mission
Budgetary/Funding
Technical/Architectural
Organizational
Personnel
Policy/Process
Security Product Testing
Identification and Authentication
Access Control
Intrusion Detection
Firewall
Public Key Infrastructure
Malicious Code Protection
Vulnerability Scanners
Forensics
Media Sanitizing
Common Criteria Evaluation and Validation Scheme
NIST Cryptographic Module Validation Program
Considerations for Selecting Information Security Products
Organizational
Product
Vendor
Security Checklists for IT Products
Organizational Conflict of Interest
Management Security Controls Key Concepts & Vocabulary
XX-1 Policy & Procedures
CA – Security Assessment and Authorization
PL – Planning Family & Family Plans
– Information Security Program Plan (PM)
– Critical Infrastructure Plan (HSPD 7)
PM – Program Management
– Capital Planning and Investment Control (SP 800-65)
– Measures of Performance (SP 800-55)
– Enterprise Architecture (FEA BRM)
RA – Risk Assessment
– Security Categorization
– Risk & Vulnerability Assessments
SA – System and Services Acquisition