From the course: NIST 800-53r5: Introduction to Security and Privacy Controls
Control selection
- Okay, so let's start on lesson 2.4, where we're going to talk about control selection: how you pick from the baseline and what that actually means. In this lesson you'll learn about control baselines and, like I said, their priority levels. We talked about those a little bit, but we'll talk about them a little more just to make sure you understand what they mean. You'll also interpret the need for tailoring and distinguish some of the control changes. Here you'll notice the similarities from when I showed the actual control. In appendix D, they created a matrix that shows all the requirements. So instead of having to go through each one of those controls individually, you can look at this baseline and say, okay, whichever my system is, these are the controls I need to implement, instead of having to go through them again individually on each one; it just kind of breaks it out into little pieces here. Again, you have the control number, which is the family, dash, the actual number, and then the control name, which is a description of each one of the controls. This is a good way of looking at the matrix. In the middle there is the priority. I mentioned that in the previous one: there's a P1, P2, P3. The only time you really need to look at this priority is when you're going to implement a control and, say, you have who knows how many controls to implement, but you're not sure how to do it or where you should allocate your resources. This provides the priority to say one goes first, two goes second, like that, so you can, again, allocate your time. And then, as you saw in the actual control, this is the baseline. So you can say, my system is high, I'm going to look at the third column and just go straight down. And when I go to write my security plan, here are all the controls I need to address, as well as the enhancements.
Kind of going back to this, if you look at AC-2 there, you can see again what I said about security categorization reinforced. You can see from AC-2 low, there were no enhancements you had to do, and at a high, you have to do one, two, three, four, five, 11, 12. There's a lot more you have to do in a lot of them; as you get to the high system, they start talking about automation and those more specific, technologically heavy controls. So again, don't overdo your categorization if you don't need to. We talked about tailoring a couple of times, but really, this is NIST's fundamental; this is the most important part, they say, or what they want to reinforce. And you can see that from this quote here. They said the tailoring process is part of a comprehensive organizational risk management process: framing, assessing, responding to, and monitoring information security risk. What does that mean? What they're really saying is, the first step you should do after you've selected the baseline, or sorry, before your baseline, is really go through all the organization-defined variables and explain or decide across your organization what these mean or how these should be defined. And then you can actually do this separately. You can define the variables separately for each security categorization, so a low may have one variable defined one way versus a high, which may have it defined a different way. They really want you to apply scoping considerations, look at the risk, and decide; you know, you take the baseline of what NIST suggested, and then even look through some of the controls that were not part of the baseline, or even the enhancements that were not part of the baseline, and look at them and say, do these make sense for my organization or for my business needs? Should I add additional controls above and beyond what NIST suggests? Or are there controls in the baseline that don't really make sense?
Should I work through those beforehand so that when new systems come online, you say, here's the baseline specific to your organization, here's what you want to do or here's what you want to implement, here's how you want to document the controls to protect your system? So for control changes, this is what we really talked about. You can add compensating controls, which just means there may be some risk to my system, but I have these other controls in place that compensate for the risk or reduce some of the risk to it. You may want to add more controls to supplement it. You may want to add controls for technological reasons or for technology; maybe the organization requires it. There may be some specific policy or legal requirements. So if you're processing credit cards, there might be some PCI requirements that are not met specifically by the baseline. Or if you're in healthcare, there are additional HIPAA requirements on top of that. And then something else we'll talk about later is these specific technical and management benchmarks that are out there. For the DoD, they use a STIG, which is the Security Technical Implementation Guide. On the federal side, you may use that or you may use a different benchmark, say, like the Center for Internet Security, which is CIS. These benchmarks go through and say, here's how you should implement security controls to adequately protect. They come from the perspective of, like I said, a benchmark, but then they map them back to the NIST requirements, which helps you then identify between the two.