From the course: Cybersecurity Foundations
Cybersecurity control framework
- [Instructor] While controls can be applied by an enterprise as a customized response to business risks, in many cases, an external authority will direct that a predefined set of controls be adopted as a baseline for security. An example of government policy is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which federal organizations are required to adopt. An authority may be an industry body, such as the Payment Card Industry Council, which requires that merchants adhere to the Payment Card Industry Data Security Standard. NIST's SP 800-53 is one of two important control frameworks used in cybersecurity, the other being ISO 27002. They're both structured as a set of control categories, within each of which exist a number of specific controls. While the categories and the controls are different for each standard, they can be mapped against each other. These two control frameworks are widely referenced by other security schemes, in particular the NIST Cybersecurity Framework. The controls in ISO 27002 are described in a three-tier hierarchy of security category, security control objective, and control. Let's have a look at an example. Here, we can see access control is the main category, operating system access control is the control objective, and user identification and authentication is the control. The NIST SP 800-53 controls are described in a two-tier hierarchy. In this example, identity and authentication is the control family and identity and authentication, organizational users, is the control. The description is very similar to the description of the ISO 11.5.2 control. An important first stage in implementing a control framework is to create what's known as a Statement of Applicability. The Statement of Applicability is the main link between the risk assessment and the selection of controls, and its purpose is to provide evidence that all controls have been considered.
The controls that aren't applicable won't be implemented, and the rationale for omitting them is recorded in the Statement of Applicability. Developing a clear Statement of Applicability is a good way to reduce the effort required to meet and maintain a compliant and effective security posture. There are a number of specific considerations around controls. Common controls can be inherited by one or more systems, reducing both deployment and ongoing operational effort and cost. Where specific controls are called for but are either not yet present or can't be implemented, then compensating controls will be required, such as sample checks of manual authorizations in the absence of an electronic authorization process. Once a control has been implemented, it needs regular testing, and this should be a routine part of any compliance program. Control testing involves two stages: testing design effectiveness, and testing operational effectiveness. Design effectiveness is checked by verifying that the control, as implemented, meets the original design requirements. For example, carrying out a design test of control ISO 11.5.2, user identification and authentication, would involve verifying configuration files to confirm that access to the system requires entry of a user identifier and that a password or some other form of authentication is required prior to allowing access into the system. Operational effectiveness involves testing the system and making sure that the control is continuing to be effective against attack. For example, a penetration tester might attempt an SQL injection on the user identifier field in a log-on form to see whether access can be gained without entering valid credentials.
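The two-stage control test described above, written out as an added example that is not part of the course material: the design-effectiveness stage parses a configuration file and checks that it requires a user identifier and some form of authentication, and the operational-effectiveness stage runs a fixed set of log-on probes, including the injection-style identifier the instructor mentions, against a log-on function. The choice of an OpenSSH-style `sshd_config` as the configuration under test, the rule that every relevant keyword must be set explicitly, the constructed sample config, the in-memory SQLite user table and the `login_vulnerable` / `login_hardened` functions are all assumptions of this example, not anything the transcript specifies.

```python
"""Two-stage control test for a user identification and authentication control:
stage 1 checks design effectiveness from a configuration file, stage 2 checks
operational effectiveness by exercising a log-on function. All inputs below are
constructed samples, not taken from any real system."""
import hashlib
import re
import sqlite3

# --- Stage 1: design effectiveness -----------------------------------------
# Constructed sshd_config fragment (the keyword names are real OpenSSH options).
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host
Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its value; comment and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)  # sshd accepts 'Key value' and 'Key=value'
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def design_test(config_text):
    """Return (passed, findings). Policy assumed by this check: the relevant keywords
    must be set explicitly, so the verdict never depends on compiled-in daemon defaults."""
    s = parse_sshd_config(config_text)
    findings = []
    if s.get("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords must be explicitly 'no'")
    methods = ("passwordauthentication", "pubkeyauthentication", "kbdinteractiveauthentication")
    if not any(s.get(m) == "yes" for m in methods):
        findings.append("no authentication method is explicitly enabled")
    return (not findings, findings)


# --- Stage 2: operational effectiveness ------------------------------------
def _hash(password, salt=b"constructed-salt"):
    """Derive a password verifier (PBKDF2-SHA256; the salt is a constructed constant)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_user_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    return db


def login_vulnerable(db, username, password):
    """The 'before' form: the identifier is spliced into the SQL text, so the
    control can be defeated without valid credentials."""
    q = f"SELECT 1 FROM users WHERE username = '{username}' AND pw_hash = '{_hash(password)}'"
    return db.execute(q).fetchone() is not None


def login_hardened(db, username, password):
    """The corrected form: parameters are bound, so input is always data, never SQL."""
    q = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(q, (username, _hash(password))).fetchone() is not None


# Constructed probes: (username, password, access expected by the control's design).
OPERATIONAL_PROBES = [
    ("alice", "correct horse", True),
    ("alice", "wrong", False),
    ("bob", "correct horse", False),
    ("' OR '1'='1' --", "anything", False),  # injection-style identifier must not grant access
]


def operational_test(login):
    """Return (passed, failures): the control holds only if every probe matches expectation."""
    db = make_user_db()
    failures = [(u, p) for u, p, expected in OPERATIONAL_PROBES if login(db, u, p) != expected]
    return (not failures, failures)


if __name__ == "__main__":
    print("design effectiveness:", design_test(SAMPLE_SSHD_CONFIG))
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"operational effectiveness ({name}):", operational_test(fn))
```

Running the block prints a passing design test for the sample configuration, a failing operational test for `login_vulnerable` (the injection-style identifier is granted access, which is exactly the finding a tester would record), and a passing one for `login_hardened`. In a compliance program both stages would be re-run on a schedule, with the results filed against the control's entry in the Statement of Applicability.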