Assessing Security and Privacy
Controls in Information Systems and
Organizations
(Using NIST SP 800-53 Revision 5)
Greg Witte, CISM, CISSP-ISSEP
• Introduction to NIST
• NIST’s role in Describing Security & Privacy Controls
• Risk Management Framework (RMF) Publications
• Other Associated Documents and Publications
• Evolving NIST Activities and Opportunities
CONTROLS AND EFFECTIVE RISK MANAGEMENT
We all know that controls are the methods we use to manage risk, but sometimes we security people forget that we need to balance that with value delivery and resource management.
Based on COBIT 5 Enabling Guide, Figure 2
"If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds" - former U.S. National Security Advisor McGeorge Bundy
BACKGROUND OF THE U.S. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)
• Founded to standardize weights and measures, and grew to cover consistency in safety and security
• In the U.S., and for much of the world, NIST does not decide what is “good”, nor does it have any authority to enforce use of any standard; its focus is on consistent measurement and communication. (Where NIST standards such as FIPS are mandatory for federal agencies, that obligation comes from FISMA and OMB policy, not from NIST itself.)
FROM ENCRYPTION TO QUANTUM AND BEYOND
On March 8, NIST celebrated its 50th year supporting the discipline that has been called, in turn: Computer Security, Information Security, Information Assurance, Cybersecurity, and Cyber Security.
SO, WHAT WOULD YOU SAY YOU DO HERE?
• One of NIST’s first security roles was setting the standard for data encryption for commercial purposes (e.g., banking): the Data Encryption Standard, or DES, published in 1977 by NIST’s predecessor, the National Bureau of Standards
• NIST steadily improved and shared guidance for federal information systems, with the goal that it be usable by everyone
• In the security revitalization after the events of 9/11/01, FISMA (the Federal Information Security Management Act of 2002) was born and continues to drive federal security efforts today
• NIST’s work in ensuring consistent definition and assessment of security controls has rightly expanded to include guidance on privacy and on supply chain risk management
PRIVACY CONSIDERATIONS
Historically, security practitioners have treated privacy controls as just another way to consider security controls.
There’s a great deal of overlap (a breach of personally identifiable information is both a security and a privacy event), but they’re far from synonymous: privacy risk also arises from authorized processing of data that no security control would flag.
From the NIST Privacy Framework
FOUNDATION IN FIPS 199 AND 200
FISMA tasked NIST with responsibilities for standards and guidelines, including the development of:
• Standards to be used by all federal agencies to categorize all information and information systems, to provide appropriate levels of information security according to a range of risk levels (FIPS 199)
• Guidelines recommending the types of information and information systems to be included in each category (SP 800-60)
• Minimum information security requirements (i.e., management, operational, and technical controls) for information and information systems in each such category (FIPS 200)
REQUIREMENTS AND CONTROLS
NIST points out that requirements and controls are different things, but with an important relationship between them:
• Requirement is generally used to refer to information security and privacy obligations imposed on organizations.
• Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders.
• Controls are selected and implemented by the organization in order to satisfy the system requirements.
SECURITY AND PRIVACY CONTROLS ARE CATALOGUED IN NIST SPECIAL PUBLICATION 800-53, CURRENTLY REVISION 5
From NIST SP 800-53 Rev. 5:
Families of controls contain base controls and control enhancements, which are directly related to their base controls. Control enhancements either add functionality or specificity to a base control or increase the strength of a base control.
NIST SP 800-53 STRUCTURE OF CONTROL DEFINITION
A BRIEF REVIEW OF THE RMF CYCLE
PREPARE Step Activities
Organization-level tasks:
• Risk Management Roles
• Risk Management Strategy
• Risk Assessment (Organization)
• Organizationally-tailored Control Baselines and Cybersecurity Framework Profiles (Optional)
• Common Control Identification
• Impact-level Prioritization (Optional)
• Continuous Monitoring Strategy (Organization)
System-level tasks:
• Mission or Business Focus
• System Stakeholders
• Asset Identification
• Authorization Boundary
• Information Types
• Information Life Cycle
• Risk Assessment (System)
• Requirements Definition
• Enterprise Architecture
• Requirements Allocation
• System Registration
CONTROL BASELINES AND OVERLAYS
• NIST SP 800-53B responds to the [need] to provide a proactive and systemic approach to developing and making available to federal agencies and private sector organizations a comprehensive set of security and privacy control baselines for all types of computing platforms, including general-purpose computing systems, cyber-physical systems, cloud-based systems, mobile devices, and industrial and process control systems. (emphasis mine)
• The control baselines provide a starting point for organizations in the security and privacy control selection process. Using the tailoring guidance and assumptions provided, organizations can customize their security and privacy control baselines to ensure that they have the capability to protect their critical and essential operations and assets.
CONTROLS AND OVERLAYS (CONTINUED)
• Baselines provide a starting point for how to apply controls
• In some cases they may represent minimum criteria; in others they are suggestions
• In all cases, baselines should be reviewed and, if applicable, tailored based on risk context, common controls, enterprise strategy, and compensating controls
NIST CONTROLS – NOW YOU CAN GET INVOLVED!
OVERLAYS HELP APPLY CONTROLS CONSISTENTLY
RMF ASSESS STEP SPELLS OUT THE ASSESSMENT PROCESS
• Prepare - Determine the objectives, scope, and timeframe of the control assessment.
• Develop Plans - Assessment procedures are selected and tailored, then optimized to reduce duplication of effort; the plan(s) are finalized and organizational approval is obtained.
• Assess - Relevant controls and control enhancements are assessed per the security and privacy assessment plan(s), and effectiveness, weaknesses, and deficiencies are documented.
• Analyze - Identified weaknesses and deficiencies are used to determine an approach to respond to risk in accordance with organizational priorities.
ONCE CONTROLS HAVE BEEN SELECTED AND IMPLEMENTED, NOW WE CAN ASSESS THEM
Original control: AC-17 REMOTE ACCESS
a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
b. Authorize each type of remote access to the system prior to allowing such connections.
ASSESSMENT CRITERIA HIGHLIGHTS PRIVACY PARAMETERS
ORGANIZATION-DEFINED PARAMETERS (ODP) DECLARED
ODP INFORMATION CAN BE USED FOR EVALUATION
ASSESSMENT METHODS
SP 800-53A Appendix C describes the three methods that may be used by assessors during security and privacy control assessments:
• Examine (specifications, mechanisms, activities)
• Interview (individuals or groups of individuals, including external partners and suppliers)
• Test (mechanisms, activities)
OTHER ASSESSMENT METHODS DESCRIBED
While the control assessment above is important for security and privacy planning, especially as part of system authorization, other assessment methods are also used for information systems:
• Penetration testing is conducted as a controlled attempt to breach the security and privacy controls employed within the system, using the attacker’s techniques and appropriate hardware and software tools.
• Ongoing assessment (described in NIST SP 800-137) provides manual and automated means to continually review whether the controls remain in place, effective, and efficient. NIST integrates this with the Information Security Continuous Monitoring (ISCM) processes and procedures.
HOW DO YOU MEASURE SUCCESS?
• Notably, the NIST RMF control assessment process is primarily intended to help ensure that controls (and control enhancements) are properly and adequately implemented to achieve an acceptable level of risk.
• Keep in mind that this assessment, like many in our industry, can be extended to determine how well the organization is doing at fully implementing a control, doing so consistently and repeatably, and proactively considering what’s over the horizon.
• Methods like ISO/IEC 33020 (Process assessment — Process measurement framework for assessment of process capability) and our own CMMI criteria help to move beyond “binary” (satisfied / not satisfied) assessment.
PROTECTING CONTROLLED UNCLASSIFIED INFORMATION
• Controlled Unclassified Information (CUI) is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls (defined in 32 CFR Part 2002; the baseline protection requirements for CUI in nonfederal systems are in NIST SP 800-171)
ENHANCED CUI REQUIREMENTS
Remember the opening quote about toothbrushes and diamonds? Sometimes we need to define more advanced requirements where the risk is “really unacceptable”.
NIST SP 800-172 describes enhanced security requirements that are applicable to a nonfederal system or nonfederal organization as mandated by a federal agency in a contract, grant, or other agreement.
These apply to the components of nonfederal systems that process, store, or transmit CUI associated with a critical program or a high value asset, or that provide protection for such components.
Figure source: ISACA Risk IT (2009)
ASSESSMENT OF CUI PROTECTIONS BASED ON REQUIREMENTS
SP 800-171A (CUI requirement assessment) and the just-released SP 800-172A (enhanced requirements) provide guidance similar to that in SP 800-53A.
The level of rigor and depth of assessment should be agreed upon between federal stakeholders and managers of the nonfederal system.
As with most NIST models, this approach can be extended anywhere that sensitive info is shared.
FURTHER NIST STEPS TOWARD AUTOMATION!
From NIST IR 8278 (the National Online Informative References, or OLIR, program)
Frameworks and models are connected and related, and we can document those connections, our rationale, and the extent of the relationships.
INTEGRATION OF CYBER RISK DATA INTO ERM
REQUEST FOR INFORMATION FOR IMPROVING NIST MODELS
• Regarding the CSF, NIST wants to better understand how it is being used today and to learn what’s working and what’s not. Version 1.0 was published in 2014 and updated to Version 1.1 in 2018, so it is time for an update.
• Other NIST resources - better ways to align the CSF with other NIST guidance, such as the Privacy Framework, Secure Software Development Framework, RMF, Workforce Framework, IoT, and AI.
• Focus on supply chains - NIST recently launched a public-private partnership called the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address supply chain cybersecurity risks.
This training content (“content”) is provided to you without warranty, “as is” and “with all faults”. ISACA makes no representations or warranties express or implied, including those of merchantability, fitness for a particular purpose or performance, and noninfringement, all of which are hereby expressly disclaimed.
You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented in determining the appropriate procedures, tests, or controls.
Copyright © 2022 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING