* No matter how you look, safety is your responsibility *

In his last article, “IB in American. Part 1. What is NIST 800-53 and what do security controls look like? ”I talked about the framework around which the entire NIST SP 800-53 document is built, namely security controls. Those. the very measures, the implementation of which reduces the risks of information security. Thus, I hope, interested part of the audience. However, the full process of working with security controls is much broader and includes a lot of other principles besides the measures themselves. We will talk about how this all should work today.

Links to all parts of the article:
IB in American. Part 1. What is NIST 800-53 and what do security controls look like?
IB in American. Part 2. Is it possible to learn more about NIST 800-53 and where does risk management go?
IB in American. Part 3. What is a basic set of controls and how to determine the criticality of systems?
IB in American. Part 4. We deal with the "fit" and "overlap" and complete this review.

')

What is this NIST SP 800-53 rev4 about?

First of all, I will allow myself to make a brief remark, once again reminding the reader that it will be a question of the most recent version of the NIST Special Publication 800-53 Revision 4 document (and here is the link for the most interested). We can say that the document is “fresh” - it is only a little more than a year old. The same ISO 27001 (we compare it again and again, well, with whom else?) Was updated to the current version for the whole 8 years and only saw the light last year. But there are more global processes. Therefore, probably, forgivable ...
So, the official name of the document can be translated as “Security and Privacy Controls for Federal Information Systems and Organizations” (“Security and Privacy Controls for Federal Information Systems and Organizations”). From here, the vector of further narration becomes immediately clear: the conversation will go not about high-level principles and concepts of information security, but about specific, well-detailed measures to ensure information security, which we learned from the control device in the previous part. Everything is very detailed and with great attention even to the smallest detail.
Also worth a little distraction to clarify the use of the word Privacy. The authors use this term not only in the title, but also quite often in the body of the document when mentioning controls (namely, in such wording “security and privacy controls”) - this suggests that privacy (read the protection of personal melons) is given in The United States is paying close attention , except that iCloud has let us down ... for someone to be happy .... However, I will further omit this word wherever it is used in conjunction with security, in order to avoid excessive cumbersome text.


* What is rubbish for one can be a real treasure for another *

Standard rubric: from the author

As much as possible avoiding direct translation, I still need to draw the reader’s attention to how the authors themselves determine the purpose of this publication. This will help to understand a little better what will be discussed further and possible positioning of the document in the process of ensuring information security.

This document is a catalog of security and privacy controls for use in federal information systems and organizations, and also includes a procedure for selecting controls necessary to ensure the protection of an organization and its operation, relevant assets and individuals, as well as other organizations and the Nation from a variety of threats, including sophisticated cyber attacks, natural disasters, infrastructure problems and the human factor (both intentional and unintentional). Controls are a highly customizable tool for managing information security risks and can be used across an organization. Also, this publication describes the process of developing specialized sets of security controls, tailored to specific tasks and functions of business, technology and business environment. In addition, it should be noted that the security control catalog provides security both in terms of functionality (durability and reliability of the proposed functions, security mechanisms, technologies, etc.) and in terms of guarantees (confidence that each control is implemented correctly, functions as planned and provides the expected result).

Multi-level risk management

Since the document not only claims compatibility with other NIST publications on security, it is also designed for use within the framework of an “organization-wide approach”, i.e. approach across the organization, and all processes are treated accordingly. Including risk management, which is a necessary component for building a complete IS management system in an organization. So, considering the risk management process, the authors identify three levels operating at different scales (shown schematically in Figure 1):
Level 1: Organization
Level 2: Business Processes
Level 3: Information Systems

Figure 1. Layered Risk Management Scheme

This approach allows for effective, comprehensive risk management with the following distinct benefits:

1. Transparency and ease of tracking decisions based on risks
2. Awareness of risks across the organization
3. Interactions both within and between different levels
4. Feedback loop for continuous improvement

Level 1

Provides the ability to prioritize business objectives and functions of the organization, which translate into investment strategy and budgeting solutions, thereby providing financially beneficial (“cost-effective”) and effective IT solutions that meet the performance requirements, as well as goals and objectives of the organization.

Level 2

Includes:

1. Definition of business processes necessary to ensure business tasks and functions of the organization;
2. Definition of security categories of dedicated information systems necessary for the execution of business processes;
3. Inclusion of IB requirements in business processes;
4. The choice of IT architecture (including information security) to facilitate the implementation of information security requirements in the organization’s information systems and their environment.

Level 3

Risk Management Framework (or RMF for short) is used to handle risks at the information system level - a set of risk management tools presented in Figure 2 below. This framework is one of the fundamental and connecting links of many NIST publications on information security, IT and management. risks. More information about its implementation is presented in the NIST SP 800-37 document. The publication NIST SP 800-53 (and, accordingly, the entire cycle of these articles) is devoted in particular to the second step of RMF: the selection of security controls.

Risk management framework

Figure 2. Risk Management Framework

Although the full description and guidance on the use of the Risk Management Framework is a separate document (or, to be precise, this is exactly this publication of NIST SP 800-37 ), I consider it necessary to provide the reader with a brief overview of this tool to improve the understanding of the process of choosing controls and its place among other processes in risk management. So, RMF answers the security issues that arise in an organization in the process of designing, developing, implementing, operating and disposing of IP and the environment in which they function. As input, the Framework uses data about the existing architecture and data about the organization (in more detail this is disclosed in the lists presented in Figure 2).
Briefly review the steps of this cycle:

• Step 1. Categorizing IP based on FIPS Publication 199 "threat assessment";
• Step 2. Selecting a set of initial security controls, based on the results of the categorization of the IP, and applying the “tailoring” guide * adaptation *;
• Step 3. Implementation of security controls, documenting the design processes, development and implementation of controls;
• Step 4. Assessment of security controls to determine the extent to which controls are correctly implemented, work as expected, and provide the necessary result in terms of achieving IS requirements for information systems.
• Step 5. Authorization of IP operation, based on risks arising for the organization, individuals, etc. as a result of the operation and use of IP and the decision to accept these risks;
• Step 6. Monitoring security controls in the IP and operating environment on an ongoing basis to determine the effectiveness of controls, the need for changes to the IP and operating environment and compliance with legal requirements.

* They may have changed jobs, but they are still in business *

And more about FIPS 200

As can be seen in the figure, the second step of the Framework refers to, in addition to the publication already known to us (for which we, in fact, have gathered here), the FIPS 200 document (Federal Information Processing Standards Publication "). This document is dedicated to determining the minimum security requirements for confidential information and information systems. In essence, the document operates with security measures divided into the same families of controls that we considered in the first part. However, since the essence of the document is in the minimum requirements, only the most basic information security measures are included there and they are described in simple text in just a few sentences for each family. Further, there is an explanation that the definition of the security category must be made in accordance with the FIPS 199 document (it will be discussed in more detail later). Then, based on the resulting category, you need to develop a set of security controls, based on one of the basic sets of controls that are presented in NIST 800-53. In more detail this process will be analyzed further. This is how FIPS turned out to be a small document, which, however, plays a big role, obliging everyone to comply with current best practices, as it refers to the regularly updated NIST 800-53.

Instead of conclusion

In this article, we familiarized with the basis necessary for understanding how the process of ensuring information security by implementing controls correlates with other processes occurring in an organization.
The following articles will discuss how to categorize information systems, select the correct sets of security controls and other activities associated with the difficult task of ensuring information security.