
Identifying and Analyzing Risk Mitigation Security Controls


Objectives

• In-place and planned controls
• The different categories of controls defined by NIST
• Administrative controls
• Technical controls
• Physical controls
• Best practices for risk mitigation security controls

http://fpt.edu.vn 05/11/2024 2
In-Place Controls vs. Planned Controls

• In-Place Controls
– installed in an operational system
– have three primary objectives: Prevent, Detect and Recover
• Planned Controls
– approved but not yet installed

Control Categories

• NIST SP 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
• Implementation method
• COBIT

NIST Control Classes

NIST SP 800-53 Technical Controls
• Access Control (AC)
• Audit and Accountability (AU)
• Identification and Authentication (IA)
• System and Communications Protection (SC)

NIST SP 800-53 Management Controls
• Certification, Accreditation, and Security Assessment (CA)
• Planning (PL)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• Program Management (PM)

NIST SP 800-53 Operational Controls
• Awareness and Training (AT)
• Configuration Management (CM)
• Contingency Planning (CP)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Personnel Security (PS)
• System and Information Integrity (SI)

Controls

• Administrative controls
• Technical controls
• Physical controls

Administrative Control Examples

• Policies and procedures
• Security plans
• Insurance and bonding
• Background checks and financial checks

Administrative Control Examples (cont.)

• Data loss prevention program
• Awareness and training
• Rules of behavior
• Software testing

Technical Control Examples

• Logon identifier
• Session timeout
• System logs and audit trails
• Data range and reasonableness checks

Technical Control Examples (cont.)

• Firewalls and routers
• Encryption
• Public Key Infrastructure (PKI)

Firewalls and Routers

Digital Signatures

Physical Control Examples

• Locked doors, guards, access logs, and closed-circuit television.
• Fire detection and suppression.
• Water detection.
• Temperature and humidity detection.
• Electrical grounding and circuit breakers.

Best Practices for Risk Mitigation Security Controls

• Ensuring the control is effective.
• Reviewing controls in all areas.
• Reviewing NIST SP 800-53 classes.
• Redoing a risk assessment if a control is changed.
