Lect 09
http://fpt.edu.vn 05/11/2024
In-Place Controls vs. Planned Controls
• In-Place Controls
– installed in an operational system
– have three primary objectives: Prevent, Recover and Detect
• Planned Controls
– have been approved but are not installed yet
Control Categories
NIST Control Classes
NIST SP 800-53
Technical Controls
• Access Control (AC)
• Audit and Accountability (AU)
• Identification and Authentication (IA)
• System and Communications Protection (SC)
NIST SP 800-53
Management Controls
• Certification, Accreditation, and Security Assessment (CA)
• Planning (PL)
• Risk Assessment (RA)
• System and Services Acquisition (SA)
• Program Management (PM)
NIST SP 800-53
Operational Controls
• Awareness and Training (AT)
• Configuration Management (CM)
• Contingency Planning (CP)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Physical and Environmental Protection (PE)
• Personnel Security (PS)
• System and Information Integrity (SI)
Controls
• Administrative controls
• Technical controls
• Physical controls
Administrative Control Examples
Administrative Control Examples (cont.)
Technical Control Examples
• Logon identifier
• Session timeout
• System logs and audit trails
• Data range and reasonableness checks
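The list above names four technical controls but does not show how they are enforced. The following Python example is added here and is not from the lecture: it implements a server-side session table with an idle and an absolute timeout, issues an unguessable logon identifier (session token), records every security-relevant decision in an audit trail, and applies data range and reasonableness checks to a constructed order record. The timeout values, the order fields and their limits are assumptions chosen for illustration; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy values (assumed for this example, not from the lecture).
IDLE_TIMEOUT_S = 15 * 60        # end the session after 15 min without activity
ABSOLUTE_TIMEOUT_S = 8 * 3600   # and always after 8 h, regardless of activity

AUDIT_LOG = []  # stand-in for the system log / audit trail


def audit(event, **fields):
    """Append one structured record to the audit trail."""
    AUDIT_LOG.append({"event": event, **fields})


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session table that enforces idle and absolute timeouts."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can advance time
        self._sessions = {}

    def create(self, user):
        """Issue an unguessable logon identifier for an authenticated user."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        audit("session.create", user=user)
        return token

    def touch(self, token):
        """Validate the session presented with a request.
        Returns the user name, or None if the token is unknown or expired;
        an expired session is evicted so it cannot be revived later."""
        s = self._sessions.get(token)
        if s is None:
            audit("session.invalid")
            return None
        now = self._clock()
        idle_expired = now - s.last_seen > IDLE_TIMEOUT_S
        absolute_expired = now - s.created_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:
            del self._sessions[token]
            audit("session.expire", user=s.user,
                  reason="idle" if idle_expired else "absolute")
            return None
        s.last_seen = now
        return s.user


def check_order(order):
    """Data range and reasonableness checks on a constructed order record.
    Returns the list of violations; an empty list means the record is accepted."""
    problems = []
    qty = order.get("quantity")
    if not isinstance(qty, int) or not 1 <= qty <= 1000:
        problems.append("quantity out of range 1..1000")
    price = order.get("unit_price")
    if not isinstance(price, (int, float)) or not 0.01 <= price <= 100000:
        problems.append("unit_price out of range 0.01..100000")
    # Reasonableness check across fields: shipping cannot precede ordering.
    if order.get("ship_date", 0) < order.get("order_date", 0):
        problems.append("ship_date precedes order_date")
    if problems:
        audit("input.reject", problems=problems)
    return problems


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(store.touch(tok))          # alice
    print(check_order({"quantity": 0, "unit_price": 9.99,
                       "order_date": 200, "ship_date": 100}))
    print(AUDIT_LOG)
```

Both timeouts matter: the idle limit bounds how long an unattended terminal stays usable, and the absolute limit bounds the lifetime of a token that has leaked, even if the attacker keeps it active. Rejected input and expired sessions are written to the same audit trail the slide lists as a control, so that the detective control records what the preventive controls did.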
Technical Control Examples (cont.)
Firewalls and Routers
Digital Signatures
Physical Control Examples
Best Practices for Risk Mitigation
Security Controls