Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
2 likes424 views
The document outlines the categorization, implementation, and assessment of security controls for information systems according to NIST standards, particularly NIST SP 800-53 and SP 800-37. It emphasizes the importance of selecting appropriate controls based on data sensitivity and provides guidance on developing an information system security plan. The document also discusses the concept of compensating security controls for risk management in various security baselines.
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Controls
- 12. NIST SP 800-53
- 15. Data Type Data Description Data Sensitivity
- 16. Data Type Confidentiality Integrity Availability Personal Identity and Authentication Moderate Moderate Moderate Help Desk Services Low Low Low Budget & Finance Moderate Moderate Low Accounting Low Moderate Low Space Operations Low High High High Watermark Moderate High High Overall High Watermark High
- 31. NSTISSI No. 1000
- 34. NIST SP 800-18 Rev 1
- 38. Appendix A: Sample Information System Security Plan Template
- 39. NSTISSI No. 1000
- 41. Plan Initiation Plan Development Plan Implementation Plan Maintenance Recertification or Retirement
- 47. System 1 Subsystem A Subsystem B Subsystem C
- 49. Information Criteria Security Impact Confidentiality Low / Moderate / High Integrity Low / Moderate / High Availability Low / Moderate / High Based on: NIST SP 800-60 and FIPS Pub 199
- 58. “Compensating security controls are the management, operational, or technical controls used by an agency in lieu of prescribed controls in the low, moderate, or high security control baselines, which provide equivalent or comparable protection for an information system.” Source: NIST SP 800-100 § 8.4.4
- 59. 1 • Select controls from 800-53 2 • Complete and convincing rationale 3 • Assess and formally accept risk
- 60. 1 • Agency has developed on documented common controls 2 • Agency has assigned responsibility of the common control 3 • Systems owners should be made aware 4 • Expert in the common control consulted 5 • Agency, Campus or Center Common Control
- 64. Source: NIST SP 800-100 § 8.4.1
- 65. Criteria Rating Confidentiality Moderate Availability Low Integrity Low