Domain 3 Flashcards

1
Q

What is the purpose of the NIST RMF SELECT step?

A

The purpose of the Select step is to:
- select,
- tailor, and
- document

the controls necessary to protect the information system and organization commensurate with risk to:
- organizational operations,
- assets,
- individuals,
- other organizations,
- and the Nation.

NIST 800-37

2
Q

What is the purpose of the NIST RMF Categorize step?

A

In Step 2 (Categorize) of the Risk Management Framework, the organization determines the value of the system to the organization’s mission (categorization).

At the same time, the level of confidentiality required for the system and its information (classification) is established.

3
Q

What two decisions inform the NIST RMF Select step?

A

  • Categorization (value of the asset)
  • Classification (confidentiality required)

4
Q

Different frameworks have different terminology for various control types:

What term does the NIST Risk Management Framework use?

A

The NIST RMF prefers the term operational controls.

5
Q

What kind of controls does the ISACA COBIT framework recognize?

A

The ISACA COBIT framework recognizes the following forms of control:

  • administrative
  • technical
  • management
  • legal

6
Q

What does the selection and approval of security and privacy controls require?

A

The selection and approval of security and privacy controls requires an understanding of:
- what a control is,
- what it is designed to do,
- and what policy decisions shape the controls environment.

7
Q

By what are the resulting controls decisions shaped or influenced?

A

The resulting controls decisions are shaped by a variety of influences, including:
- statutory or regulatory obligations,
- organizational security or privacy policies,
- the organization's risk management practices,
- existing controls,
- system capabilities,
- contractual requirements

associated with the operation of the system, and other factors.

8
Q

Many influences shape the control decisions process, e.g.:
- statutory or regulatory obligations,
- organizational security or privacy policies,
- the organization's risk management practices,
- existing controls,
- system capabilities,
- contractual requirements.

What is required from security professionals to make such a decision?

A

Such a diverse group of influences requires security professionals to fully understand the business context in which the system operates, to ensure the control suite is appropriate for, and effective at, securing the system from compromise.

9
Q

What kind of information helps you define the control objectives?

A

The categorization and classification inputs help the organization define the control objectives, which state the desired outcomes expected from the proper implementation of the control.

10
Q

What does the control objective define?

A

A control is a mechanism through which the desired result is accomplished.

There is no point in having a control without a control objective - the control objective defines the value of the control to the system or organization.

11
Q

What three major types of controls exist according to the NIST RMF?

A

Types of controls might include:
- physical
- technical
- administrative actions

12
Q

What are physical controls?

A

Physical controls are designed to shape an individual’s access to:

  • spaces
  • systems
  • environments

or to address the effects of environmental hazards on an information system’s operations.

Typical physical controls include:

  • doors and locks
  • mantraps
  • turnstiles
  • bollards
  • the physical characteristics of buildings and environments (e.g. reinforced concrete, site selection).

13
Q

Name some examples for physical controls.

A

Typical physical controls include:

  • doors and locks
  • mantraps
  • turnstiles
  • bollards
  • the physical characteristics of buildings and environments (e.g. reinforced concrete, site selection).

14
Q

What are technical controls?

A

Technical controls are applied to an information system through mechanisms contained in the:

  • hardware
  • software
  • or firmware

components of the system.

These include:
- identity and access management tools,
- cryptographic algorithms,
- parity mechanisms to identify integrity errors in information,
- and other system configurations and capabilities.

15
Q

Name some examples for technical controls.

A

These include:
- identity and access management tools,
- cryptographic algorithms,
- parity mechanisms to identify integrity errors in information,
- and other system configurations and capabilities.

16
Q

What are administrative controls?

A

Administrative controls provide direction to people to properly:
- manage,
- operate,
- and use a system.

Policies, instructions, standards, procedure manuals, and signage are only a few of the many different forms of administrative controls organizations use to shape the risk of system operation.

17
Q

Name some examples for administrative controls.

A

  • Policies,
  • instructions,
  • standards,
  • procedure manuals,
  • and signage

are only a few of the many different forms of administrative controls organizations use to shape the risk of system operation.

18
Q

Controls can also be divided into seven categories. Name those seven control categories.

A

In practice, a single control may span several categories.

  • Directive controls
  • Deterrent controls
  • Preventive controls
  • Detective controls
  • Corrective controls
  • Recovery controls
  • Compensating controls
19
Q

What are directive controls?

A

Directive controls. These are generally administrative in nature, providing guidance to the people operating the system.

Directive controls are established before the risk event. In their execution, the actions they direct may become the:
- detective
- corrective
- recovery

controls discussed below.

20
Q

What are deterrent controls?

A

Deterrent controls. These change the risk/reward calculation of the threat actor. Some consequence is advertised to the human threat actor, which causes them to reassess whether to cause harm to the system.

Deterrent controls must exist before the threat event happens. If the risk event happens before the control exists, the use of this control is irrelevant.

  • A deterrent control aims to discourage potential attackers or unauthorized users from engaging in malicious activity by making the consequences clear or by creating the perception of a high likelihood of detection and punishment.
  • It’s more about discouraging harmful actions rather than stopping them outright.
21
Q

What are preventive controls?

A

Preventive controls. These are any other controls implemented before the risk event that change the likelihood or consequence of the risk event.

These controls are designed to proactively identify and mitigate potential threats, thus reducing the chance of the risk event happening or diminishing its effect should it occur.

  • A preventive control is designed to stop security incidents from occurring in the first place by blocking or limiting certain actions or behaviors.
  • It works proactively to prevent harm before it happens.
22
Q

What are detective controls?

A

Detective controls. These identify that the risk event has occurred. As described, the decision to implement a control is different from that of identifying a risk event.

So, a policy might direct the use of an intrusion detection system (IDS), but the actual IDS and its operation is a detective control.

A detective control uses a sensor to communicate with a controller to determine whether an acceptable tolerance has been exceeded.

If it has, an enunciator generates an alarm. It is the job of the detective control to simply identify and announce the out-of-normal-state.

Once a detective control has identified the risk event, controls that affect the likelihood of the risk event have failed.

23
Q

What are corrective controls?

A

Corrective controls. These limit further damage from the risk event.
Corrective controls might be a manual process or could be automatic actions performed by a system to limit the impact of the risk event.

Regardless of the form they take, a corrective control’s focus is on the harm from the event.

24
Q

What are recovery controls?

A

Recovery controls. These return the system to an acceptable state of operation.
These may be the actions taken to execute a directive control (e.g. implementing a business continuity plan), or they may be automatic system actions that restore normal operation to an out-of-normal condition.

They are informed by the detective controls, without which they cannot operate effectively.

As with detective and corrective controls, recovery controls are only relevant to the risk event after it has occurred.

25
Q

What are compensating controls?

A

Compensating controls.
These may be relevant before or after the threat event.

These controls will either augment the primary control to achieve the needed risk reduction level or take over for the primary control if it fails.

Compensating controls may be associated with any other control category.

26
Q

Name examples of directive controls.

A

Examples:
- Security Policies
- Training and Awareness Programs
- Standard Operating Procedures (SOPs)
- Security Guidelines and Best Practices
- Regulatory Compliance Requirements

27
Q

Name examples of deterrent controls.

A

Examples:
- Visible security cameras
- warning signs that tell people they are being monitored.

28
Q

Name examples of preventive controls.

A

Examples:
- Firewalls,
- access control systems,
- and encryption

These actively block unauthorized access or harmful actions.

29
Q

Name examples of detective controls.

A

Examples:
- Intrusion Detection Systems (IDS)
- Security Information and Event Management (SIEM)
- Audit Logs
- File Integrity Checkers
- CCTV
- Vulnerability Scanning
- User Activity Monitoring

30
Q

Name examples of corrective controls.

A

Examples:
- Incident Response Plans
- Patch Management
- Access Control Adjustments
- Restoration of Backups
- Reconfiguration of Systems
- User Education and Re-Training
- Network Segmentation
- Strengthening Firewalls or Security Controls

31
Q

Name examples of recovery controls.

A

Examples:

  • Data Backups and Restoration
  • Disaster Recovery Plans (DRP)
  • Business Continuity Plans (BCP)
  • Failover Systems
  • Cloud-based Disaster Recovery
  • Hot/Cold/Warm Sites
  • Redundancy and Load Balancing
  • Alternate Work Locations
  • System and Application Recovery
  • Testing and Drills
32
Q

Name examples of compensating controls.

A

Examples:

  • Multi-Factor Authentication (MFA)
  • Increased Monitoring and Logging
  • Manual Access Control Procedures
  • Use of Encryption on Backup Media
  • Virtual Private Network (VPN) for Remote Access
  • Physical Security for High-Risk Areas
  • Regular Security Audits
  • Manual Data Review Processes
  • Third-Party Security Services
  • Contractual Agreements and Audits for Vendors
33
Q

What do traditional information security models use to create a controls matrix for a control objective?

A

Traditional information security models use the three control types and seven control categories to create a controls matrix for a control objective.

34
Q

What is a control matrix for a control objective?

A

This matrix is useful for auditing and monitoring the proper operation of the system. The matrix also helps organizations evaluate the risks of single points of failure in the control environment, as it documents the defense in depth used to achieve a control objective.

To be effective in achieving the control objective, a control must:
- be implemented as designed
- operate as expected
- achieve the desired result

35
Q

What is necessary to determine whether the control objective is achieved?

A

Without effective controls assessment and monitoring, it is not possible to determine whether the control objective is achieved.