From the course: Cybersecurity Foundations

Cybersecurity control framework

- [Instructor] While controls can be applied by an enterprise as a customized response to business risks, in many cases, an external authority will direct that a predefined set of controls be adopted as a baseline for security. An example of government policy is SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which federal organizations are required to adopt. An authority may be an industry body, such as the Payment Card Industry Council, which requires that merchants adhere to the Payment Card Industry Data Security Standard. NIST's SP 800-53 is one of two important control frameworks used in cybersecurity, the other being ISO 27002. They're both structured as a set of control categories, within each of which exist a number of specific controls. While the categories and the controls are different for each standard, they can be mapped against each other. These two control frameworks are widely referenced by other security schemes, in particular the NIST Cybersecurity Framework. The controls in ISO 27002 are described in a three-tier hierarchy of security category, security control objective, and control. Let's have a look at an example. Here, we can see access control is the main category, operating system access control is the control objective, and user identification and authentication is the control. The NIST SP 800-53 controls are described in a two-tier hierarchy. In this example, identity and authentication is the control family and identity and authentication, organizational users, is the control. The description is very similar to the description of the ISO 11.5.2 control. An important first stage in implementing a control framework is to create what's known as a Statement of Applicability. The Statement of Applicability is the main link between the risk assessment and the selection of controls, and its purpose is to provide evidence that all controls have been considered.
The controls that aren't applicable won't be implemented, and the rationale for omitting them is recorded in the Statement of Applicability. Developing a clear Statement of Applicability is a good way to reduce the effort required to meet and maintain a compliant and effective security posture. There are a number of specific considerations around controls. Common controls can be inherited by one or more systems, reducing both deployment and ongoing operational effort and cost. Where specific controls are called for but are either not yet present or can't be implemented, compensating controls will be required, such as sample checks of manual authorizations in the absence of an electronic authorization process. Once a control has been implemented, it needs regular testing, and this should be a routine part of any compliance program. Control testing involves two stages: testing design effectiveness, and testing operational effectiveness. Design effectiveness is checked by verifying that the control, as implemented, meets the original design requirements. For example, carrying out a design test of control ISO 11.5.2, user identification and authentication, would involve verifying configuration files to confirm that access to the system requires entry of a user identifier and that a password or some other form of authentication is required prior to allowing access into the system. Operational effectiveness involves testing the system and making sure that the control is continuing to be effective against attack. For example, a penetration tester might attempt an SQL injection on the user identifier field in a log-on form to see whether access can be gained without entering valid credentials.
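The two ideas the instructor describes, a Statement of Applicability that proves every control was considered, and a design-effectiveness test that inspects configuration for the ISO 27002 11.5.2 user identification and authentication control, can both be expressed as small checks. The following Python is an added example written for this page; it is not course material. It assumes a constructed control catalogue (only the 11.5.2 identifier comes from the transcript, the `CTRL-EXAMPLE-*` identifiers are placeholders) and uses a constructed OpenSSH `sshd_config` fragment as the configuration under test.

```python
"""Added example: Statement of Applicability completeness check plus a
design-effectiveness test for a user identification and authentication control."""
from dataclasses import dataclass


@dataclass
class SoaEntry:
    """One row of a Statement of Applicability."""
    control_id: str
    name: str
    applicable: bool
    rationale: str = ""  # must be recorded when a control is excluded


# Constructed catalogue: the ISO 27002 11.5.2 control named in the transcript
# plus two placeholder identifiers (not real controls) to show the completeness check.
CATALOGUE = {
    "ISO27002-11.5.2": "User identification and authentication",
    "CTRL-EXAMPLE-1": "Placeholder control 1",
    "CTRL-EXAMPLE-2": "Placeholder control 2",
}


def soa_gaps(entries, catalogue=CATALOGUE):
    """Return problems with a Statement of Applicability: catalogue controls that were
    never considered, and controls marked not applicable without a recorded rationale."""
    problems = []
    considered = {e.control_id for e in entries}
    for control_id in catalogue:
        if control_id not in considered:
            problems.append(f"{control_id}: not considered in the Statement of Applicability")
    for entry in entries:
        if not entry.applicable and not entry.rationale.strip():
            problems.append(f"{entry.control_id}: excluded without a rationale")
    return problems


def parse_sshd_config(text):
    """Parse 'Keyword value' lines into a dict. Comments are dropped and, as sshd does,
    the first occurrence of a keyword wins. Keys are lower-cased (sshd keywords are
    case-insensitive)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def design_test_user_auth(settings):
    """Design-effectiveness check for ISO 27002 11.5.2 against parsed sshd settings:
    the login path must demand a credential (password or key) and must not accept an
    empty password. An empty list means the design requirement is met."""
    findings = []
    if settings.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords must be no")
    enabled = [m for m in ("passwordauthentication", "pubkeyauthentication")
               if settings.get(m, "").lower() == "yes"]
    if not enabled:
        # The test demands explicit evidence rather than relying on sshd defaults.
        findings.append("no authentication method explicitly enabled")
    return findings


# Constructed sample configuration fragments (not taken from any real host).
GOOD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

WEAK_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication no
PermitEmptyPasswords yes
"""


if __name__ == "__main__":
    soa = [
        SoaEntry("ISO27002-11.5.2", CATALOGUE["ISO27002-11.5.2"], True),
        SoaEntry("CTRL-EXAMPLE-1", CATALOGUE["CTRL-EXAMPLE-1"], False,
                 "constructed rationale: no electronic authorization process exists"),
    ]
    print("SoA gaps:", soa_gaps(soa))  # CTRL-EXAMPLE-2 was never considered
    print("good config:", design_test_user_auth(parse_sshd_config(GOOD_CONFIG)))
    print("weak config:", design_test_user_auth(parse_sshd_config(WEAK_CONFIG)))
```

The design test deliberately reads the configuration rather than logging in: that is the distinction the transcript draws, with operational effectiveness being the separate, live exercise against the running system.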