InfoSec the American way. Part 4. Understanding "tailoring" and "overlays", and finishing this review


* Leave your work in the workplace! *

So, the long road of writing an overview of NIST SP 800-53 comes to its logical end. I am glad that I managed to carry out my plan and write a small but complete cycle of articles without stopping at the first or second part. In the future I hope to share, from time to time, our thoughts on information security, IT and audit with the public.

So, this article will finally talk about choosing a set of security controls, tailoring it to the needs of a particular organization, and creating so-called "overlays" that are applicable beyond the scope of a single organization.

Links to previous articles:

InfoSec the American way. Part 1. What is NIST 800-53 and what do the security controls look like?
InfoSec the American way. Part 2. Can you elaborate on NIST 800-53, and where does risk management come in?
InfoSec the American way. Part 3. What is a baseline set of security controls and how is the criticality of information systems determined?
InfoSec the American way. Part 4. Understanding "tailoring" and "overlays", and finishing this review


Selecting a baseline set of controls


In the previous article I presented my view of the methodology for determining the criticality of an information system (IS), as described in FIPS 199 and performed in the first step of the Risk Management Framework discussed in the second article. What remains to be done?
Once the criticality level of the IS has been determined, the process of selecting the necessary security controls begins. The first step is to choose a baseline set of controls based on the results of categorization. One of three sets is selected, corresponding to the low, moderate and high criticality levels. It is worth noting that not all controls are included in these baselines, and the low baseline naturally contains the fewest. Once again I dare to remind you that the baselines are only the starting point of the further process of building a suitable set of controls: during "tailoring", controls may be added, removed or refined to meet the organization's security requirements.
It is also important that, precisely because they are meant to be universal, the baselines presented in the document rest on certain assumptions within which they are relevant. In other words, these sets were created for specific, quite particular conditions of use. Do not blame the authors for narrow-mindedness, though: these conditions were deliberately chosen so as to cover the largest segment of information systems. So, here are the assumptions:
  1. Information systems are located in physical facilities (the baselines were not originally built with virtualization in mind);
  2. User information in the organization's IS is relatively stable (users do not create or destroy information in significant quantities on a regular basis);
  3. Information systems operate in multi-user mode;
  4. Some user information in the organization's IS is not accessible to other users who have authorized access to the same IS (after all, access control is a basic principle, isn't it?);
  5. Information systems exist in a networked environment;
  6. Information systems are essentially general-purpose systems (i.e., we are not trying to protect Iranian uranium enrichment centrifuges);
  7. The organization has the necessary structure, resources and infrastructure to implement the controls.

If some of these assumptions do not match reality, the controls need additional "tailoring" to the organization's needs (discussed in more detail below).

The authors also list a number of possible situations that are not covered by the protective measures implemented in the baseline sets of controls:
  1. There is an insider threat in the organization (as the saying goes, "there is no defence against a crowbar");
  2. The organization faces persistent threats from capable adversaries (for example, the banking sector);
  3. Certain types of information require additional protection under the requirements of legislation, regulators, etc.;
  4. The IS has to interact with other systems through environments with a different level of security (for example, through a public network segment).

If any of these situations applies to the organization, it is necessary to turn to the additional controls and to "tailor" the protective measures in accordance with the results of the organization's risk assessment.


* Santa can relax ... But you are not! Safety doesn't have a weekend *

"Tailoring" the baseline control sets


Let me remind you that "tailoring" is the process of optimizing, refining or improving a set of controls so that it meets the security requirements of a particular IS or organization. This activity is usually carried out after a baseline set of controls has been selected and includes:
  1. Identifying and designating the common security controls in the baseline (here we mean the control type: common / system-specific / hybrid);
  2. Analysing the possible scope of application of the remaining controls in the baseline;
  3. Selecting compensating security controls where necessary;
  4. Assigning values to the organization-defined security control parameters;
  5. Supplementing the baseline with additional controls and control "enhancements" where necessary;
  6. Providing additional specification information for implementing the controls where necessary.

The "tailoring" process, which is part of the control selection and specification stage, is part of the risk management process used in the organization. In essence, the organization uses "tailoring" to achieve cost-effective security based on the risk assessment and contributing to business needs (after all, nobody needs information security that cannot close the actual threats or whose cost exceeds the possible losses). All tailoring decisions must be approved by the persons designated by the organization before they are implemented.
In general, the tailoring process occupies one of the central places in this publication and is described in great detail, since it is one of the fundamental activities that contributes to building an information security system that meets the organization's needs and mitigates the actual information security risks. Perhaps this topic will be covered in more detail later.


* Safety is a necessary concern at any time of the year *

Developing "overlays"


So, having briefly familiarized ourselves with the process of "tailoring" the baseline sets of controls, which makes it possible to obtain more accurate and realistic information security measures, we now turn to another very useful way of using NIST SP 800-53.
In certain situations it may be advantageous for an organization to use the "tailoring" tool to obtain a generalized set of controls, called an "overlay", applicable across a whole industry or, for example, needed to meet some specific requirements, technologies or operational tasks (below we will call such overlays "industry" overlays). Such a set can be developed both by the organization itself and by federal authorities for an entire industry. For example, the government may issue a set of controls that must be implemented in all federal institutions where PKI is used. Thus, a set of security controls can be developed by any interested party to respond adequately to information security risks and then distributed to other participants in an industry or to users of a particular technology or equipment. This way of applying the "tailoring" methodology provides a good basis for standardizing information security capabilities across technological areas or in specific operating conditions (the universality and uniformity of approach that the authors laid down in the very foundations of NIST SP 800-53 find their application here).
The concept of an "overlay" is introduced to make it possible to develop both industry-specific and specialized sets of security controls for information systems and organizations. An "overlay" is a fully specified set of security controls, control "enhancements" and additional implementation information, developed in accordance with the rules of the "tailoring" process.
"Overlays" supplement the baseline sets of security controls by:
  1. Providing the ability to add and remove controls;
  2. Providing the applicability of security controls and their interpretation for specialized information technologies, computing paradigms, types of information, operating environments, technology sectors, legal and regulatory requirements, and so on;
  3. Setting industry-wide values for the parameters of security controls and "enhancements";
  4. Extending the additional information on the use of controls as necessary.

Typically, organizations use "overlays" when there are discrepancies with the assumptions under which the baseline sets of security controls were created (we already talked about these assumptions in the corresponding section above). If the organization has no significant discrepancies with the baseline assumptions, there will most often be no need to create and use an "overlay".
"Overlays" make it possible to reach agreement within an industry (in other words, a community of interest) and to develop a security plan for the organization's IS that will be supported by the other participants, despite the specific conditions and circumstances of a particular industry. Overlays can be useful for various communities of interest, for example:
  1. Industrial sectors, coalitions and corporations (healthcare, energy, transport, etc.);
  2. Information technologies / computing paradigms (cloud services, BYOD, PKI, cross-domain solutions, etc.);
  3. Operating environments;
  4. Types of IS and modes of operation (industrial / test systems, single-user systems, weapon systems, isolated systems);
  5. Types of missions / operations (counter-terrorism, emergency response, research, development, testing, evaluation, etc.);
  6. Legislative and regulatory requirements (here the American requirements do not apply to us).

When developing "overlays", the authors of the publication advise using the risk management concepts of NIST SP 800-39 to achieve greater efficiency. Successful development of an "overlay" requires the mandatory participation of:
  • Information security professionals who understand the specifics of the field for which the "overlay" is being developed;
  • Subject-matter experts from the domain for which the "overlay" is being developed, who understand the purpose of the security controls, the role of the baselines and the structure of overlay development.

Several "overlays" can be applied to one set of controls. A "tailored" set of controls obtained as a result of overlay development can be either stronger or weaker than the original one. Risk assessment helps to determine whether the risk of implementing a "tailored" set is acceptable within the risk tolerance adopted by the organization or "community of interest" that developed the overlay. When several "overlays" are applied, it is quite possible that different overlays contradict each other on individual points. If such a contradiction is found that may lead to a conflict during implementation, or even to the rejection of a specific security control, the disputed situation should be resolved with the involvement of the responsible persons, the overlay developers,
In general terms, "overlays" are designed to reduce the need to "tailor" sets of controls on the go (in haste) by developing a set of controls and "enhancements" that best suits specific conditions, circumstances and/or situations. This way a more mature and, in the future, unified approach to information security should be achieved. At the same time, the use of "overlays" does not eliminate the need for further "tailoring" to the organization's needs, restrictions and assumptions. "Tailoring" of an "overlay" is also allowed and is done with the approval and coordination of the responsible persons and developers. In the general case, however, the expected number of hasty changes to the structure of security control sets is significantly reduced.
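To make the tailoring steps and the overlay mechanics above concrete, here is an added toy model (not from the article and not NIST's own material) that applies overlays to a baseline, refuses to combine overlays that contradict each other as described above, keeps the rule that a control enhancement presupposes its base control, and records a rationale log for the security plan. The mini-baselines, overlay names and parameter names are constructed for illustration; only the identifier format (AC-2, AC-2(1)) follows NIST SP 800-53.

```python
import re
from dataclasses import dataclass, field
# Constructed mini-baselines (the real ones list hundreds of controls); only the id form is NIST's.
BASELINES = {
    "low": {"AC-2", "AC-7", "IA-5"},
    "moderate": {"AC-2", "AC-2(1)", "AC-7", "IA-5", "IA-5(1)", "SC-8"},
    "high": {"AC-2", "AC-2(1)", "AC-2(5)", "AC-7", "IA-5", "IA-5(1)", "SC-8", "SC-8(1)"},
}

def base_of(control):
    return re.sub(r"\(\d+\)$", "", control)  # "AC-2(5)" -> "AC-2"

@dataclass
class Overlay:
    name: str
    add: set = field(default_factory=set)      # controls / enhancements to add
    remove: set = field(default_factory=set)   # controls / enhancements to remove
    params: dict = field(default_factory=dict)  # {"AC-7": {"max_attempts": 5}}

def check_conflicts(overlays):
    """List where overlays disagree: one adds what another removes, or parameters differ."""
    issues = []
    for i, ov in enumerate(overlays):
        for other in overlays[i + 1:]:
            for a, b in ((ov, other), (other, ov)):
                clash = {c for c in a.add if c in b.remove or base_of(c) in b.remove}
                if clash:
                    issues.append(f"{a.name} adds {sorted(clash)} but {b.name} removes them")
            for ctl in ov.params.keys() & other.params.keys():
                for p in ov.params[ctl].keys() & other.params[ctl].keys():
                    if ov.params[ctl][p] != other.params[ctl][p]:
                        issues.append(f"{ov.name} and {other.name} set {ctl} {p} differently")
    return issues

def tailor(level, overlays):
    """Apply overlays to a baseline; return (controls, parameter values, rationale log)."""
    issues = check_conflicts(overlays)
    if issues:  # conflicts go to the responsible persons, they are not resolved silently
        raise ValueError("overlay conflict: " + "; ".join(issues))
    controls = set(BASELINES[level])
    params, log = {}, [f"baseline '{level}': {sorted(controls)}"]
    for ov in overlays:
        for ctl in sorted(ov.remove):  # dropping a base control drops its enhancements too
            dropped = {c for c in controls if c == ctl or base_of(c) == ctl}
            controls -= dropped
            log.append(f"{ov.name}: removed {sorted(dropped)}")
        for ctl in sorted(ov.add):  # adding an enhancement pulls in its base control
            needed = {ctl, base_of(ctl)} - controls
            controls |= needed
            log.append(f"{ov.name}: added {sorted(needed)}")
        for ctl, vals in ov.params.items():
            params.setdefault(ctl, {}).update(vals)
            log.append(f"{ov.name}: set {ctl} parameters {vals}")
    return controls, params, log
```

The returned log is the "argumentation of the decision" that the documentation section below asks for: every addition, removal and parameter value is traceable to the overlay that caused it.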


* Ignoring safety, you walk on thin ice *

Documentation of the control selection process


NIST, of course, has a section devoted to documenting all actions carried out while working with security controls. Americans are notable bureaucrats and, like the staff of many domestic institutions, like to back up any activity with some piece of paper. This time, however, it is about genuinely useful things.
So, every decision about the choice of controls must be accompanied by the argumentation behind it. This is needed to make subsequent assessments of potential threats to the organization's assets more successful. The final set of security controls, including any restrictions on its use for individual information systems or for combinations of them, should be reflected in the corresponding security plan. It is necessary to ensure that all significant decisions are documented as part of the risk management process, so that the responsible persons have access to this information later.

Additional considerations


Decisions made while "tailoring" sets of controls do not exist on their own, but in the context of a particular organization. This means that, while they are focused on information security, they must be kept consistent with the other risk factors present in the organization. Factors such as cost, schedule and performance should be considered when determining the controls planned for implementation in the organization.


* Security requires attention to detail *

New developments and legacy systems


The process of selecting security controls discussed in this article can be applied to the organization's information systems in two different ways: as legacy systems or as new developments.
For systems under development, security controls are selected from the standpoint of "defining requirements at the design stage", since the system does not yet exist in its finished form and only a preliminary categorization of the IS is performed. In this case the controls included in the information system's security plan serve as security requirements and are built into the system during development and implementation. Beyond that, the full RMF cycle is simply applied.
For legacy systems, on the contrary, controls are selected from the standpoint of gap analysis, when the organization plans significant changes to the information system (for example, during an upgrade or modification). Since "legacy" means the IS is already in use, the organization has most likely already categorized the system, and selecting security controls amounts to adjusting the previously selected set of controls, which should already be present in the approved security plan for the system, and then implementing these controls in the IS. Gap analysis can therefore be performed as follows:
  1. The criticality value and the levels of negative impact on the information system are confirmed or updated, based on the information the system currently processes, stores or transmits;
  2. The existing security plan describing the implemented security controls is analysed. Any changes in security categories and levels of negative impact, as well as other changes in the organization, its business processes, systems and operating environment, are taken into account. A reassessment of the risks and of the security plan is mandatory, as is documenting any additional security controls that must be implemented so that the risks remain at a level acceptable to the organization;
  3. The controls listed in the updated security plan are implemented, and the plan of action and milestones for the controls not yet implemented is documented;
  4. The remaining steps of the Risk Management Framework cycle are carried out in the same way as for newly developed systems.


Instead of a conclusion


With this, perhaps, we can finish the review of NIST SP 800-53. Much that is interesting remains outside this series of articles, because the document contains more than 450 pages of printed text. It is simply not possible to cover all the details and subtleties of using this document in 4 short articles on Habr, especially without the experience of actually applying the principles it presents and implementing the controls it describes.
I hope I managed to interest someone in NIST SP 800-53 and, for those who had already heard something about it, to tell a little more about how it is structured.
And finally, another poster:

* Add a pinch of security. This is a key ingredient! *

And on that note, I bid you farewell. If you have questions, comments or suggestions, feel free to use the comments and PM.
Thanks for your attention!
