I’ve been waiting all year to show this video, and the grading rubric lets me write in the first person! Yahoo! Check this out: https://www.youtube.com/watch?v=tiBiErPaRqM.
Now, what do the Three Stooges have to do with IT security controls? It’s simple! If security controls are not fully implemented as a complete suite of tools, the CISO ends up with a Rube Goldberg security solution just like the plumbing solution in the film. Curly tried to fix the leak using individual pipes and did not take a holistic approach to solving the problem. The result: a mess!
Interestingly enough, there are 256 (National Institute of Standards and Technology, 2016) individual security controls identified by NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (National Institute of Standards and Technology, 2013). These 256 security controls are individual safeguards, each designed to reduce risk by countering a specific class of threat or weakness; no single control is meant to stand alone. These 256 tools fall under 18 security control families (National Institute of Standards and Technology, 2013).
Which are the four most important? I cannot say, because each enterprise brings with it a unique set of issues. Enterprise context aside, however, the four control families that resonate the most with me are: Awareness and Training, Personnel Security, Physical and Environmental Protection, and Access Control.
Awareness and Training refers to indoctrination and recurring education designed to impart to employees a security mindset. I believe it to be a critical family because it goes a long way towards instilling a security culture within an organization. Personnel Security is focused on the human element within an organization. Security begins and ends, ultimately, with people. This control family is focused on the people-related actions for the human aspect of the organization: screening, termination, transfer, and sanctions. Physical and Environmental Protection is concerned with the physical aspects of an enterprise. Specifically, it addresses physical access, visitor controls, electric power, ventilation, etc. I consider it to be important because at times CISOs may take some of these elements for granted. Lastly, Access Control refers to the process of authorizing individuals, processes, and devices to gain access to the enterprise and its systems, and of limiting what they can do once inside. Simply speaking, a strong Access Control program keeps the bad guys out.
Process and policy controls are a mixture of the Operational and Management control metagroupings. I don’t consider them to be a true safeguard because they serve as only one set of tools in the kit bag. Remember the Three Stooges plumbing solution? Curly needed to take a holistic approach to the entire problem. Process and policy controls offer only one piece of the solution. The other pieces are technical, operational, and managerial controls. In short, an enterprise requires all 18 control families.
Awareness and Training, Personnel Security, Physical and Environmental Protection, and Access Control are only four tools out of many in the entire NIST 800-53 kit bag. Security managers need to take a holistic approach when looking at their entire enterprise to get a clear picture of needed security measures. The NIST 800-53 control families go a long way to round out this tool bag.
National Institute of Standards and Technology. (2013, April 1). NIST Publications: Special Publications. Retrieved from NIST.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublicatio…
National Institute of Standards and Technology. (2016, October 26). National Vulnerability Database. Retrieved from National Institute of Standards and Technology: https://web.nvd.nist.gov/view/800-53/Rev4/results