SECURITY CONTROL SELECTION PHASE 2

C&A analyst selects Recommended controls from NIST SP 800-53 base on the system categorization-Low, Moderate or High to develop the Security Control Baseline draft
C&A Analyst provides Draft of the Security Control Baseline to the information System Security Officer (ISSO) and the System Owner for review
ISSO and System Owner identify common control, Hybrid control, system specific control and control Not applicable
The above process is called Tailoring of Security control baseline
Final Security Control Baseline is created after system owner and ISSO review and tailor the security control baseline

SECURITY CONTROL SELECTION PHASE 2

C&A analyst selects Recommended controls from NIST SP 800-53 base on the system categorization-Low, Moderate or High to develop the Security Control Baseline draft
C&A Analyst provides Draft of the Security Control Baseline to the information System Security Officer (ISSO) and the System Owner for review
ISSO and System Owner identify common control, Hybrid control, system specific control and control Not applicable
The above process is called Tailoring of Security control baseline
Final Security Control Baseline is created after system owner and ISSO review and tailor the security control baseline

Security Control Selection Phase 2

Lesson Progress

0% Complete

Now that we have finished classifying the system, the next step is to selected NIST recommended security controls that apply to the system’s classification (High, Moderate or Low).
NIST Publication
- FIPS 200-Minimum security requirement h t tp ://csr c .nist.g o v/publication s /fip s /fip s 200/F IP S –20 0 – fina l –ma r ch.pdf
- NIST SP 800-53 Rev4-NIST Recommended security controls (New version with the privacy family-Total of 26 families: Management, Operational, technical, and Privacy) h t tp ://n vlpub s .nist.g o v/ni s tpubs /Sp e cialP u blications /N I ST .S P .80 0-53 r 4 .pdf
SANS Top20 critical Security Control-SANS controls are mapped to NIST controls h t t p ://ww w .sa ns .o r g /critic a l –sec u ri t y –c on t r o ls
The security controls selected is termed System Security Control Baseline. This is usual in a form of a spread sheet.
The security controls (e.g., AC-2) prescribe specific security-related activities or actions to be carried out by organizations or by information systems.
The security control enhancements (e.g., AC-2 (7)) provides statements of security capability to: (i) add functionality/specificity to a control; and/or (ii) increase the strength of a control.