Wk 2 - NIST RMF Step 2: Select Security Controls [due Mon]

Assignment Content

As the team leader for Phoenix Security Services' SureMarket account, you continue your SOX assessment of compliance using the NIST RMF as described in NIST SP 800-37:

Step 1: Categorize Information Systems

Step 2: Select Security Controls

Step 3: Implement Security Controls

Step 4: Assess Security Controls

Step 5: Authorize Information System

Step 6: Monitor Security Controls

Review each security family you identified in Step 1. Use NIST SP 800-53a to determine the specific security controls for each as it applies to the SureMarket Sarbanes-Oxley Act (SOX) assessment.

Your next task is to complete Step 2 of the NIST RMF process by continuing to document information needed for your presentation to the SureMarket leadership in Part B of the Week 4 assignment.

To prepare your documentation, create a 5- to 6-page table in Microsoft Word mapping each security family to the specific security controls contained within NIST SP 800-53a. Each security family will have more than one security control. Organize your information in a table with the following columns:

Security Family Area

Specific Security Controls Within Each Family Area

Description of Each Security Control

Note: You will use this week's assignment to help you complete your Week 3 assignment.

Submit your assignment.

Resources

Center for Writing Excellence

Reference and Citation Generator

Grammar and Writing Guides

Source: NIST Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, Chapter 3.

3.1 PREPARING FOR SECURITY AND PRIVACY CONTROL ASSESSMENTS

Conducting security control assessments and privacy control assessments in today's complex environment of sophisticated information technology infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires the cooperation and collaboration among all parties having a vested interest in the organization's information security or privacy posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, chief executive officers/heads of agencies, security and privacy staffs, Inspectors General, and OMB. Establishing an appropriate set of expectations before, during, and after an assessment is paramount to achieving an acceptable outcome, that is, producing the information necessary to help the authorizing official make a credible, risk-based decision on whether to place the information system into operation or continue its operation. Thorough preparation by the organization and the assessors is an important aspect of conducting effective security control assessments and privacy control assessments. Preparatory activities address a range of issues relating to the cost, schedule, and performance of the assessment.

From the organizational perspective, preparing for a security or privacy control assessment includes the following key activities:

Ensuring that appropriate policies covering security and privacy control assessments, respectively, are in place and understood by all affected organizational elements;

Ensuring that all steps in the RMF prior to the security or privacy control assessment step have been successfully completed and received appropriate management oversight;

Establishing the objective and scope of assessments (i.e., the purpose of the assessments and what is being assessed)

After the security assessment plan or privacy assessment plan is approved by the organization,[35] the assessor(s) or assessment team executes the plan in accordance with the agreed-upon schedule. Determining the size and organizational makeup of the assessment team (i.e., skill sets, technical expertise, and assessment experience of the individuals composing the team) is part of the risk management decisions made by the organization requesting and initiating the assessment. The results of security control assessments and privacy control assessments are documented in security assessment reports and privacy assessment reports, respectively, which are key inputs to the authorization package developed by information system owners and common control providers for authorizing officials.[36] Security assessment reports and privacy assessment reports include information from assessors (in the form of assessment findings) necessary to determine the effectiveness of the security or privacy controls employed within or inherited by the information system. These assessment reports are an important factor in an authorizing official's determination of risk.

Organizations may choose to develop an assessment summary from the detailed findings that are generated by assessors during the security control assessments and privacy control assessments. An assessment summary can provide an authorizing official with an abbreviated version of an assessment report focusing on the highlights of the assessment, a synopsis of key findings, and recommendations for addressing weaknesses and deficiencies in the security or privacy controls assessed. Appendix G provides information on the recommended content of assessment reports. Assessment objectives are achieved by applying the designated assessment methods to selected assessment objects and compiling/producing the evidence necessary to make the determination associated with each assessment objective. Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings: (i) satisfied (S); or (ii) other than satisfied (O). A finding of satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met, producing a fully acceptable result. A finding of other than satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization. A finding of other than satisfied may also indicate that, for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement.

For assessment findings that are other than satisfied, organizations may choose to define subcategories of findings indicating the severity and/or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Defining such subcategories can help to establish priorities for needed risk mitigation actions. Assessor findings are an unbiased, factual reporting of what was found concerning the security or privacy control assessed. For each finding of other than satisfied, assessors indicate which parts of the security or privacy control are affected by the finding (i.e., aspects of the control that were deemed not satisfied or were not able to be assessed) and describe how the control differs from the planned or expected state. The potential for compromises to confidentiality, integrity, and availability due to other than satisfied findings is also noted by the assessor in the security or privacy assessment report. This notation reflects the lack of a specified protection and the exploitation that could occur as a result (i.e., workstation, dataset, root level access). Risk determination and acceptance activities are conducted by the organization post-assessment as part of the risk management strategy established by the organization. These risk management activities involve the senior leadership of the organization including, for example, heads of agencies, mission/business owners, information owners/stewards, risk executive (function), and authorizing officials, in consultation with appropriate organizational support staff (e.g., senior information security officers, senior agency officials for privacy/chief privacy officers, chief information officers, information system owners, common control providers, and assessors). Security control assessment and privacy control assessment results are documented at the level of detail appropriate for the assessment in accordance with the reporting format prescribed by organizational policy, NIST guidelines, and OMB policy. The reporting format is appropriate for the type of assessment conducted (e.g., self-assessments by information system owners and common control providers, independent verification and validation, independent assessments supporting the authorization process, automated assessments, or independent audits or inspections). Information system owners and common control providers rely on the expertise and the technical judgment of assessors to: (i) assess the security and privacy controls in the information system and inherited by the system; and (ii) provide recommendations on how to correct weaknesses or deficiencies in the controls and reduce or eliminate identified vulnerabilities. The assessment results produced by the assessor (i.e., findings of satisfied or other than satisfied, identification of the parts of the security or privacy control that did not produce a satisfactory result, and a description of the resulting potential for compromises to the information system or its environment of operation) are provided to information system owners and common control providers in the initial security assessment reports and privacy assessment reports.

System owners and common control providers may choose to act on selected recommendations of the assessor before the assessment reports are finalized if there are specific opportunities to correct weaknesses or deficiencies in the security or privacy controls or to correct and/or clarify misunderstandings or interpretations of assessment results. Security or privacy controls that are modified, enhanced, or added during this process are reassessed by the assessor prior to the production of the final assessment reports.

[35] Organizations establish a security and privacy assessment plan approval process with the specific organizational officials (e.g., information system owners, common control providers, information system security officers, senior information security officers, senior agency officials for privacy/chief privacy officers, authorizing officials) designated as approving authorities.

[36] In accordance with Special Publication 800-37, the security authorization package consists of the security plan, the security assessment report, and the plan of action and milestones (POAM).
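The SP 800-53A passage above describes how findings are built: every determination statement in an assessment procedure yields S or O, an O also covers the case where the assessor could not obtain enough evidence, O findings name the affected parts of the control, and the organization may define severity subcategories to prioritize remediation. The following Python script is an added illustration of that roll-up logic, not NIST's text or tooling and not part of the assignment; the Finding/ControlResult data model, the severity labels high/moderate/low, and the sample determinations are constructed assumptions for the example.

```python
"""Roll up determination-statement findings into control-level assessment results.

Added example (not NIST's text or code) for the finding logic described in
SP 800-53A Chapter 3: each determination statement produces S (satisfied) or
O (other than satisfied); O also covers cases where the assessor could not
obtain sufficient evidence; organizations may define severity subcategories
for O findings. The data model and severity labels below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed organization-defined subcategories for O findings, most severe first.
SEVERITY_RANK = {"high": 0, "moderate": 1, "low": 2}
UNRATED_RANK = len(SEVERITY_RANK)  # insufficient-evidence findings carry no severity


@dataclass
class Finding:
    control: str                      # SP 800-53 control identifier, e.g. "AC-2"
    part: str                         # part of the control the determination covers
    finding: str                      # "S" or "O"
    severity: Optional[str] = None    # O findings only; None when evidence was insufficient
    insufficient_evidence: bool = False
    note: str = ""                    # how the control differs from the planned state


@dataclass
class ControlResult:
    control: str
    status: str                             # "S" only if every determination is S
    affected_parts: List[str] = field(default_factory=list)
    worst_severity: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def validate(f: Finding) -> None:
    """Reject findings that contradict the S/O rules before they reach a report."""
    if f.finding not in ("S", "O"):
        raise ValueError(f"{f.control} {f.part}: finding must be S or O, got {f.finding!r}")
    if f.finding == "S" and (f.severity or f.insufficient_evidence):
        raise ValueError(f"{f.control} {f.part}: a satisfied finding cannot carry severity or evidence gaps")
    if f.finding == "O" and not f.insufficient_evidence and f.severity not in SEVERITY_RANK:
        raise ValueError(f"{f.control} {f.part}: O findings need a severity unless evidence was insufficient")


def roll_up(findings: List[Finding]) -> Dict[str, ControlResult]:
    """Group determinations per control; a single O determination makes the control O."""
    by_control: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        validate(f)
        by_control[f.control].append(f)
    results: Dict[str, ControlResult] = {}
    for control, fs in by_control.items():
        other = [f for f in fs if f.finding == "O"]
        if not other:
            results[control] = ControlResult(control, "S")
            continue
        rated = [f.severity for f in other if f.severity]
        worst = min(rated, key=SEVERITY_RANK.__getitem__) if rated else None
        results[control] = ControlResult(
            control, "O",
            affected_parts=[f.part for f in other],
            worst_severity=worst,
            notes=[f.note for f in other if f.note],
        )
    return results


def prioritized(results: Dict[str, ControlResult]) -> List[ControlResult]:
    """O controls ordered for the assessment summary: highest severity first, unrated last."""
    other = [r for r in results.values() if r.status == "O"]
    return sorted(other, key=lambda r: (SEVERITY_RANK.get(r.worst_severity, UNRATED_RANK), r.control))


def render(results: Dict[str, ControlResult]) -> str:
    """Plain-text table: prioritized O controls first, then the satisfied ones."""
    rows = ["control | status | worst | affected parts"]
    satisfied = sorted((r for r in results.values() if r.status == "S"), key=lambda r: r.control)
    for r in prioritized(results) + satisfied:
        rows.append(f"{r.control} | {r.status} | {r.worst_severity or '-'} | {', '.join(r.affected_parts) or '-'}")
    return "\n".join(rows)


# Constructed sample determinations (not real assessment data).
SAMPLE = [
    Finding("AC-2", "AC-2(a)", "S"),
    Finding("AC-2", "AC-2(b)", "O", severity="moderate", note="account review interval undefined"),
    Finding("AC-2", "AC-2(c)", "S"),
    Finding("AU-2", "AU-2(a)", "S"),
    Finding("CM-6", "CM-6(a)", "O", severity="high", note="no approved baseline for DB servers"),
    Finding("IA-5", "IA-5(a)", "O", insufficient_evidence=True, note="password policy export not provided"),
    Finding("SC-7", "SC-7(a)", "S"),
]

if __name__ == "__main__":
    print(render(roll_up(SAMPLE)))
```

Running the script prints a table with CM-6 (high) first, AC-2 (moderate) second, IA-5 (O with no severity because the evidence was insufficient) last among the O controls, and the S controls after them. `validate` enforces the rule that an S finding cannot carry a severity or an evidence gap, which is the kind of consistency check worth running before findings are transcribed into the security assessment report.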
