I’ve been waiting all year to show this video and the grading rubric lets me write in the First Person! Yahoo! Check this out: https://www.youtube.com/watch?v=tiBiErPaRqM.
Now, what do the Three Stooges have to do with IT Security controls? It’s simple! If security controls are not fully implemented as a complete suite of tools, the CISO ends up with a Rube Goldberg security solution just like the plumbing solution in the film. Curly tried to fix the leak using individual pipes and did not take a holistic approach to solving the problem. The result: A mess!
Interestingly enough, there are 256 (National Institute of Standards and Technology, 2016) individual security controls identified in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (National Institute of Standards and Technology, 2013). These 256 security controls are individual tools, each designed to reduce the risk posed by specific vulnerabilities. These 256 tools fall under 18 security control families (National Institute of Standards and Technology, 2013).
Which are the four most important? I cannot say because each enterprise brings with it a unique set of issues. Enterprise context aside, however, the four control families that resonate the most with me are: Awareness and Training, Personnel Security, Physical/Environmental Protection and Access Control.
Awareness and Training refers to indoctrination and recurring education designed to instill a security mindset in employees. I believe it to be a critical family because it goes a long way towards instilling a security culture within an organization. Personnel Security is focused on the human element within an organization. Security begins and ends, ultimately, with people. This control family addresses the actions taken with respect to people: screening, agreements, transfers and terminations. Physical/Environmental Protection is concerned with the physical aspects of an enterprise. Specifically, it addresses physical access, visitor controls, electric power, ventilation, etc. I consider it to be important because at times CISOs may take some of these elements for granted. Lastly, Access Control refers to the process of authorizing individuals to gain access to enterprise systems and information. Simply speaking, a strong Access Control program keeps the bad guys out.
Process and policy controls are a mixture of the Operational and Management control metagroupings. I don’t consider them to be a true safeguard on their own because they serve as only one set of tools in the kit bag. Remember the Three Stooges plumbing solution? Curly needed to take a holistic approach to the entire problem. Process and policy controls offer only one piece of the solution. The other pieces are technical, operational and managerial controls. In short, an enterprise requires all 18 control families.
Awareness and Training, Personnel Security, Physical/Environmental Protection and Access Control are only four tools out of many in the entire NIST 800-53 kit bag. Security managers need to take a holistic approach when looking at their entire enterprise to get a clear picture of the security measures they need. The NIST 800-53 control families go a long way toward rounding out this tool bag.
National Institute of Standards and Technology. (2013, April 1). NIST Publications: Special Publications. Retrieved from NIST.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublicatio…
National Institute of Standards and Technology. (2016, October 26). National Vulnerability Database. Retrieved from National Institute of Standards and Technology: https://web.nvd.nist.gov/view/800-53/Rev4/results