CySA+ Chapter 11_ Frameworks, Policies, Controls, and Procedures (1)

Pages: 13
Grade: A+
Published: 1 August 2024
Written in: 2024/2025


Content preview

CySA+ Chapter 11: Frameworks, Policies, Controls, and Procedures
What is NIST? - ANS-The National Institute of Standards and Technology (NIST) is an organization within the U.S. Department of Commerce that is charged with promoting innovation and industrial competitiveness. NIST develops and publishes standards and guidelines aimed at improving practices, including cybersecurity, across a variety of sectors.

What is NIST SP 800-53? - ANS-SP 800-53, the "Security and Privacy Controls for Federal Information Systems and Organizations," is a document cataloging the security and privacy controls of federal information systems. SP 800-53 includes a helpful process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.

SP 800-53 breaks down the different control categories (e.g., access control, awareness and training, configuration management, contingency planning, incident response, risk assessment, and so on) into one of three classes (technical, operational, or management). This publication helps organizations outline the controls they can place on their information systems to remain compliant with FIPS 199, which I'll get into later.

What is NIST SP 800-61 (Revision 2)? - ANS-NIST Special Publication 800-61 (Revision 2) is the "Computer Security Incident Handling Guide," and it deals specifically with Incident Response (IR). SP 800-61 helps organizations respond efficiently and effectively to incidents big and small. Every organization is going to experience an incident at some point, so being able to respond appropriately and analyze incident-related data to determine an appropriate response is crucial at a time when IR has become an important aspect of Information Technology.

SP 800-61 provides organizations with a way to develop incident handling policies, plans, procedures, teams, and recommendations. It also prepares organizations for the detection and analysis of cyber attacks as well as the containment, eradication, and recovery from cyber incidents.

What is NIST SP 800-37? - ANS-Special Publication 800-37 is the "Guide for Applying the Risk Management Framework to Federal Information Systems." SP 800-37 provides a life cycle approach and guideline for applying an organization-wide Risk Management Framework (RMF) to federal information systems. RMF is a 6-step process that includes the following:

1. security categorization,
2. security control selection,
3. security control implementation,
4. security control assessment,
5. information system authorization, and
6. security control monitoring

SP 800-37 places a heavy emphasis on continuous monitoring (step 6) of controls, risk, and response, which entails appropriate, cost-effective decisions that not only mitigate the risk involved, but also remain in line with the organization's core missions and business functions.

What is FIPS 199? - ANS-"FIPS" stands for "Federal Information Processing Standards." During the business impact analysis (BIA), each system or asset is identified and prioritized according to the guidelines laid out in the FIPS 199 publication. Because information systems are complex and often support multiple mission-critical processes, it can be difficult to determine the importance of each system and its security categorization. CIOs and contingency planning coordinators can therefore work with management, IT specialists, and internal/external points of contact to validate the importance of each system and its proper security categorization. Creating resource tables is helpful when identifying the value of mission-critical systems.

FIPS 199 assists organizations in providing appropriate levels of information security by helping them classify their assets according to a range of potential impact levels (e.g., low, moderate, and high potential impact from a disruption). Additionally, expected downtime can be estimated for each disaster, along with the maximum amount of downtime that can be tolerated while still maintaining business operations. Three security objectives are also defined: confidentiality, integrity, and availability of data (the CIA triad). Both the potential impact level and the security objective are used to produce a security categorization (SC) for each system and component. For example, the security categorization for a SCADA system at a power plant is expressed as Confidentiality = moderate; Integrity = high; Availability = high.

What is CSF? - ANS-The CSF was created by NIST in response to Executive Order 13636, which called for the development of a voluntary cybersecurity framework for organizations that are part of the nation's critical infrastructure. The biggest requirement for the CSF was that it had to be flexible, repeatable, and cost-effective.

The CSF is split into 3 main components: the Framework Core, the Implementation Tiers, and the Framework Profile.

The Framework Core is split into 5 functions (Identify, Protect, Detect, Respond, and Recover). These are all cybersecurity activities that help organizations make risk management decisions, address threats, and improve by learning from previous activities. Functions are further split into 22 categories (e.g., access control and detection processes) and 98 subcategories (e.g., data-at-rest is protected).

Document info

Type: Exam
Contains: Questions and answers
Seller: Ace360PRO (Stuvia)