Selecting Security Control Baselines


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

• Selecting appropriate security control baselines

• Tailoring the baselines

• Documenting the security control selection process

• Applying the control selection process to new development and legacy systems.

Selecting Security Control Baselines

Organizations first perform security categorization, which determines the criticality and sensitivity of the information that an information system processes, stores, or transmits. The basic goal is to determine the potential adverse impact on the organization and thereby guide the selection of appropriate safeguards and countermeasures to adequately protect those information systems.

The second step in baselining uses the impact values for confidentiality, integrity, and availability of each information type. There are three impact levels. A low-impact system is one in which all three security objectives are low. A moderate-impact system is one in which at least one security objective is moderate and no security objective is higher than moderate. A high-impact system is one in which at least one objective is high. The generalized form of the security categorization (SC) of a system and its security objectives is:

SC (information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Next, the organization determines the information system security categorization, that is, the highest impact value for each security objective (confidentiality, integrity, availability) among the categorizations of the information types associated with the information system. Finally, it determines the overall impact level of the information system as the highest impact value among the three security objectives in the system security categorization.
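The categorization procedure above, carried through in code as an added example (it is not part of the essay): each information type carries an SC triple, the system's SC takes the highest impact value per objective, and the overall impact level is the highest of the three, which then selects the initial baseline. The information types and impact values in SAMPLE_SYSTEM are constructed for illustration.

```python
"""Security categorization of an information system (added example, not from the essay).

Implements the generalized form
    SC(system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
with the high-water mark rule: per objective, the highest impact value across the
system's information types; overall level, the highest of the three objectives.
The information types and impact values in SAMPLE_SYSTEM are constructed.
"""
from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"low": 0, "moderate": 1, "high": 2}          # ordering used by the high-water mark
NAME = {rank: level for level, rank in RANK.items()}


def validate_sc(sc: Dict[str, str]) -> Dict[str, str]:
    """Check that one information type's SC triple names all three objectives
    and uses only the impact values low, moderate or high."""
    if set(sc) != set(OBJECTIVES):
        raise ValueError(f"SC must assign exactly {OBJECTIVES}, got {sorted(sc)}")
    for objective, level in sc.items():
        if level not in RANK:
            raise ValueError(f"{objective}: impact value {level!r} is not low/moderate/high")
    return dict(sc)


def system_categorization(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """SC(system): for each security objective, the highest impact value found
    among the categorizations of the information types the system handles."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    validated = [validate_sc(sc) for sc in info_types.values()]
    return {
        objective: NAME[max(RANK[sc[objective]] for sc in validated)]
        for objective in OBJECTIVES
    }


def overall_impact_level(sc: Dict[str, str]) -> str:
    """Overall impact level: low only if all three objectives are low,
    high as soon as any objective is high, otherwise moderate."""
    return NAME[max(RANK[sc[objective]] for objective in OBJECTIVES)]


def select_baseline(level: str) -> str:
    """Map the overall impact level to the initial security control baseline to tailor."""
    return {"low": "LOW", "moderate": "MODERATE", "high": "HIGH"}[level] + " baseline"


# Constructed sample system handling two information types.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "personnel records": {"confidentiality": "moderate", "integrity": "low", "availability": "low"},
}

if __name__ == "__main__":
    sc = system_categorization(SAMPLE_SYSTEM)
    level = overall_impact_level(sc)
    print("SC(system) =", sc)
    print("overall impact level:", level, "->", select_baseline(level))
```

Note that a single high value on any one objective of any one information type is enough to pull the whole system into the HIGH baseline; that is what makes the per-type categorization worth documenting rather than assigning one level to the system by feel.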

Tailoring Baseline Security Controls

Organizations carry out the tailoring process to modify and align the baseline security controls more closely with the specific conditions of the organization: its mission, its information systems, and its environments of operation. Tailoring decisions can also be based on the timing and applicability of selected security controls under defined conditions; overlays, for example, can capture such special situations, conditions, or timing-related considerations.

The tailoring process is an integral part of the organization's comprehensive risk management process for security control selection and specification. Organizations use risk management guidance to facilitate risk-based decision making regarding the applicability of the security controls in the baselines. Ultimately, organizations use the tailoring process to achieve cost-effective, risk-based security that supports organizational mission/business needs.

The security controls are organized into families, each related to a general security topic and identified uniquely by a two-character ID, as listed in Table A:

Table A: Security control families

ID  FAMILY                                   ID  FAMILY
AC  Access Control                           MP  Media Protection
AT  Awareness and Training                   PE  Physical and Environmental Protection
AU  Audit and Accountability                 PL  Planning
CA  Security Assessment and Authorization    PS  Personnel Security
CM  Configuration Management                 RA  Risk Assessment
CP  Contingency Planning                     SA  System and Services Acquisition
IA  Identification and Authentication        SC  System and Communications Protection
IR  Incident Response                        SI  System and Information Integrity
MA  Maintenance                              PM  Program Management

These tailoring activities are approved by authorizing officials prior to implementing the security controls. Organizations have the flexibility to perform the tailoring process at the organization level for all information systems, and they document significant risk management decisions made during the security control selection process.

The tailoring process begins with identifying and designating common controls in the initial security control baselines. To avoid duplication of work and reduce the organization's security expenditure, if an information system inherits a security control from another entity, the system does not need to implement that control itself, because the security capability is already being provided by that entity.

By applying scoping considerations to the remaining baseline security controls, the organization decides where to apply which security controls within its information systems, in order to achieve the best possible security capability while satisfying the security requirements derived from the organization's mission statement. Baseline security controls are tailored to meet the organization's information security needs based on its technical, environmental, functional and security requirements.

When, for financial or technical reasons, an organization is unable to implement a required baseline security control, it selects compensating security controls. These compensating controls can be selected from the families given above in Table A.

The organization assigns specific values to organization-defined security control parameters. These parameters are defined, and their values depend on organizational rules, procedures and guidelines within the federal outlines.

After applying the appropriate set of security controls, the organization supplements the baseline with additional security controls and control enhancements, to reduce the possibility that any threat or vulnerability remains unaddressed after the risk assessment.

The organization provides additional specification information for control implementation, along with the necessary technical specifications, while making sure that the objective and the level of security provided by the control are not changed.

After tailoring the set of initial baseline security controls to achieve a more focused and relevant security capability, the organization applies tailoring guidance to the baselines to develop a set of security controls for community-wide use, or to address specialized requirements, technologies, or unique missions. For example, the Federal Government approves and enforces a policy to use public key infrastructure (PKI) systems uniformly in all public sector organizations.

Overlays provide an opportunity to build consensus across communities of interest and to develop security plans for organizational information systems in specific circumstances. Categories of useful overlays include:

• Communities of interest

• Information technologies such as PKI and smart cards

• Industry sectors

• Environments of operation

• Types of information systems

• Operating modes, either standalone or multiuser systems

• Coalitions and partnerships

• Statutory and regulatory requirements

Documenting the Security Controls

Organizations document the security control selection process since it plays a vital role in the organizational risk management process. The selection of security controls, along with their rationale and enhancements, is documented so that authorizing officials have access to the information needed to make informed decisions about organizational information systems and to make future enhancements to the risk mitigation and management policy.
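The tailoring steps above (common-control inheritance, scoping, compensating controls, parameter values, supplements, overlays) and the decision record that the documentation step calls for, carried through together as an added example that is not part of the essay. The control identifiers are placeholders of the form FAMILY-n built from the family IDs in Table A; the baseline contents, the common-control providers, the system's components, the infeasible control and its compensating control, the parameter value, the supplement and the PKI overlay are all constructed inputs.

```python
"""Tailoring an initial baseline and recording each decision (added example, not the essay's own).

Control ids are placeholders (FAMILY-n using the family IDs from Table A); every input
below is constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Control:
    cid: str                          # placeholder id, e.g. "AC-1"
    family: str                       # two-character family ID from Table A
    component: Optional[str] = None   # scoping: applies only if the system has this component
    params: Dict[str, str] = field(default_factory=dict)  # organization-defined parameters


@dataclass
class Decision:
    control: str
    action: str      # inherited | scoped out | compensated | parameter | supplemented | overlay
    rationale: str


def tailor_baseline(
    baseline: List[Control],
    common_controls: Dict[str, str],          # control id -> entity providing it
    components: Set[str],                     # component kinds present in the system
    compensations: Dict[str, Control],        # infeasible control id -> compensating control
    parameter_values: Dict[str, Dict[str, str]],
    supplements: List[Control],
    overlay: List[Control],
) -> Tuple[Dict[str, Control], List[Decision]]:
    """Apply the tailoring steps in order; return the tailored control set together with
    the decision log that authorizing officials review and the documentation step keeps."""
    selected: Dict[str, Control] = {}
    log: List[Decision] = []
    for ctrl in baseline:
        if ctrl.cid in common_controls:      # inherited common control: not re-implemented here
            log.append(Decision(ctrl.cid, "inherited", f"provided by {common_controls[ctrl.cid]}"))
            continue
        if ctrl.component and ctrl.component not in components:   # scoping consideration
            log.append(Decision(ctrl.cid, "scoped out", f"system has no {ctrl.component} component"))
            continue
        if ctrl.cid in compensations:        # compensating control replaces an infeasible one
            comp = compensations[ctrl.cid]
            selected[comp.cid] = comp
            log.append(Decision(ctrl.cid, "compensated", f"not implementable; {comp.cid} compensates"))
            continue
        values = parameter_values.get(ctrl.cid, {})               # assign parameter values
        tailored = replace(ctrl, params={**ctrl.params, **values})  # copy; inputs stay untouched
        for name, value in values.items():
            log.append(Decision(ctrl.cid, "parameter", f"{name} = {value}"))
        selected[tailored.cid] = tailored
    for ctrl in supplements:                  # supplement for threats left unaddressed
        selected[ctrl.cid] = ctrl
        log.append(Decision(ctrl.cid, "supplemented", "added after risk assessment"))
    for ctrl in overlay:                      # overlay for a community or technology (e.g. PKI)
        selected[ctrl.cid] = ctrl
        log.append(Decision(ctrl.cid, "overlay", "required by overlay"))
    return selected, log


def unresolved_parameters(selected: Dict[str, Control]) -> List[str]:
    """Controls whose organization-defined parameters still have no value assigned."""
    return [c.cid for c in selected.values() if any(v == "" for v in c.params.values())]


# Constructed inputs.
BASELINE = [
    Control("AC-1", "AC"),
    Control("AT-1", "AT"),
    Control("PE-1", "PE"),
    Control("SC-1", "SC", component="wireless"),
    Control("IA-1", "IA", params={"reauthentication_interval": ""}),
    Control("CP-1", "CP"),
]
COMMON = {"AT-1": "agency-wide training program", "PE-1": "shared data center"}
COMPONENTS = {"web server", "database"}
COMPENSATIONS = {"CP-1": Control("MP-1", "MP")}
PARAMETERS = {"IA-1": {"reauthentication_interval": "15 minutes"}}
SUPPLEMENTS = [Control("SI-1", "SI")]
PKI_OVERLAY = [Control("SC-2", "SC", params={"technology": "PKI"})]

if __name__ == "__main__":
    selected, log = tailor_baseline(BASELINE, COMMON, COMPONENTS, COMPENSATIONS,
                                    PARAMETERS, SUPPLEMENTS, PKI_OVERLAY)
    print("tailored controls:", list(selected))
    for d in log:
        print(f"{d.control:6} {d.action:12} {d.rationale}")
```

The decision log is the artifact that matters for review: every control that is absent from the tailored set is there with the reason (inherited, scoped out, or compensated), and unresolved_parameters catches the common mistake of carrying an organization-defined parameter into the plan without ever assigning it a value.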

New Development and Legacy Systems

Organizations apply the control selection process to the information systems for which the security controls are being developed. Such systems are of two types: a new system started from scratch or a legacy system. For a new system, the security control selection process is influenced by the requirements analysis, since the system does not yet exist and the organization is conducting its initial security categorization. For a legacy system, the control selection is influenced by the revised risk assessment executed after a major upgrade, modification or outsourcing of the information system, also known as gap analysis.

Many organizations operate and maintain complex information systems. Such a complex system is divided into two or more subsystems, and a separate impact level is applied to each subsystem; this does not change the overall impact level of the information system. Since the subsystems are interlinked, organizations develop security architectures to allocate security controls among the subsystems, including monitoring and controlling the communications between them, and deploy the same control for the same vulnerabilities so that redundancy is avoided while the threat is still mitigated.

Risk in general is defined as a measure of the extent to which an entity is threatened by a potential circumstance or event; it is a function of the adverse impact that would arise if the circumstance or event occurs and the likelihood of its occurrence. In the context of information security, risks are those that arise from the loss of confidentiality, integrity, or availability of information or information systems.

Risk assessment is the process of identifying, estimating, and prioritizing information security risks to organizational operations, organizational assets and individuals. Risk assessment is the second step; before it, a preparatory step is performed that defines the purpose, scope and constraints of the assessment, identifies the sources of threats, and selects the assessment approach to be used.

Conducting a risk assessment benefits the organization significantly in achieving organization-wide goals. However, once risk assessments are complete, keeping them up to date requires continued support from the risk monitoring step, which observes changes in organizational information systems and environments of operation and thereby reduces future assessment costs. Incremental risk assessments consider only new information, whereas differential risk assessments consider how changes affect the overall risk determination.

During the risk assessment step the following specific tasks are performed:

• Identify the threat sources relevant to the organization and the threat events that could be produced by these sources.

• Identify vulnerabilities within the organization that could be exploited by threat sources through specific threat events.

• Determine the probability that the identified threat sources would initiate specific threat events and the likelihood that the threat events would be successful.

• Determine the adverse impacts to the organization.

• Determine information security risks as a combination of the likelihood of threat exploitation of vulnerabilities and its impact.

Identify Threat Sources

In this task, the threat sources of concern are identified and characterized, including the capability, intent, and targeting characteristics of adversarial threats and the range of effects of non-adversarial threats. The task identifies and assesses the following items:

• Identification of threat source inputs and threat sources.

• Determination of whether threat sources are relevant to the organization and in scope.

• Creation or update of the assessment of threat sources.

• Assessment of adversary capability and adversary intent.

• Assessment of adversary targeting.

• Assessment of the range of effects from threat sources on the organization.

Identify Threat Events

In this task, the potential threat events, the relevance of those events, and the threat sources that could initiate them are identified. The task produces the following items:

• Identification of threat event inputs and of threat events, as tailored by the organization.

• Identification of the threat sources that could initiate the threat events.

• Assessment of the relevance of threat events to the organization.

• Updated and summarized results of threat event identification.

Identify Vulnerabilities and Predisposing Conditions

In this task, the vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts are identified. The task produces the following items:

• Identification of vulnerability and predisposing condition inputs.

• Identification of vulnerabilities using organization-defined information sources.

• Assessment of the severity of identified vulnerabilities, identification of predisposing conditions and assessment of the pervasiveness of these conditions.

• Updated and summarized results of identifying predisposing conditions.

Determine Likelihood

This task determines the likelihood that threat events of concern result in adverse impacts, considering the following:

• Identification of likelihood determination inputs and likelihood determination factors using organization-defined information sources.

• Assessment of the likelihood of threat event initiation for adversarial threats and the likelihood of threat event occurrence for non-adversarial threats.

• Assessment of the likelihood of threat events resulting in adverse impacts, given the likelihood of initiation or occurrence.

• Assessment of the overall likelihood, combining the likelihood of threat event initiation/occurrence and the likelihood of threat events resulting in adverse impacts.

Determine Impact

This task determines the adverse impacts from threat events of concern, considering the following:

• Identification of impact determination inputs and impact factors using organization-defined information sources.

• Identification of adverse impacts and of the affected assets of the organization.

• Assessment of the maximum impact associated with the affected assets.

• Updated and summarized adverse impacts.

Determine Risk

This task determines the risk to the organization from threat events of concern, considering the impact of the events and the likelihood that they result in adverse impacts:

• Identification of risk and uncertainty determination inputs.

• Determination and summary of the risk.

The output of the risk assessment step is the risk determination: the risks to organizational operations, organizational assets and individuals. Although this depends largely on the organization's approach, in the next step the determined risks are communicated to decision makers for response and further action. Outputs from the risk assessment step can also be useful inputs to the risk framing and risk monitoring steps; for example, risk assessments can include recommendations to monitor specific elements of risk.
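The likelihood, impact and risk tasks above, carried through on a few threat events as an added example (not from the essay). The overall likelihood is combined from the likelihood of initiation/occurrence and the likelihood of adverse impact given initiation, then combined with the impact to give the risk, and the results are prioritized. The five-level scale, both combination rules and the threat events in EVENTS are constructed for illustration; a real assessment would take its scales and combination tables from the organization's chosen assessment approach.

```python
"""Risk determination from likelihood and impact (added example, not from the essay).

The five-level scale, the two combination rules and the threat events are constructed.
"""
from dataclasses import dataclass
from typing import List

LEVELS = ["very low", "low", "moderate", "high", "very high"]


def rank(level: str) -> int:
    """1-based position on the constructed scale; raises on an unknown level."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return LEVELS.index(level) + 1


@dataclass
class ThreatEvent:
    event: str
    source: str                     # adversarial or non-adversarial threat source
    vulnerability: str              # vulnerability or predisposing condition exploited
    initiation: str                 # likelihood of initiation (adversarial) or occurrence (non-adversarial)
    adverse_given_initiation: str   # likelihood that, once initiated, the event causes adverse impact
    impact: str                     # maximum impact on the affected assets


def overall_likelihood(initiation: str, adverse_given_initiation: str) -> str:
    """Constructed rule: both the initiation and the adverse outcome must happen,
    so the overall likelihood is capped by the less likely of the two."""
    return LEVELS[min(rank(initiation), rank(adverse_given_initiation)) - 1]


def risk_level(likelihood: str, impact: str) -> str:
    """Constructed likelihood x impact matrix: product of the two ranks (1..25) mapped to a level."""
    score = rank(likelihood) * rank(impact)
    if score <= 2:
        return "very low"
    if score <= 5:
        return "low"
    if score <= 10:
        return "moderate"
    if score <= 16:
        return "high"
    return "very high"


@dataclass
class RiskDetermination:
    event: str
    likelihood: str
    impact: str
    risk: str


def determine_risks(events: List[ThreatEvent]) -> List[RiskDetermination]:
    """Risk for every threat event of concern, prioritized from highest to lowest;
    ties are broken by likelihood, then impact."""
    results = []
    for e in events:
        lk = overall_likelihood(e.initiation, e.adverse_given_initiation)
        results.append(RiskDetermination(e.event, lk, e.impact, risk_level(lk, e.impact)))
    results.sort(key=lambda r: (rank(r.risk), rank(r.likelihood), rank(r.impact)), reverse=True)
    return results


# Constructed threat events.
EVENTS = [
    ThreatEvent("credential phishing against staff", "external adversary",
                "no phishing-resistant authentication", "high", "moderate", "high"),
    ThreatEvent("data center power loss", "non-adversarial (environmental)",
                "single power feed", "low", "high", "moderate"),
    ThreatEvent("insider misuse of records", "insider",
                "broad database privileges", "low", "low", "very high"),
]

if __name__ == "__main__":
    for r in determine_risks(EVENTS):
        print(f"{r.risk:9}  likelihood={r.likelihood:9} impact={r.impact:9}  {r.event}")
```

Separating the likelihood of initiation from the likelihood of adverse impact given initiation is what lets a well-defended system show a low overall likelihood for an event that adversaries attempt constantly; collapsing the two into one number hides exactly the effect the risk response measures are meant to have.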

RESPONDING TO RISK

After risks have been identified, organizations next employ risk response action plans to mitigate, avoid and evaluate the risks resulting from the operation and use of information systems, implementing appropriate courses of action defined at the organization level. Organizations can implement risk decisions at any of the risk management levels, with different objectives and different utility of the information produced. The following activities are performed to respond to identified risks. The risk assessment step yields the inputs and preconditions to these activities, which include:

• Identification of threat sources and threat events

• Identification of vulnerabilities that are subject to exploitation

• Estimates of potential consequences and their impact if threats exploit vulnerabilities

• Probability estimates that threats exploit vulnerabilities

• Determination of risk to organizational operations (mission, functions, image, and reputation of the organization), organizational assets, individuals, etc.

• Risk response guidance from the organizational risk management strategy

• General organizational directions and guidance on appropriate responses to risk

• Organizational constraints, preferences and tolerances

Risk response activities start with risk response identification: the identification of alternative courses of action to respond to the risks determined during the risk assessment phase. Organizations can respond to risk in a variety of ways. The first is risk acceptance, which is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions.

Organizations typically make determinations regarding the general level of acceptable risk and the types of acceptable risk, considering organizational priorities, the trade-offs between short-term mission/business needs and the potential for longer-term mission/business impacts, organizational interests, and the potential impacts on the organization and related entities such as individuals and other organizations. For example, given the current situation of terrorism, an organization may decide to share very sensitive information with first responders who do not typically have access to such information, accepting the loss of confidentiality because of the time-sensitive need to stop pending terrorist attacks.

Next is risk avoidance, which is the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in unacceptable risk. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition these activities or technologies within the organizational mission/business processes so as to avoid the potential for unacceptable risk. For example, consider an organization planning to employ wireless network connectivity to a remote site.

Suppose that during the risk assessment phase it was identified that establishing such wireless network connections carries unacceptable risk and is therefore impractical. The organization then decides to avoid the risk by eliminating the wireless network connection and deploying its own wired network, or seeks another course of action, such as transferring information by secondary devices.

Also under risk response, next is risk reduction, which is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. For example, a potential risk is that adversaries gain access to mobile devices such as laptop computers or PDAs while users are traveling. Possible risk reduction measures include enforcing organizational policies that prohibit transporting mobile devices to certain areas.

Next is risk sharing or risk transfer, which is the appropriate risk response when organizations shift a portion of the risk responsibility or liability to other organizations, usually ones that are more qualified to address the risk. Another form of risk transfer shifts the entire risk responsibility or liability from one organization to another, for example to an insurance company. Risk transfer, however, reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to the organization. Furthermore, mission-critical organizations and public sector organizations do not rely on these approaches; this concept is limited to private organizations only.

Next in the risk response phase, the organization evaluates the alternative courses of action for responding to risk. The evaluation of alternative courses of action includes the expected effectiveness in achieving the desired risk response and the anticipated feasibility of implementation, including, for example, mission/business impact and political, legal, social, financial, technical, and economic considerations. Economic considerations include costs throughout the expected period of time during which the course of action is followed. For example, organizations concerned about the potential compromise of mobile devices may remove the hard drives from laptops and operate them from CDs or DVDs while users are on the go.

Next, organizations decide on the appropriate course of action for responding to risk, which includes some form of prioritization. Some risks may be of greater concern than others; in that case, more resources may need to be directed at addressing the higher-priority risks than at the lower-priority risks. This does not necessarily mean that the lower-priority risks would not be addressed; rather, fewer resources might be directed at them, or they might be addressed later.

Finally, organizations implement the course of action selected to respond to risk. Implementation depends on the size and complexity of the organization, since the actual implementation of risk response measures may be challenging and varied. Some measures are tactical in nature and can be implemented quickly, for example applying patches to identified vulnerabilities in organizational information systems; others are more strategic in nature and reflect solutions that take much longer to implement.

Risk response plans and actions result in implementation of the selected courses of action, with consideration for:

• Individuals or organizational elements responsible for the selected risk response measures.

• Dependencies of each selected risk response measure on other risk response measures and other factors.

• Timeline for implementation of risk response measures.

• Plans for monitoring the effectiveness of risk response measures.

• Identification of risk monitoring triggers.

• Communication and sharing of information between organizational elements.
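The response selection, evaluation, prioritization and planning steps above, carried through as an added example (not from the essay). For each assessed risk the rules are: accept when the risk is within the organizational risk tolerance; otherwise evaluate the alternative courses of action (avoid, reduce, share/transfer) by their expected residual risk, feasibility and cost over the period they are followed, pick the cheapest one that brings the risk inside tolerance, and order the resulting plan by the size of the risk. The risk levels, tolerance, options, costs, owners, timelines and monitoring triggers in RISKS and OWNERS are constructed for illustration.

```python
"""Selecting and prioritizing risk responses (added example, not from the essay).

Risk levels, tolerance, courses of action, costs, owners and timelines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ["very low", "low", "moderate", "high", "very high"]


def within_tolerance(level: str, tolerance: str) -> bool:
    return LEVELS.index(level) <= LEVELS.index(tolerance)


@dataclass
class CourseOfAction:
    response: str        # accept | avoid | reduce | share
    description: str
    residual_risk: str   # expected risk level once the measure is in place
    cost: float          # constructed cost over the expected period, arbitrary units
    days: int            # implementation timeline (tactical measures are short)
    feasible: bool = True


@dataclass
class AssessedRisk:
    rid: str
    description: str
    level: str
    options: List[CourseOfAction]


@dataclass
class PlanEntry:
    priority: int
    rid: str
    response: str
    description: str
    residual_risk: str
    owner: str
    days: int
    trigger: str         # risk monitoring trigger that reopens the decision


def choose_course(risk: AssessedRisk, tolerance: str) -> CourseOfAction:
    """Accept within tolerance; else the cheapest feasible option that brings the risk inside
    tolerance; else the feasible option with the lowest residual risk (cost breaks ties)."""
    if within_tolerance(risk.level, tolerance):
        return CourseOfAction("accept", "within tolerance; accept and monitor", risk.level, 0.0, 0)
    feasible = [o for o in risk.options if o.feasible]
    if not feasible:
        raise ValueError(f"{risk.rid}: no feasible course of action")
    acceptable = [o for o in feasible if within_tolerance(o.residual_risk, tolerance)]
    if acceptable:
        return min(acceptable, key=lambda o: o.cost)
    return min(feasible, key=lambda o: (LEVELS.index(o.residual_risk), o.cost))


def build_response_plan(risks: List[AssessedRisk], tolerance: str,
                        owners: Dict[str, str]) -> List[PlanEntry]:
    """Decide a course of action per risk, then order the plan: higher risks first; among
    equal risks, the one whose response leaves more residual risk first."""
    chosen: List[Tuple[AssessedRisk, CourseOfAction]] = [(r, choose_course(r, tolerance)) for r in risks]
    chosen.sort(key=lambda rc: (-LEVELS.index(rc[0].level), -LEVELS.index(rc[1].residual_risk)))
    plan = []
    for priority, (r, c) in enumerate(chosen, start=1):
        if c.response == "accept":
            trigger = f"reassess {r.rid} if its risk rises above {tolerance}"
        else:
            trigger = f"reassess {r.rid} if residual risk exceeds {c.residual_risk}"
        plan.append(PlanEntry(priority, r.rid, c.response, c.description, c.residual_risk,
                              owners.get(r.rid, "unassigned"), c.days, trigger))
    return plan


# Constructed risks and their alternative courses of action.
RISKS = [
    AssessedRisk("R1", "unpatched vulnerability on public web server", "high", [
        CourseOfAction("reduce", "apply vendor patch", "low", 5.0, 14),
        CourseOfAction("avoid", "decommission the service", "very low", 40.0, 120),
    ]),
    AssessedRisk("R2", "loss of laptops while traveling", "moderate", [
        CourseOfAction("share", "insure the devices", "moderate", 10.0, 30),
        CourseOfAction("reduce", "prohibit transport to listed areas", "low", 20.0, 60),
    ]),
    AssessedRisk("R3", "outdated signage in lobby", "low", []),
]
OWNERS = {"R1": "platform team", "R2": "IT security"}

if __name__ == "__main__":
    for e in build_response_plan(RISKS, tolerance="low", owners=OWNERS):
        print(f"{e.priority}. {e.rid} {e.response:7} residual={e.residual_risk:9} "
              f"owner={e.owner:14} {e.days:3}d  {e.description}")
```

Note how the insurance option for R2 is never chosen at a tolerance of low: transferring the liability leaves the residual risk at moderate, which is the point the essay makes about risk transfer not reducing likelihood or consequences. Raising the tolerance to moderate makes R2 simply accepted, and lowering it to very low leaves R3 with no feasible option, which the function reports as an error rather than silently accepting.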

RISK MONITORING

Risk monitoring is the means by which the organization verifies compliance, determines the ongoing effectiveness of the risk response measures and actions taken by the risk response team, and identifies changes that affect the risk to information systems. The monitoring results are then analyzed, which provides the capability to maintain awareness of the risk being incurred and gives a way forward to effectively improve risk assessment and response activities.

The activities in risk monitoring take their inputs and preconditions from the risk response step; these include the implementation strategies for the selected courses of action and the actual implementation of those courses of action. In addition to the risk response step, the risk monitoring step can receive inputs from the risk framing step. The risk framing step also directly shapes the resource constraints associated with establishing and implementing an organization-wide monitoring strategy. In some instances, outputs from the risk assessment step may be useful inputs to the risk monitoring step as well, for instance risk assessment threshold conditions.

The first activity performed during risk monitoring is to develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities. The purposes are:

• To verify that required risk response measures are implemented and that the information security requirements defined in regulations and organizational policies are satisfied (compliance monitoring).

• To determine the ongoing effectiveness of the risk response measures and procedures taken by the risk response team (effectiveness monitoring).

• To identify changes to organizational information systems and the environments in which the systems operate (change monitoring).

Organizations also determine the type of monitoring to be employed, including approaches that rely on automation and approaches that rely on procedural/manual activities with human intervention. Finally, organizations determine how often monitoring activities are conducted, balancing the value gained from frequent monitoring against the potential for operational disruptions due, for example, to interruption of mission/business processes, reduction in operational bandwidth during monitoring, and the shift of resources from operations to monitoring.

After developing the monitoring strategy, compliance monitoring is employed to ensure that organizations are implementing the needed risk response measures. This includes ensuring that the risk response measures selected and implemented in response to the risk determinations produced by risk assessments are implemented correctly and operating as intended. Failure to implement the selected risk response measures can result in the organization continuing to be subject to the identified risk.

Organizations employ effectiveness monitoring to determine whether the implemented risk response measures have actually been effective in reducing the identified risk to the desired level. Determining the effectiveness of risk response measures is not easy, but these activities may result in organizations developing and implementing entirely new risk responses. In addition, organizations monitor the environment in which each information system operates, which helps detect changes that could introduce risk to organizational assets.

Organizations can conduct monitoring by either automated or manual methods. Since automated monitoring is efficient and cost-effective, it is desirable to use it where feasible; for instance, compliance monitoring can be supported by automated monitoring. Although automated monitoring steps are accurate, they require continued manual intervention and oversight to ensure that the automated activities and mechanisms are providing the information needed; such mechanisms should be appropriately validated, updated and monitored.

The depth and frequency of risk monitoring depend largely on the mission function and stature of the organization; for example, defence organizations are more sensitive and hence require more frequent and deeper monitoring of risks. Other key factors that define the frequency of monitoring are:

• The likely frequency of changes in organizational information systems and operating environments

• The potential impact of the risk if not properly addressed

• The degree to which the threat space is changing

Moreover, if manual monitoring is employed, it is generally inefficient to perform it at the higher frequency that automated monitoring allows.

After developing the monitoring strategies and implementing them organization-wide, the last activity in risk monitoring is for the organization to monitor its information systems and the environments in which they operate on an ongoing basis, in order to verify compliance, determine the effectiveness of risk response measures, and identify changes.

Last but not least, organizations attempt to coordinate the various monitoring activities, which facilitates the sharing of risk-related information that may be useful in providing trend information and hence in introducing risk response measures in a timely and efficient manner.

Thus the risk monitoring step ensures that the required risk response measures are implemented and remain effective, identifies changes to information systems and environments of operation, and does so while meeting organizational regulations, policies, guidelines and standards in an efficient manner.
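One automated risk monitoring cycle covering the three monitoring types described above (compliance, effectiveness, change), as an added example that is not part of the essay. It compares two constructed snapshots of an information system and its environment, reports which required risk response measures are not in place, which effectiveness indicators miss their target, and which components changed since the previous cycle, then applies a risk monitoring trigger to decide whether an incremental reassessment is needed. The measure ids, indicator names, targets, inventory entries and trigger list in PREVIOUS, CURRENT, REQUIRED, TARGETS and TRIGGERS are constructed for illustration.

```python
"""One risk monitoring cycle: compliance, effectiveness and change monitoring
(added example, not from the essay). All snapshot data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Snapshot:
    taken: str                     # date of the observation (constructed)
    measures: Dict[str, bool]      # risk response measure id -> implemented and operating
    indicators: Dict[str, float]   # effectiveness indicator -> observed value (lower is better)
    inventory: Dict[str, str]      # component -> version/configuration id


@dataclass
class Change:
    kind: str        # added | removed | modified
    component: str
    detail: str


@dataclass
class MonitoringReport:
    period: str
    compliance_gaps: List[str] = field(default_factory=list)
    ineffective: Dict[str, str] = field(default_factory=dict)
    changes: List[Change] = field(default_factory=list)
    reassess: bool = False


def compliance_monitoring(snap: Snapshot, required: List[str]) -> List[str]:
    """Required measures that are missing or not operating as intended."""
    return [m for m in required if not snap.measures.get(m, False)]


def effectiveness_monitoring(snap: Snapshot, targets: Dict[str, float]) -> Dict[str, str]:
    """Indicators worse than their target; an unmeasured indicator is itself a finding,
    since an automated mechanism that stopped reporting must not read as 'no problem'."""
    out: Dict[str, str] = {}
    for name, limit in targets.items():
        if name not in snap.indicators:
            out[name] = "not measured"
        elif snap.indicators[name] > limit:
            out[name] = f"{snap.indicators[name]} exceeds target {limit}"
    return out


def change_monitoring(previous: Snapshot, current: Snapshot) -> List[Change]:
    """Components added, removed or modified between the two snapshots."""
    changes: List[Change] = []
    for comp in sorted(set(previous.inventory) | set(current.inventory)):
        before, after = previous.inventory.get(comp), current.inventory.get(comp)
        if before is None:
            changes.append(Change("added", comp, after))
        elif after is None:
            changes.append(Change("removed", comp, before))
        elif before != after:
            changes.append(Change("modified", comp, f"{before} -> {after}"))
    return changes


def monitoring_cycle(previous: Snapshot, current: Snapshot, required: List[str],
                     targets: Dict[str, float], trigger_components: List[str]) -> MonitoringReport:
    """Run the three monitoring types and apply the risk monitoring trigger: a compliance gap,
    or any change to a component on the trigger list, calls for an incremental reassessment."""
    report = MonitoringReport(f"{previous.taken}..{current.taken}")
    report.compliance_gaps = compliance_monitoring(current, required)
    report.ineffective = effectiveness_monitoring(current, targets)
    report.changes = change_monitoring(previous, current)
    touched = {c.component for c in report.changes}
    report.reassess = bool(report.compliance_gaps) or bool(touched & set(trigger_components))
    return report


# Constructed snapshots of one system and its environment, a month apart.
PREVIOUS = Snapshot("2017-09-01",
                    {"patch-web": True, "mfa-admins": True, "wired-remote-link": True},
                    {"days_to_patch_critical": 10, "failed_login_rate": 0.02},
                    {"web server": "v1.4", "database": "11.2", "remote link": "wired"})
CURRENT = Snapshot("2017-10-01",
                   {"patch-web": True, "mfa-admins": False, "wired-remote-link": True},
                   {"days_to_patch_critical": 21},
                   {"web server": "v1.5", "database": "11.2", "remote link": "wireless", "vpn gateway": "3.0"})
REQUIRED = ["patch-web", "mfa-admins", "wired-remote-link"]
TARGETS = {"days_to_patch_critical": 14, "failed_login_rate": 0.05}
TRIGGERS = ["remote link", "database"]   # changes here reopen the risk assessment

if __name__ == "__main__":
    r = monitoring_cycle(PREVIOUS, CURRENT, REQUIRED, TARGETS, TRIGGERS)
    print(r.period, "compliance gaps:", r.compliance_gaps)
    print("ineffective:", r.ineffective)
    for c in r.changes:
        print(f"{c.kind:9} {c.component}: {c.detail}")
    print("incremental reassessment needed:", r.reassess)
```

The constructed cycle shows all three purposes at once: the admin MFA measure is reported as a compliance gap, the patch-time indicator exceeds its target and a second indicator has silently stopped being measured, and the remote link moving from wired to wireless is exactly the kind of environment change that the risk avoidance decision earlier in the essay was based on, so it trips the reassessment trigger.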


