Saturday, September 19, 2009

NIST 800-53, Chapters 2 & 3

Chapter 2 of NIST Special Publication 800-53 explains the elementary concepts behind selecting and specifying security controls for a given IT system. Among the topics covered in this chapter are: the organization and structure of security controls, security control baselines, the identification and use of common security controls, security controls in external environments, security control assurance, and revisions and extensions to security controls. The table below, taken from chapter 2, lists the families of security controls along with their unique two-character identifiers (which correspond to the security control catalog in Appendix F of NIST 800-53). The class column refers to the three security control classes: management, operational, and technical.


Chapter 3 of NIST Special Publication 800-53 takes this a step further and explains the specific processes involved in specifying and choosing security controls. The topics covered include: managing risk, security categorization, selecting and tailoring the initial baseline controls, supplementing the tailored baseline controls, and updating the security controls. Table 3-1 (shown below) is a graphical representation of the risk management framework security life cycle. It explicitly illustrates the flow of processes within the system security life cycle, along with the relevant NIST documents (and other standards, regulatory, or policy-related documents) that guide the risk management process.

References:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf