Okay, so in less than 1.4, we're gonna talk a little bit about how honest explains 853. Because it's important to
instead of us interpreting everything, let's see what they said so that you understand where they're going.
So this lesson we're gonna describe again the need for the common framework discussed why n'est wants to have a neutral document, neutral in a sense of technology. They don't want it specific. Any technology on income contrast, compliance versus info? Second, what they mean or why they should be different.
Why? What? Why we should
focus on one inside the other. So first, why we need a common framework kind explaining before. But this is what missed thought was important. They wouldn't see collaboration across the government,
maybe even two commercial anybody. That's implementing the arm for 853. This is changed a lot, since Miss used to be specific to the federal government because Doody and intelligence and national security they all had their own controls. But they really started it all, working at least as a base with 853
for example, i d o d
move to the dia cap, which has a little bit different, but they still use theater 53 as the base
CNN SI n s s set up a joint task force really to figure out how can we use this as a base and then add some of our controls on top of it?
And it's really wanted to have a cost effective and consistent process. Again, let's try to save money instead of everybody spending time millions of dollars trying to vent their own process. We've already got another one. We have organization that said that knows how to create standards. This let's just use this process.
They also saw as being able to have the reciprocity across organizations across the organization. So if you have multiple have multiple systems, they may be more willing to interact or accept each other's accreditation
because they both use the same process. They can look at each other's controls how they've been implemented, say this makes sense to me. I can understand this risk and how in there how it will affect my system and maybe even outside across federal agencies or different parts of the government. They're they're willing to have seen this actually in place where
you say, I need to send you date or you need to send me data.
Send me your security plan and I'll look at it. Take a look and see if it all makes sense.
And again, they wanted to be neutral, specific to policy and technology,
how the information's process store transmitted. They didn't want to focus specifically on technology and then lock out some organizations if they went. No, you must use this specific technology, and it doesn't make sense the organization for price or whatever reason
then when you build it to use this so they are neutral in the sense as best they can, but not unaware of specific technology. What what that means is
they were trying to make it as flexible as Jin General as they can without making it too generic to the point where it doesn't make sense because it's just so generally like, What does this even mean?
but there's another one. Are practitioners, notes is just because this was neutral does not mean you should be your descriptions in the in your risk assessments and the security plan should all be robust and very specific to the technology you are using
because this is your chance to say, Here's how I implement the control in here specifically what I'm doing to protect the system.
And again, this is the reason I want to be neutral is they want to focus on capabilities versus force fitting technology to the point where it's too specific and doesn't you can't even use the controls.
Another part, which is important to NIST that alluded to before, is compliance versus information Security. Another half semi acronym here is invoked that we've started to get away from this. We're calling it
cyber security or assurance, whatever it is now. But they're here. Here's a quote from this, they said Compliance is not about it. Here into static checklists are generating unnecessary fisma reporting paper. Rather, compliance necessitates organisations, organisations exact executing due diligence with regard to information security, risk management.
Do you see? I highlighted
due diligence there. That's what they're saying is don't forget the reason you're doing this is not so you comply it. So you are putting your best best effort Ford to secure the system,
and that's why they offer ability or we'll talk about later about tailoring control to meet your business goal, which means there's variables that you can set in their specific to your organization or picking which controls you don't have to
stick strictly to what the baselines they set. You really need to make this work for your organization,
but you also need to understand current threats and adjust your control. So if your organization is
his work in the financial sector, you really need to look at what threats are out to specific to the financial. Or if you're in health care, you need to understand that there's hippo controls, things like that out there that also need to be applied on top of the regular baselines
again. Brazilians is your job. This is in cyber security. This is the reason you're there is to protect the system, not make the system look secure. Thio somebody else.
So we have another quick quiz here,
which is not a reason n'est wanted to create a common framework. Should able to get this if you were listening, do they? They want not want cross agency collaboration policy and technical technology and neutrality, or do they not want to create a compliance module models.
The answer, of course, was they didn't want to create a compliance model. It's not the goal of information security. It's not the reason we do this. It's not the reason they have a common framework.