all right. Welcome to missed 853 security privacy controls. Where we'll be talking about the document. Some of the ideas behind that this one doesn't understand. Not really focusing on specifically every one of the hundreds of controls.
And so for Model One will be getting a known estate and 53 1st just said, get the background to it
First, let me give you introduction. My name is Phil Cope. I'm a system administrator before going to cyber our disciple Security Or I start working as a pen tester Auditor. I've been doing instant response without testing more recently,
so I have 20 years of cybersecurity experience. My undergrad was in information systems. My master's degree with an e commerce. Why was a self employed So I was trying to get a bit of a mix between business and not specific. I t
I finish up my doctor in cyber security
and I have a C i S S P certification and a couple of the offensive security certifications.
I said there's a picture of ah computer there. It actually looks like a keyboard was my first, uh,
computer when I was when I was young, when I'm not doing I t stuff. I still like programming, but I also like, try to get out, do mountain biking, hiking, photography. There's a picture up there about what off when a shot I took from Harpers Ferry, West Virginia
If you're interested in contacting me, Lincoln is my best the best way, and I have been up there on the screen.
So for less than 1.1 disc over a little bit on the course, just kind of get a free where prerequisites and understand what the course is about. What's gonna be important?
I mentioned the prerequisites. They're not hard too fast, but you should understand a little bit about the NIST risk management framework. I'll be calling it the arm F Cyber security People love jargon link are this lingo. So just get to get to know
that said I might be switched between Arm F and risk member Mr Rist Magic Framework.
You need a little bit about Phipps wanting that fits 1 99 I'll talk about it, give you information, but it is the prerequisite to 853 to understand.
There's also missed 812 which is core principles. That is good to understand. So if you know the kind of the terminology says you're reading 353 is it really rains? In this document? You understand their definitions of what things mean
and also confidentiality. Integrity, availability are three very important concepts.
They come up a lot of lots of times throughout the throat, through through the documents role
otherness, documentations Well,
so within the course materials
provided links here, you can get that. They're also very easy to find. So that's 853. Guess that's what we're really talking about. There's a dinner 37 with It's the risk management framework, said 51 99 200 are prerequisites.
You don't have to read all these, Understand? Of course, we'll talk about them, but maybe looking at them and getting idea what there are will help understand.
And as you mentioned, 812 which is the introduction of information security
and also within the course materials later on in module to will be talking about the ESCAP tools, which is automated tools for establishing baselines. So have a windows and a Lennox one. There you can you can take a look at those later on but will be referencing those documents as well.
The target audience is really anybody in cyber security. Now, just because 853 is important everybody where you might come into it, no matter what your role. So as an authorising official, you're gonna be looking You're gonna be trying to assess risk across your systems across the organization,
and you probably see these nous controls mapped. And if not, you'll you can understand the source material.
The same thing would be for ah, sis. Oh, with the be assessing risk and then as an isis so you might be looking at or you're the interface between the system owner and the the technical staff into you're really gonna be trying to understand those risks mapping Tunis controls and being able to talk to executives.
Even if you're a technical person. Azad ministrations. Er, you might be seeing these controls coming coming in. And when you're running your automated tools or you may get reports from somebody's you need toe, really understand what they mean in the context of the risk to your system and how the map vulnerabilities.
So just kind of some of the notes will be using missed 800 revision for everybody calls the Red For another jargon, our lingo did to get used to.
There's red five that's coming out at the time of this recording, but it's not finalized. We're not gonna be using that will be focusing mostly on ref or we'll talk a little bit about red five within the course. Just understand where it's going.
So a couple places you'll see this little pencil icon. I tried to put it in there to say reference that external material that I mentioned, you know that their source material, if you want to look at
and then the other one is this little character there that I'm calling practitioners notes. I've tried to intersperse that throughout the videos, of course, to say, you may not read this or get this understanding specifically from reading the documents, but this is something that's important from somebody who's actually practices in the real world.
Here's the 1st 1 a practitioner notes. Always check the revision used by the organization, so it's it's not guaranteed that an organization is right is using the most recent version just because it's a lot to do to transition from a new one to an old one usually takes a couple of years, and it may not apply. So
working on a revision and then go back and you ask him. And then also, you worked on all these controls that aren't applicable.
All right, here's a rough outline. So first with the module one. Except we're getting noticed a little bit. Well, we're doing this introduction. We understand how it fits into the arm F process because it's the core that it goes across all the different phases.
I said, We're focusing on revision for, but we'll talk a little bit about region revision five and just kind of understand how to transition even beyond that.
And then I'm gonna look at a little bit. How honest explains 853 just so because it's their documents. So you need to understand why they have to use a certain charm terminology and just understand throughout this. Like I say, they is n'est they're the ones that publish it, but it's put out there for
many, many cycles, and there's many revisions. Hundreds of people respond to it, so it it's a community effort, but we just say n'est
as they're not the only ones talking about the document
and the module to will focus a little more on actually using the security controls. See how they apply.
He's learning objectives just kind of set here on all the objective I've created. You'll see this inverted pyramid, which is Bloom's taxonomy. It's just a way of organizing the way, acknowledges learned. So the term, remember would be has the action. Verbs like list
described things like that, Uh, and as you get
further on its more concentrated form or
it's not more important but a little bit different. So down at the bottom we have created is thes objective you create, so you would actually be developing things like that.
So you see that throughout the just kind of understand what you're learning,
but specific to this, we're gonna be learning. About 853 control families described where it belongs in the arm F process. Explain the need of, ah, for common taxonomy. I call it a taxonomy. Just cause I like to use that worries. It's these buckets that if it fits into so we're all using the same lingo.
It's it's a taxonomy, it's a framework.
And then we're gonna demonstrate the selection of a baseline. We'll talk a little more what that means, but that's just understanding that what controls apply based on your categorization, and then you'll be able to differentiate the parts of 853 control. So understanding what each part means. So that again,
I'm not gonna explain all of them to you. It's easier to stay. Here's how to interpret them and then you can you can you be able to do it yourself.
And we're gonna learn about common hybrid system controls and what those mean in the context of a crediting a system.
And then we'll talk about mapping a weakness to 853 control. So you have these automated tools. They output results. How does it How does that work into the 8 53