NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations


Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
Welcome back to Cybrary's ISSEP course. I'm your instructor, Brad Rhoads. Let's jump into NIST Special Pub 800-53, and these are our security controls.
00:11
So in this video, we're gonna look at the RMF again. That probably shouldn't surprise you. We're gonna talk about security controls, and then we're gonna do an example application of a security control, in this case access control.
00:25
So there's two charts on this particular slide. One you should be familiar with: this is the RMF security lifecycle. We talked about this. You need to memorize this chart. You need to understand that we go: we categorize, we select, we implement, we assess, we authorize, and we monitor. You will note on this chart
00:43
each one of the areas where we're going to do that
00:46
is specified in a NIST publication or a FIPS manual. And this chart is super handy because it shows you which ones apply to which of those areas. So when you're thinking about this content and you need to, say, study security controls, in this case here, where we're at in this particular lesson, you're going to go to NIST Special Pub 800-53. Now,
01:06
the second chart on this slide
01:07
is a defense-in-depth diagram. So we start, and you can start at the top or the bottom; we'll start at the top, right? We have the perimeter, our edge of our organization. Within that perimeter, we have our network, which connects hosts; on the hosts are applications, which ultimately access data. So
01:26
there are security controls in 800-53
01:32
for data, security controls for applications, there are certain controls for hosts, networks, and the perimeter. Right. So if you need an idea of a security control, those could be a technical control, a non-technical control, preventive, detective, whatever. You're gonna find those controls in 800-
01:49
53.
01:52
So here are the security controls that you will find in 800-53. You'll notice there's access control, contingency, there's incident response, maintenance controls, planning controls, risk assessment, services and system acquisitions. All of these things, these are all controls. These IDs, right,
02:12
are actually tied out to very specific controls in each of these areas that you will find in 800-53.
02:17
You don't need to memorize all of them,
02:21
right. But it helps to understand that when you see something that says, uh, AU-1, that control is dealing with audit and accountability. You need to know that AU is the ID for the audit and accountability category. Very important to understand each of these different IDs.
02:39
So let's do a quick access control example. So if you notice, here's a control number, here's your control name. This is a direct cutout of 800-53 to get you familiar with that, right? And you can see there's lots of controls here.
02:53
Um, there's access control, there's least privilege, there's session lock, there's termination. So when you think about, say, hardening a system, protecting a system, right,
03:00
the controls are literally listed for you, right? You don't have to reinvent the wheel. It's very important to understand that NIST gives you the ability to grab controls and then figure out what you're going to use in your organization. In the access enforcement area, this is where we find things like,
03:16
when we get a little deeper, and then we find things like MAC and DAC and RBAC, RuBAC, and
03:22
TBAC, right? Well, those are our access control models, where, when you remember, mandatory access control is specified for the users. Discretionary access control is the users can specify that themselves. Role-based is unique because that's where we get to the granular level of, okay, you know,
03:38
user Bob is an administrator, so he's gonna get a certain set of things based on his role,
03:42
and user Frank is just a power user, so he's going to get a certain amount of things. Rule-based is a little bit different than role-based. Rule-based is based on the data, right? What systems and what data do you need access to, and why do you need access to it? And maybe those rules could be inclusive of access at a certain time,
04:00
during certain work hours, during certain shifts. Right?
04:02
So that makes the management and tracking of, say, AAA a lot easier. And then, of course, task-based. Right? Let's say that you have somebody that you hire, and what they do is babysit and run your scripts. Great. Well, guess what? You could give them task-based access control. So that's all they can do, right? So lots of ways to do that. But all of these
04:23
types of controls are listed in the access enforcement
04:26
control in 800-53.
04:30
So, in this lesson, we reviewed again the RMF security lifecycle, that you should memorize that particular chart and the flow. Right? We talked about security controls and where they come from and the types, right? And, of course, there's a laundry list of them, which is great if you don't know where to start with security controls; start with 800-53
04:48
and then, of course, we talked about access control,
04:51
RBAC, TBAC, the other RuBAC, mandatory access control, discretionary access control, in our access control example. We'll see you next time.