Selecting & Implementing Security Controls

Introduction

To all members on the Red Clay Renovation Board of Directors and IT Governance Board, the following briefing will present some of the high interest items related to Security Controls and how they align with the needs of Red Clay Renovation Information Security program. The purpose of this briefing is to explain the definitions and needs for each specific Security Control identified along with sub-family controls related to their hierarchy.

Description of Control Classes

Security control classes define and shape the security planning for an organization. According to Swanson, M., Hash, J., & Bowen, P. (2006), security control classes are used in the planning of security systems. Management controls involve the management of information systems and risks in relation to these systems. Management controls are practices that are usually focused on at the management level. Operational controls involve security measures that are performed by human controls. Operational controls are in position to enhance the security of systems. Technical controls involve security measures that are performed by computer or technological controls. Technical controls can conduct various functions such as automated protection against unauthorized access, detection of violations, and assist in the security of data and applications (p. 25-26). These standard security controls are commonly recognized around the globe and form a foundation for sound security practices.

According to Scarfone, K., Jansen, W., & Tracy, M. (2008), management, operational, and technical controls are essential in creating a strong security environment. In relation to each other, a policy will fall under management control, but the requirements are executed by human or operational control and systems or technical controls (Scarfone, K., Jansen, W., & Tracy, M., 2008). As all three security controls are essential and must work in relation to each other, Red Clay Renovation must use the same principles in protecting the IT Infrastructure for the Wilmington, DE Offices (Headquarters). Through training, education, and acknowledgment, each user must abide by company policies in executing operational controls coming down from management controls and supplemented with technical controls. Scarfone, K., Jansen, W., & Tracy, M. (2008), further add that too many security controls may become a barrier. Therefore, there should be a proper mix of controls with the goal of balancing security, functionality, and usability. Finally, it is important to emplace multi-layered security such as protecting sensitive data on a server using network-based firewalls, host-based firewalls, OS patching, etc. This allows for coverage if one security layer fails, then the other security layers can compensate for the loss (Scarfone, K., Jansen, W., & Tracy, M., 2008).

Red Clay Renovations Selection of Family Controls and Sub-Family Controls

Based on the network configurations and the many facility locations, physically separated geographically, Red Clay Renovation requires employees to travel and telework. This section will focus on three separate control classes specific to the needs of Red Clay Renovation while identifying two sub-family controls for each control class selected. In it, we will begin by focusing our attention to Risk Assessment under Management Controls with Risk Assessment Policy and Procedures and Vulnerability Scanning for its sub-family controls. Then we will focus our attention to Access Controls under Technical Controls with Remote Access and Access Control for Mobile Devices. Finally, we will focus our attention on Awareness & Training under Operational Controls with Security Awareness Training and Role-Based Security Training for its sub-family controls. The following will provide a description of each family with sub-family controls most applicable to Red Clay Renovation operations based on NIST definitions and guidance.

According to National Institute of Standards and Technology (2013, April), Risk Assessment is a tailored approach of identifying risks to an organization based on its assets, personnel, associates, and the nation in relation to its information system(s). Under RA-1, Risk Assessment Policy and Procedures, these controls are designed to align with federal laws, directives, regulations, executive orders, policies, standards, and guidance. Under RA-5, Vulnerability Scanning is designed to identify vulnerabilities affecting a system, specify flaws/misconfigurations, format checklists, test procedures, measure vulnerability impacts, produce security control assessments, remediate vulnerabilities, and share information results to assists with other systems with similar vulnerabilites. Access Control is a broad term that encompasses the granting of digital access for personnel to data/information, based on their individual privileges. Under AC-17, Remote Access is the use of gaining access to an organizations information system(s) from outside of the local network via methods such as the Internet which can be accessed through mediums such as wireless, broadband, dial-up, etc. The use of Virtual Private Networks (VPNs) is a way to use encryption while increasing the surety of integrity and confidentiality of information. Under AC-19, Access Control for Mobile Devices provides guidelines for restrictions/implementation and configuration/connection requirements for mobile devices in the control of Red Clay Renovation. Under AC-19 (5), mobile devices must have the capability for full device/container encryption to protect confidentiality and integrity of information. Awareness & Training is fundamental which directly relates to human operations. Under AT-2, Security Awareness Training is designed for all system users to include managers, executives, and contractors. Training should be tailored to meet the needs of the organization and provide the basic knowledge for users to understand the need for information security, maintain appropriate level of security, and respond to incidents accordingly. Under AT-3, Role-Based Security Training is tailored specifically based on an employee’s roles and responsibilities. This type of training must be completed prior to an employee having granted access to information systems or executing duties. Based on the Role-Based Training, one can be tailored to have a myriad of subject to include management, operations, technical roles/safeguards, countermeasures, etc. (p. 164-195).

Summary

In summary, this briefing covered the different Security Controls along with sub-family controls that are essential in the basic building blocks for the sustainment and prosperity of Red Clay Renovation through practicing standard security procedures through the guidance of NIST publications. Specifically, this briefing began by covering Risk Assessment through establishing Risk Assessment Policy and Procedures and practicing regular Vulnerability Scanning. Next, this briefing covered Access Control through establishing encrypted procedures and preserving confidentiality and integrity using VPNs and Access Control for Mobile Devices using encrypted and acceptable practices according to policies and regulations. Finally, this briefing covered Awareness & Training through Security Awareness Training tailored for all users and Role-Based Training tailored based on each employees’ roles and responsibilities. Based on the makeup of Red Clay Renovation employee’s and how they conduct business as a whole, these specific Security Controls would fit in with the companies needs regarding Information Security. With the implementation of the Security Controls mentioned in this briefing, Red Clay Renovation will assuredly be better equipped to execute secure operations while fostering a culture that is conducive to security awareness.