A recent risk assessment has determined that Red Clay Renovations should adopt a formalized security program to help protect our IT infrastructure. This paper describes how the IT Security Control framework is set up and how Red Clay can utilize it to mitigate risk. Since we already have a start in using the NIST SP-800-18, Guide for Developing Security Plans for Federal Information Systems, we will continue to pull from this valuable resource. Similar to financial controls, the NIST controls allow for us to direct, monitor, and measure our efforts (bcorporation.net).

NISP SP 800-53 specifies these controls and breaks them down into groups called families and further into sub-families. Each family is a is a member of the Management, Operational, or Technical classes. The Management class of controls focus on the management of the information system as well as the risk. Red Clay management would benefit from these controls as they would lay the framework for their duties in securing our IT infrastructure. The Operational class of controls focus on how people interact with systems or groups of systems and usually incorporates the other two classes. These controls would help create a secure structure around what we want our employees to be doing when it comes to secure computing. The Technical class of controls focus on computer controls that prevent unwanted access or misuse of data. These controls would prevent our employees from accidentally or maliciously destroying data (Swanson, Hash, & Brown, 2006).

To get a better understanding of these controls we should look into a few that will positively impact Red Clay. The family control Planning falls under the management controls class and would provide a framework for managers to build their plans from. Central Management is a sub-family control of the Planning family and provides guidelines on how to centralize security efforts for things such as continuous monitoring. Security Planning and Policy Procedures is another sub-family control that will assist our management team in identifying all the policies required for a successful risk mitigation strategy.

The Technical Control class contains many family controls that Red Clay could benefit from. Specifically, the Access Controls family contains the very thorough Account Management control as well as the Access Enforcement control. Red Clay already conducts account management, but implementing this structured control will help our IT team enforce the policy preventing accidental or malicious deviations from our risk mitigation plans. The access enforcement control will further this endeavor by ensuring Red Clay has a plan for revoking access once it is no longer needed.

The Operational Control contains many controls as well. Perhaps the most important control is the Awareness and Training family control. This control contains the sub controls Security Awareness Training and Security Training Records. Without these controls to help our team train our employees we will have already lost the fight against our adversaries. According to the control, conducting training should be part of the initial onboarding process, when information systems change, and on a routine basis thereafter (NIST JOINT TASK FORCE TRANSFORMATION INITIATIVE, 2013). Securing training records provides our legal team the power they need when litigation issues arise surrounding misuse of information systems.

These are just a few examples of how incorporating a formal security framework can help Red Clay bolster our security and provide our stakeholders the understanding that we are conducting our due diligence. We should implement this as soon as possible to prevent needless risk from damaging our company.