The purpose of this briefing is to address the results of a recent risk assessment analysis conducted by Red Clay Renovations. The assessment reveals many cybersecurity loopholes within the company field offices, information systems, and the overall IT infrastructure of the company. As a result, the PII data of customers and the use of smart devices and technologies in remote field offices are vulnerable to cyberattacks. In an effort to deter cyberattacks and mitigate risk to the company information systems, various security controls are required to be implemented. These security controls will be implemented to protect the company’s cybersecurity objective of integrity, confidentiality, and availability of systems and resources. Moreover, the controls will remediate the potential impact on Red Clay information systems based on the FIPS 199 categorization. According to NIST, “risk-related considerations are supported by the agency assessment of risk, and it does not affect the security-relevant information within the company information systems” (2006). Therefore, the families of security controls selected must amend the risks identified in the Red Clay risk assessment and take additional steps when applying security controls to mitigate system vulnerabilities.

They are three different types of security control classes (managerial, operation, and technical), which are further grouped into families and identifiers. The family group correlates with one of the three classes based on the characteristics of that security control family. It is important to note that the security controls can also be linked to more than one of the three security control classes. The identifier is a two-letter, abbreviation of the actual control family. For example, RA is the identifier for “Risk Assessment” in the risk assessment family of controls, which includes RA-1,2,3,5 and falls under the “managerial class of security controls.” Moreover, it can also be linked to the operational class for contingency planning with the identifier of CP. By definition, a managerial security control class “focuses on the management of the information system and the management of risk for a system” (NIST, 2006). The operation control class address security based on the mechanism that people operate or implement; it does not focus on IT systems. Technical security control will primarily focus on computer systems that execute various security controls.

Based on the risk analysis assessment conducted by Red Clay, these controls can be implemented in concert with each other to protect the company information systems, the company data, and grant access to company resources to only authorized employees. Furthermore, these controls can be implemented to enable Red Clay to remain in compliance with IT governance standards and regulations pertaining to information security in the state of Delaware. These three classes of security controls can work together to fix systems vulnerabilities, and enable the company to assess, monitor, and recover from cyber-attacks. In addition, it will help to create a security baseline for the company and grant controlled access to products and services, which can be particularly beneficial for the company field offices. To protect the IT infrastructure of Red Clay, one control family can be selected from the three security control classes to create a defense-in-depth posture for the company information systems and mitigate additional risks to the business in tier three to the company infrastructure. According to NIST (2013), “tier three identifies risks to information systems and utilized the risk management framework (RMF) to mitigate these risks.”

Red Clay CISO (Mr. Eric Carpenter), can benefit tremendously from selecting one control family from each of the three security control classes to remediate the company assessed risks. The financial controls for the company are based on the risk of information security for the company’s financial services, like credit card transactions. It covers six different control types “detective, preventive, corrective, administrative, technical, and physical” (FFIEC, 2016), from the perspective of the business process for Red Clay. These measures are aimed at addressing risk from only one aspect of the company. The control classes and control families mitigate risks to the entire architecture of the company. Moreover, three family controls from the control classes that the company can implement to meet the needs of information and systems security are i) risk assessment, ii) systems and communications protection, and iii) awareness and training.

The family control “Risk Assessment” (RA) is used to identify all the potential risks the company faces during the lifecycle of the business. It determines the probability of a risk occurring and the impact of the risk to Red Clay. This security will be used to address the current and future risks facing the company. It will identify the financial impact, as well as, the loss of reputation Red Clay will face in the event of a security breach to the company data, or from a natural disaster. In addition, it will help to identify valuable company assets such as customers PII and technology commodities. This risk assessment will further be used to prioritize the risk base on the levels of low, medium, or high impact on the company’s daily operations.

The control family “systems and communication protections” (SC), is used to protect information systems boundaries both externally and internally. In addition, this family of controls will be used to protect access to the company’s remote sites. It will enable the company to implement controls for the availability of resources and provide security for the confidentiality and integrity of the company information systems. The awareness and training controls (AT), is used to train new users on the information systems and to address any changes made to the company systems. More specifically, this control family will ensure that users are following the proper procedures when accessing systems resources and are trained on how not to introduce malware to the systems through user negligence. It will give users a general understanding of how to protect Red Clay digital commodities and customer PII data.

Two sub-family controls for risk assessment are RA-1(risk assessment policy) and RA-5 (vulnerability scanning). These sub controls will be used to ensure that the appropriate policies and procedures are developed to protect the company from unauthorized access to systems and resources emanating from cyberattacks, or malicious insider threats. The company will also conduct periodic vulnerability scans on the networks to identify and mitigate risks. The sub-family controls for awareness and training (AT) includes AT-2 and AT-3 (security awareness and role-based training). These controls will be used to help employees identify malicious system activities, analyze emails containing spam, and identify possible threats to the company’s physical infrastructure. The role-based security training will be aim at contractors and third-party vendors accessing the company networks. Also, it will address the roles of Red Clay management and the technical roles of staff members. Two of the SC controls subfamilies are SC-7 (boundary protection) and SC-28 (protecting data at rest). These sub-families will enable Red Clay to mitigate risk to their internal and external networks by implement DMZs and firewalls to safeguard systems from cyber-attacks. It will also ensure that data at rest is protected by creating the requirements for encrypting data and performing continuous backups.