Red Clay Renovations is an internationally recognized, awarding winning firm that specializes in the renovation and rehabilitation of residential buildings and dwellings. The company specializes in updating homes using “smart home” and “Internet of Things” technologies while maintaining period correct architectural characteristic.

With all the recent cybersecurity attacks and considering the speed technologies are evolving and the security risks related to the type of technologies (IoT, smart devices) used by the company , it will be important to reconsider Some of Red clay’s IT security practices. As a first step, a risk assessment was performed on Red Clay Renovation’s IT systems and infrastructure; according to the findings it was recommended for the company to formalize the security measures required to protect information, information systems, and the information infrastructures for the company’s headquarters and field offices. So this briefing paper will help propose a plan of action which will help develop system security plans including Security Control Classes and Security Control Families related to Red Clay risks.

When talking about system security plans for companies such as Red clay, we immediately touch bases with concepts such as Security Control Classes and Security Control Families. Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. According to recent studies, they are 3 well known classes of security control classes (Lord, 2018):

• Management controls: The security controls that focus on the management of risk and the management of information system security.
• Operational controls: The security controls that are primarily implemented and executed by people (as opposed to systems).
• Technical controls: The security controls that are primarily implemented and executed by the system through the system’s hardware, software, or firmware.

All these 3 classes of controls are necessary for robust security. For example, a security policy implemented at the Wilmington, DE Offices (Red Clay’s Headquarters) (Bring Your Own Device policy) is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls) within the company. Think of phishing attacks, Red Clay Renovation may have implemented an acceptable use policy that specifies the conduct of users, including not visiting malicious websites. Security controls to help thwart phishing, besides the management control of the acceptable use policy itself, include operational controls, such as training employees and users from all the fields not to fall for phishing scams, and technical controls that monitor emails and web site usage for signs of phishing activity (MDNDocs, 2019).

According to the NIST Special Publication SP 800-53, there is a total of 18 security control families. But on this paper, we will focus on the following security control families (NIST, 2013):

• Planning (management control class): this control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. This family contains subfamilies such as PL4 Rules of Behavior (Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage) and PL-8 information security architecture (addresses actions taken by organizations in the design and development of information systems).

• Identification & Authentication (Technical control class): the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. This family contains subfamilies such as IA-3 device authentication and identification (Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type/device) and IA-7 cryptographic module authentication (The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication).

• Incident Response (Operational control access): This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. This family contains subfamilies such as IR-2 incidence response training (the organization provides incident response training to information system users consistent with assigned roles and responsibilities) and IR-3 incidence response testing (the organization employs automated mechanisms to more thoroughly and effectively test the incident response capability).