Module 4 Security Controls Implementation White Paper



Keith E. Anderson, Sr.
CSOL-530-04-SU19
University of San Diego

Abstract

The purpose of this paper is to submit an implementation plan that builds upon the baseline security controls selected to protect our enterprise payroll system. We will align our implementation approach with the Risk Management Framework (RMF), understanding that at some stages we will drift out of sequence with the framework where that has been established as acceptable within our enterprise risk tolerance.

Contents

1. Recommended Baseline Security Controls
2. Implementation of Baseline Security Controls
3. Implementation Strategy and Expected Results
4. References

1. Recommended Baseline Security Controls

Below is a table listing the recommended baseline security controls for protecting our enterprise payroll system. These controls, selected on the basis of our organization-wide risk management alignment with Tier 1 of the Cybersecurity Framework, are broad enough in scope to provide high-level assurance consistent with our current organizational risk appetite. As we progress to higher tiers within the Cybersecurity Framework, the breadth and depth of our control selection will reflect that change in maturity and capability.

Control   Control Name                                              Privacy-   Control        Control               Control
Number                                                              Related    Baseline (L)   Baseline (M)          Baseline (H)
AC-1      Access Control Policy and Procedures                                 AC-1           AC-1                  AC-1
CA-6      Authorization                                                        CA-6           CA-6                  CA-6
CP-1      Contingency Planning Policy and Procedures                           CP-1           CP-1                  CP-1
CP-9      System Backup                                                        CP-9           CP-9 (1) (8)          CP-9 (1) (2) (3) (5) (8)
IA-1      Identification and Authentication Policy and Procedures   P          IA-1           IA-1                  IA-1

In the table, "P" marks a privacy-related control, and the numbers in parentheses are the control enhancements required at that baseline (NIST, 2017); for CP-9 these are (1) testing for reliability and integrity, (2) test restoration using sampling, (3) separate storage for critical information, (5) transfer to an alternate storage site, and (8) cryptographic protection.

2. Implementation of Baseline Security Controls

According to NIST, the purpose of the Implement step in the RMF is to implement the controls in the security and privacy plans for the system and for the organization, and to document in a baseline configuration the specific details of the control implementation (NIST, 2018). Our objective is to realize a high-level implementation of the appropriate initial set of controls to build upon as we iterate through the RMF process. These initial baseline controls, which center on authorization, backup and recovery, and policy and procedures, will not only establish an initial level of system security and recoverability; they will also set the foundation for the more granular, operational-level projects of future controls that will continue to increase the resiliency necessary to meet organizational expectations.

3. Implementation Strategy and Expected Results

Below is a summary of the implementation expectations for our initial set of security controls.

AC-1 ACCESS CONTROL POLICY AND PROCEDURES

We will need to:

- develop an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, as well as the corresponding procedures to facilitate the implementation of the access control policy and the associated access controls (NIST, 2017)

CA-6 AUTHORIZATION

We will need to:

- assign a senior-level executive or manager as the authorizing official for the system and for any common controls inherited by the system, and ensure that the authorizing official, before commencing operations, authorizes (i) the system for processing and (ii) the common controls inherited by the system (NIST, 2017)

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

We will need to:

- develop a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines (NIST, 2017)
- develop corresponding procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls (NIST, 2017)

CP-9 SYSTEM BACKUP

We will need to:

- conduct backups of user-level information contained in the system, system-level information contained in the system, and documentation, including security-related documentation, and protect the confidentiality, integrity, and availability of backup information at storage locations (NIST, 2017)

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

We will need to:

- develop an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and that is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines (NIST, 2017)

4. References

NIST (2017). Security and Privacy Controls for Information Systems and Organizations. Retrieved August 4, 2019 from

NIST (2018). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved August 4, 2019 from

NIST (2018). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved August 4, 2019 from

SANS (2016). Physical Security and Why it's Important. Retrieved August 4, 2019 from