The purpose of this assignment is twofold.
First, I want you to get familiar with reading official documents related to information security. Security professionals need to be able to read documents like the NIST Security Publications to understand best practices. They also provide weight to recommendations when talking with executives about security decision making.
Second, I want you to be able to teach yourself new things. You may read about things in NIST 800-53 that you don’t already know about. Take time to do some research and learn more. Google is your friend.
- Look at NIST SP 800-53, Appendix F: Security Control Catalog
- Identify one family of controls you would like to learn more about
- Review controls within that family
- Identify 2 controls you will research
- GRAD STUDENTS: 2 families, 2 controls per family.
- For the 2 controls you choose: write at least 800 words (total), grad students 1500 words.
- List control titles
- Describe what the control entails
- Describe at least one way an organization could implement that control (each control)
- Do some research and include at least one external source per control (properly cited) to support what you say
- You don’t have to cite NIST SP 800-53 unless you are quoting directly, but cite any external sources
Very basic (and short) example
I chose the family Identification and Authentication (starts on page F-90), and the controls IA-1, IA-3, and IA-5.
IA-1 Identification and Authentication Policy and Procedures
Identification and Authentication policy and procedures refers to an organization’s need to have written policies covering these two concepts. The policy needs to address who must be authenticated and which types of activity require authentication. The policy can also describe how authentication works across organizational boundaries, for example, how contractors obtain credentials for their work on internal systems. A good authentication policy also defines its own scope.
One good component of an authentication policy is the Acceptable Use policy. Requiring that all users accept some terms and conditions before accessing a network can be set as a prerequisite (Jackson Hole, n.d.).
The IA-1 requirement also specifies that the organization should review and update the policy and procedures at a defined frequency. The review schedule can be written into the policy itself, and reviews should be carried out regularly to ensure that the policy and procedures are (a) being followed and (b) still serving the needs of the business.