• Skip to main content
  • Skip to primary sidebar

ConvoCourses

Cyber Security Compliance and IT Jobs

  • Cyber Security Training
  • about me.
  • Information Assurance Jobs

security controls

ISSO NIST Security Control Family Interpretation

March 27, 2021 by Leave a Comment


The interpretation of baseline controls and enhancements is one of most common question that I get. That’s why I made that other course about it:
https://securitycompliance.thinkific.com/courses/rmf-isso-security-controls-documentation

This course interprets and breaks down NIST security controls. We explain what’s going on in a simple practical way. This is something that I wish somebody would have done for me but as if you’ve been looking out there’s not a lot of people doing this.

Filed Under: Information Assurance, security compliance Tagged With: interpret security control, security controls

RMF ISSO Mentorship and Security Control Course

February 22, 2020 by Leave a Comment


Sign up for free:
http://convocourses.com

Filed Under: certification & accreditation, cyberspace workforce, diarmf - implement, security compliance Tagged With: convocourses, RMF course, security controls

risk mitigation

February 5, 2014 by Bruce Brown Leave a Comment

Risk mitigation can only be done by first identifying the risk.  And risk identification can only be done by characterization of the assets, discovery of vulnerabilities of those assets and determination of threats and/or possible harm to that system.

So risk mitigation is based on the results of risk assessments.

Risk assessment is a 9 step process.

 

1)  System characterization – a system is an organization asset.  So the first step is to discover all the features of that system and understand why it is important.

2)  Threat Identification – risk is determined by the likelihood of a threat affecting the weakness of an asset.  To limit the risk (risk mitigation), a security practitioner must determine the possible threat, find the weakness and then come up with a way to protect that system.

3)  Vulnerability Identification – The security practitioner (information system security officer, information system security analyst, system security engineer etc) must find the weakness of a system.

4)  Security Control Analysis – The security control protecting the vulnerability is the actual risk mitigation.  Analysis is determining what is needed, when and how much it will cost.

5)  Likelihood determination – The importance of risk mitigation is directly proportionate to the likelihood of the threat impacting the organization and its assets vulnerabiltiy.

6)  Impact Analysis – The bottom line of risk is the impact that will occur if harm should come to an asset.  If the asset ceases to function, what happens to the organization?   That question should drive how and why risk is mitigated.

7)  Risk Determination / Risk Identification – Based on all the data gathered you can make a pretty good risk determination.  You should have defined the systems components and what data is important, made a pretty good conclusion on threat sources and likelihood of the vulnerability exploits and know exactly what kind of impact there will be if the system goes down.

8)  Control Recommendation – This is where the actual RISK MITIGATION comes in.  All data is gathered from the risk assessment and risk has been identified and evaluated.  Risk is mitigated by applying to correct security controls.

9)  Results Documentation – The mitigation of risk must be documented for future reference.  Sometimes it can only be mitigated later and documented in a Plan of Action and Milestone.

Who does Mitigates the Risk:

First of all, risk cannot always be mitigated.  In this cases it is documented in something called a Plan of Action and Milestone (POA&M).  And sometimes risk is simple accepted because there is just nothing that can be done.  The mitigation of risk is the responsibility of the system owner.  The system owner will sometime have a right hand adviser on matters of security, a Chief Security Officer who is not afraid to say NO and will always give the system owner (CIO) the facts no matter how gruesome.  The CSO (or equivalent) delegates risk mitigation (implementation of security controls) to security practitioners (DoD 8140 compliant professionals) who hopefully know what they are doing.

 

Filed Under: DIARMF Tagged With: IA controls, risk, risk determination, risk identification, risk impact, risk management, risk managment, risk mitigation, rmf, security controls

physical risk

January 29, 2014 by Bruce Brown Leave a Comment

physical risk
physical risk – bollards used for physical security

The physical risk to an information system is perhaps the most important to consider.  You MUST limit physical access to a system or any technical or administrative controls you implement are meaningless because they can be bypassed easily.  With direct physical access ANYONE can boot a server into a Kali Linux Live CD/USB or do a Password Recovery on your Cisco Router PWNAGE!!!!  If you can physically touch a system, then you can own it.

Additionally, you should have a contingency plan for the most likely avenue of physical disaster to a system.  This limits the potential of intentional and unintentional harm to the system.

To limit the physical risk to an information system the NIST SP 800-53/DIARMF prescribes “Physical and Environmental Protection” Controls:

  • PE-1 Physical and Environmental Protection Policy and Procedures
  • PE-2 Physical Access Authorizations
  • PE-3 Physical Access Control
  • PE-4 Access Control for Transmission Medium
  • PE-5 Access Control for Output Devices
  • PE-6 Monitoring Physical Access
  • PE-7 Visitor Control
  • PE-8 Access Records
  • PE-9 Power Equipment and Power Cabling
  • PE-10 Emergency Shutoff
  • PE-11 Emergency Power
  • PE-12 Emergency Lighting
  • PE-13 Fire Protection
  • PE-14 Temperature and Humidity Controls
  • PE-15 Water Damage Protection
  • PE-16 Delivery and Removal
  • PE-17 Alternate Work Site
  • PE-18 Location of Information System Components
  • PE-19 Information Leakage

 

Filed Under: DIARMF, physical risk Tagged With: nist risk management framework 800-37, nist sp 800-53, Physical and Environmental Protection, physical risk, risk, risk management, risk management framework, rmf, security controls

Primary Sidebar

search

Learn to Make 6 Figures in CyberSecurity

Cyber Security How to make up to 6 Figures
6 figures in Cyber Security

This course explains how I have been able to consistently make 6 figures doing cyber security. There is a method that I have used during my development in cyber security. I am presenting that method to you.

View Course

Teleworking - IT Remote Work
Teleworking – IT Remote Work

Teleworking is something I have been doing for the last 5 years. This is how I did it.

Find Teleworking IT Jobs

View Course

RMF ISSO Foundations Training
RMF ISSO Foundations Training

RMF ISSO Foundations

I was an Information System Security Officer (ISSO) doing Risk Management Framework (NIST SP 800-37) for over a decade. I am a Cybersecurity veteran and I can explain (in plain English) what you DO in the Risk Management Framework process as an ISSO.

View Course

NIST SP 800-37 Presentation
NIST SP 800-37 Presentation

View Course

login

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Posts

  • ConvoCourses podcast: Cyber Security day to day activity
  • ConvoCourses podcast – Cyber Security Therapy Sessions
  • ConvoCourses podcast: privacy protection overview resume review
  • Listing Lab work on Cybersecurity Resume
  • My Security Control Assessor Course

Meta

  • Register
  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Recent Comments

  • horloge on SCAP Compliance Checker SCC)
  • 218 Information assurance Success Criteria – ITSECURITYSURVIVAL.COM on Information Assurance Vulnerability Alert
  • Disa Help Desk | VinHomesData.com on STIG Update – DISA has released the Oracle Java Runtime Environment (JRE) 8 STIG Version 1
  • Bruce Brown on DIARMF – Continuous Monitoring
  • dpresbit on DIARMF – Continuous Monitoring

Tags

8140 8570 ArcSight c&a CISSP colorado cyber cybersecurity cyber security denver DIACAP DIARMF diarmf - implement disa DISA STIG dodd 8140 dodd 8140 cyberspace workforce HBSS IA implement implementation info assurance information assurance information security ISSO job jobs Linux mcafee nist nist risk management framework nist risk management framework 800-37 podcast risk risk assessment risk management risk management framework rmf security SIEM STIG stigs unix VMWare windows

Copyright © 2021 · Author Pro on Genesis Framework · WordPress · Log in