Implementing Baseline Security Controls
Quincey Jackson
CSOL, University of San Diego
CSOL-530-04-SU22 - Cyber Security Risk Management
July 18, 2022
Understanding Baseline Security Controls
Baseline security controls must be selected and tailored to adequately manage the risks associated with a high-risk payroll information system such as BioHuman's. Before this can be achieved, BioHuman will need to develop policies and procedures that address the minimum security requirements for protecting the confidentiality, integrity and availability of BioHuman's payroll system (FIPS 200, 2006). These requirements may include a code of ethics, acceptable use policies, password policies and the like. Once these minimum requirements have been met, BioHuman will be able to select and implement controls that satisfy the established security and privacy requirements, based on the categorization of the system's impact levels.
Categorization
For a payroll system like BioHuman's, employee tax information, private financial information, company applications and much other private information reside in the information system. All of this information is considered confidential and should be protected. The potential impact from a loss of confidentiality would be high. If an attack pinpoints company applications, employees' private financial information can be compromised. Internal attacks can even lead to employee accounts and credentials within the company's applications being compromised as well. These types of attacks would cause lawsuits, fines and similarly catastrophic effects on BioHuman's operations, assets and individuals.
The potential impact from a loss of integrity is also high, because employees are protected by laws, policies and procedures that prohibit any unauthorized modification or destruction of payroll information. Before the implementation of full cloud services, the potential impact from a loss of availability in a payroll system would be moderate, because paper timesheets serve as a backup. However, with the crossover to cloud services, access to many more organizational applications will make it nearly impossible to back up everything on paper. This alone makes the potential impact from a loss of availability in BioHuman's new payroll system high. According to FIPS 200 (2006), a high-impact system is an information system in which at least one security objective is high. It is therefore safe to conclude that the payroll system is a high-impact system, and security controls can be implemented accordingly.
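As an added illustration (not part of the original paper), the following Python script applies the FIPS 199 high-water-mark rule described above: each security objective takes the highest impact of any information type the system processes, and the system's overall impact is the highest of its three objectives, so a single high objective makes the whole system high-impact. The information types and their per-objective impact levels are assumptions constructed from the discussion above, not values taken from a NIST table; the move_to_cloud function models the paper's argument that the paper-timesheet fallback no longer covers a fully cloud-hosted system.

```python
"""FIPS 199 high-water-mark categorization for a payroll system.

Added example. The information types and impact levels below are constructed
from the paper's discussion of BioHuman; they are assumptions, not NIST data.
"""
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so that max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Each information type carries a (confidentiality, integrity, availability) triple.
InfoTypes = Dict[str, Tuple[Impact, Impact, Impact]]


def categorize_objectives(info_types: InfoTypes) -> Dict[str, Impact]:
    """Per objective, the system's impact is the highest impact of any information
    type it processes (the FIPS 199 high-water mark within one objective)."""
    return {
        objective: max(levels[index] for levels in info_types.values())
        for index, objective in enumerate(OBJECTIVES)
    }


def system_impact(per_objective: Dict[str, Impact]) -> Impact:
    """Overall system impact: a system is high-impact if at least one security
    objective is high (FIPS 200), i.e. the maximum across objectives."""
    return max(per_objective.values())


def security_category(system_name: str, per_objective: Dict[str, Impact]) -> str:
    """Render the categorization in FIPS 199 notation:
    SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    pairs = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in per_objective.items())
    return f"SC {system_name} = {{{pairs}}}"


# Constructed information types for the payroll system before the cloud migration.
# Availability is MODERATE while paper timesheets still act as a fallback.
PRE_CLOUD: InfoTypes = {
    "employee tax information": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "employee financial information": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "company application accounts": (Impact.HIGH, Impact.HIGH, Impact.MODERATE),
}


def move_to_cloud(info_types: InfoTypes) -> InfoTypes:
    """Model the paper's argument: once every application is cloud-hosted the paper
    fallback cannot cover them, so availability rises to HIGH for each type."""
    return {
        name: (conf, integ, Impact.HIGH)
        for name, (conf, integ, _avail) in info_types.items()
    }


POST_CLOUD: InfoTypes = move_to_cloud(PRE_CLOUD)


if __name__ == "__main__":
    for label, info_types in (("pre-cloud", PRE_CLOUD), ("post-cloud", POST_CLOUD)):
        per_objective = categorize_objectives(info_types)
        print(label, security_category("payroll", per_objective))
        print(label, "overall impact:", system_impact(per_objective).name)
```

Running the script shows that the pre-cloud system is already high-impact through its confidentiality objective alone, and that the cloud migration raises availability to HIGH without changing the overall categorization; the value of the rule is that it makes explicit which objective drives the baseline, which is the information tailoring later depends on.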
Managerial, Operational and Technical Controls
Security controls are categorized by function and can be managerial, operational or technical (NIST SP 800-53, 2020). Managerial controls focus on security assessments, risk identification, the planning and selection of controls and several other system oversight elements. BioHuman will certainly need to run reports to actively manage risks. Operational controls cover physical elements such as security guards, employee training and security procedures carried out by people (NIST, 2020). Training for all employees falls under this category and will certainly be used for managing risks. Technical controls focus on system implementation, where IPS devices, access control lists and firewalls are created to protect the information system. BioHuman will need secure networks and cloud services with anti-malware applications to adequately secure all system deployments and implementations.
The policies and procedures selected for BioHuman will focus on data retention, strong password policies, acceptable use policies for employees and data ownership policies that ensure the organization's framework adequately manages risks. BioHuman will use an inheritable approach to implementing the payroll system's security controls. This is possible because there are other payroll systems from which BioHuman can adopt policies and procedures.
Control Types
The functions of BioHuman's security controls will be based on preventative, detective and compensating functions. Administrative preventative controls, such as organization-wide policies and procedures, will be implemented to prevent internal attacks on the payroll system, and technical preventative controls, such as anti-malware applications, will be implemented alongside them. Detective controls such as audit reports and incident reports will be necessary to adequately manage risks in all BioHuman information systems. Compensating controls will be necessary to protect BioHuman's payroll system in the case of an attack; it is important to have backup systems and contingency plans in place in the event of an attack.
Selecting Baseline Security Controls
After the policies, procedures and functions of the necessary security controls have been defined, it is possible to select the proper security and privacy controls needed for the organization. It is important to keep cost and effectiveness in mind when selecting these controls (NIST, 2020). Based on the high impact level that the BioHuman payroll system falls under, the following high-level security controls and their families have been selected: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization and Monitoring (CA), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), PII Processing and Transparency (PT), Risk Assessment (RA), System and Communications Protection (SC) and System and Information Integrity (SI). Table 1 displays the security and privacy control families.
Table 1: Security and Privacy Control Families (NIST SP 800-53, 2020)
Discussion
The selection of every security control is based on the impact of the loss of
confidentiality, integrity, and availability to the BioHuman payroll system. Once these controls
have been implemented, enhancements can be made to either add functionality or specificity to a
base control to increase the strength and effectiveness of the control (NIST, 2020).
Enhancements will also be needed to address the adverse organizational or individual impacts
that organizations may encounter.
Conclusion
Since BioHuman's new payroll system will process personally identifiable information, the organization has the responsibility of managing the security risks within the system. With other responsibilities and policies to fulfill, the selection of security controls may seem excessive before tailoring takes place. The baseline security control families chosen for BioHuman's payroll system are Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Assessment, Authorization and Monitoring (CA), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), PII Processing and Transparency (PT), Risk Assessment (RA), System and Communications Protection (SC) and System and Information Integrity (SI). These security controls will address the confidentiality, integrity and availability of BioHuman's payroll system. The controls will have to be tailored to the specific risks and threats unique to BioHuman, but the first phase, selecting inheritable controls similar to those adopted by similar organizations for their payroll systems, has been completed.
References
NIST. (2020). NIST Special Publication 800-53, Revision 5. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
NIST. (2006). FIPS Publication 200: Standards for security categorization of federal information and information systems.