Understanding Security Controls
Quincey Jackson
CSOL, University of San Diego
CSOL-530-04-SU22 - Cyber Security Risk Management
July 25, 2022
Review of Selected Controls
BioHuman proposed to implement the following baseline controls into the risk
management framework: AC-1, AT-1, AU-1, CA-1, IA-1, IR-1, MA-1, PT-1, RA-1, SC-1, and
SI-1. Table 1 displays the security-control identifiers and complete names of each family.
Table 1: Security and Privacy Control Families (NIST SP 800-53, 2020)
Implementing Policies and Procedures
The newly selected security controls will cover the policy and procedures of each control
within the payroll system. Adopting and implementing policies and procedures will be essential
for adequate risk management of BioHuman’s high-impact payroll system. With organization
members accessing the information system from remote locations, on corporate networks, and
via IoT devices, the newly implemented policies and procedures are important because they will
contribute to security and privacy assurance. According to NIST (2020), policies are also
flexible. They can be included as part of the general security and privacy policy or be
represented by multiple policies. Procedures are needed because they describe how policies and
controls are implemented (NIST, 2020).
Implementing to meet Physical, Technical and Administrative Requirements
To achieve adequate protection from the selected security controls, it is imperative to
ensure that all controls are working together to achieve maximum protection. There are no
universal controls capable of covering every border of an information system, so cybersecurity
organizations implement security safeguards that are tailored to fit the physical, technical, and
administrative requirements of their information systems. Physical safeguards prevent or limit
physical access to company resources (Kruse, 2017). An example of a physical security control
is the Access Control safeguard that was selected. This type of safeguard is designed to prevent
any unauthorized access to information or resources. An example of this would be physical
access to BioHuman's corporate offices. A receptionist or clerical worker with a keycard at the
corporate office would only be authorized to use their keycard in limited places of the office
building. Management, however, would have a keycard with full access to the building. The
receptionist has no need for a keycard with full access. Limiting each keycard to the areas its
holder needs is a way to limit both internal and external attacks.
Technical safeguards are similar to physical safeguards because both are designed to limit
access to only authorized personnel (Kruse, 2017). Access control can also be categorized as a
technical safeguard. Instead of facility access and physical safeguards, technical access control
would limit data and private information to authorized users only. For example, if an
organization member needed to reset their password to the payroll system, only Human Resources
would be equipped to handle this matter. Allowing a team member or manager to change another
user's password or access information from that user's account could create security threats. Human
Resources would have a documented procedure for issuing a new password-reset link.
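The two access-control examples above (keycards limited to the zones a role needs, and password resets restricted to Human Resources) share one design: deny by default, grant only what the role requires, and record every decision so that users are accountable for activity on the system. The following Python model is an added illustration written for this page; it is not BioHuman's configuration or the paper's own material, and every role, zone, account name, and policy table in it is a constructed example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed policy tables (illustrative, not BioHuman's real configuration).
# Keycards: each role is granted only the zones it needs (least privilege).
ZONE_POLICY: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({"lobby", "mail_room"}),
    "manager": frozenset({"lobby", "mail_room", "office_floor", "server_room"}),
}

# Payroll system: actions each role may perform. Only HR may issue a
# password-reset link; a manager is deliberately not granted that action.
ACTION_POLICY: Dict[str, FrozenSet[str]] = {
    "employee": frozenset({"view_own_payslip"}),
    "manager": frozenset({"view_own_payslip", "approve_timesheet"}),
    "hr": frozenset({"issue_password_reset_link"}),
}

# Actions that may only target the requesting user's own account.
SELF_ONLY_ACTIONS = frozenset({"view_own_payslip"})


@dataclass
class AuditLog:
    """Accountability record: every decision, allow or deny, is retained."""
    entries: List[dict] = field(default_factory=list)

    def record(self, subject: str, role: str, resource: str,
               decision: str, reason: str) -> None:
        self.entries.append({"subject": subject, "role": role,
                             "resource": resource, "decision": decision,
                             "reason": reason})


def badge_zone(subject: str, role: str, zone: str, log: AuditLog) -> bool:
    """Physical safeguard: deny-by-default keycard check against ZONE_POLICY.

    An unknown role maps to an empty grant set, so it is denied everywhere.
    """
    allowed = zone in ZONE_POLICY.get(role, frozenset())
    log.record(subject, role, f"zone:{zone}",
               "allow" if allowed else "deny",
               "role grants zone" if allowed else "zone not in role's grant")
    return allowed


def authorize_action(subject: str, role: str, action: str,
                     target_account: str, log: AuditLog) -> bool:
    """Technical safeguard: deny-by-default check of a payroll-system action.

    Two rules are enforced in order: the role must be granted the action, and
    self-only actions must target the requesting user's own account.
    """
    resource = f"{action}@{target_account}"
    if action not in ACTION_POLICY.get(role, frozenset()):
        log.record(subject, role, resource, "deny", "action not granted to role")
        return False
    if action in SELF_ONLY_ACTIONS and target_account != subject:
        log.record(subject, role, resource, "deny",
                   "self-only action targeted another account")
        return False
    log.record(subject, role, resource, "allow", "role grants action")
    return True


def denials(log: AuditLog) -> List[dict]:
    """Reviewer's view: only the denied attempts, for follow-up."""
    return [e for e in log.entries if e["decision"] == "deny"]


if __name__ == "__main__":
    log = AuditLog()
    # Constructed scenarios mirroring the paper's two examples.
    badge_zone("r.patel", "receptionist", "server_room", log)   # denied
    badge_zone("m.chen", "manager", "server_room", log)         # allowed
    authorize_action("m.chen", "manager", "issue_password_reset_link",
                     "r.patel", log)                            # denied
    authorize_action("h.ortiz", "hr", "issue_password_reset_link",
                     "r.patel", log)                            # allowed
    authorize_action("r.patel", "employee", "view_own_payslip",
                     "m.chen", log)                             # denied
    for entry in log.entries:
        print(entry)
```

Two design choices carry the weight here. Lookups use `dict.get(role, frozenset())` so that a role missing from the policy table is denied rather than raised as an error or silently allowed, and the audit log records denials as well as allows, because the denied attempts are what a reviewer of the payroll system most needs to see.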
Administrative safeguards make use of resources such as policies, procedures and
organizational-wide practices (Kruse, 2017). For the BioHuman payroll system, policies and
procedures will be used for every security control implemented, to ensure all members and users
of the payroll system will be held accountable for all activity on the system.
Physical safeguards like Access Control and administrative safeguards like Awareness and
Training are two controls that would help manage internal and external threats; however, there
may be technical areas that need more protection. Adding technical safeguards like
Maintenance or Incident Reporting, two controls that keep the systems updated and produce
reports on behavior within the information system while suggesting new controls to adopt, is an
example of how BioHuman's controls are implemented to meet physical, technical, and
administrative requirements.
Conclusion
Some information systems may accommodate thousands of members in an organization.
Without policies and procedures adopted to set the expectations for proper and adequate risk
management, the information systems will be full of threats and vulnerabilities that put the
organization and information systems at serious risk of undergoing an attack. While policies and
procedures are not enough to protect an information system, they are needed to govern the
minimum security requirements of an information system (FIPS, 2006). Therefore, AC-1, AT-1,
AU-1, CA-1, IA-1, IR-1, MA-1, PT-1, RA-1, SC-1, and SI-1 will be implemented and tailored to
meet physical, technical and administrative requirements. This will give the organization the best
shot at maximum, cost-efficient, protection.
References
Kruse, C. S., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security techniques for the
electronic health records. Journal of Medical Systems, 41(8), 1-9.
NIST. (2020). NIST Special Publication 800-53 Revision 5. Retrieved from
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
FIPS 200. (2006). Standards for security categorization of federal information and
information systems. NIST FIPS, 200.
Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., Rogers, G., & Lee, A. (2005).
Recommended security controls for federal information systems. NIST Special
Publication, 800-53.