The fundamental concepts associated with security control selection and specification are: the structure and organization of the security controls, security control baselines, the identification and use of common security controls, security controls in external environments, security control assurance, and future revisions to the security controls. The process of selecting and specifying security controls for an organizational information system includes: applying the organization’s approach to managing risk, categorizing the information system and determining the system impact level, selecting the baseline security controls, and assessing the security controls as part of a comprehensive continuous monitoring process.
THE FUNDAMENTALS
Security Control Organization and Structure - In the security control selection and specification process, controls are organized into seventeen families. Table 1.1 of Special Publication 800-53 [2.1] lists the identifier, the family name and the class of each family:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
Security Control Baselines - To assist organizations in making the appropriate selection of security controls for an information system, the concept of baseline controls is introduced in accordance with FIPS 199 and FIPS 200, respectively (see the URLs below).
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Common Controls - The organization assigns responsibility for common controls to appropriate organizational officials and coordinates the development, implementation, assessment, authorization, and monitoring of the controls.
Security Controls in External Environments - Organizations are responsible and accountable for the risk incurred by use of services provided by external providers and address this risk by implementing compensating controls when the risk is greater than the authorizing official or the organization is willing to accept.
Security Control Assurance - The actions taken by security control assessors to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Revisions and Extensions - The security controls in the security control catalog are expected to change over time, as controls are withdrawn, revised, and added. A stable, yet flexible and technically rigorous set of security controls will be maintained in the security control catalog.
THE PROCESS
Managing Risk - The management of risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization.
Categorizing the Information System - The security controls applied to a particular information system are commensurate with the potential adverse impact on organizational operations, organizational assets, individuals, other organizations, and the Nation should there be a loss of confidentiality, integrity, or availability. FIPS 199 requires organizations to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.
Selecting Security Controls - There are three steps in the control selection process, carried out sequentially: selecting the initial set of baseline security controls, tailoring the baseline security controls, and supplementing the tailored baseline.
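The categorization and three-step selection process described above, carried through in code. This is an added example, not code from SP 800-53 or NIST: the information types, the mini-catalog, its baseline allocations, and the tailoring and supplementing rationales are all constructed for illustration (the family names match SP 800-53, but which baseline each control sits in here is made up). The aggregation rules are the published ones: per FIPS 199 a system takes, for each objective, the highest impact of any information type it handles, and the single impact level that drives baseline selection is the high-water mark across confidentiality, integrity and availability, as FIPS 200 applies it.

```python
from dataclasses import dataclass

# FIPS 199 impact levels, ranked so max() returns the higher level.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """FIPS 199 categorization: per objective, the system inherits the highest
    impact level of any information type it processes. The overall impact level
    used to pick a baseline is the high-water mark across the three objectives."""
    per_objective = {
        obj: max((t[obj] for t in info_types), key=IMPACT_RANK.__getitem__)
        for obj in OBJECTIVES
    }
    overall = max(per_objective.values(), key=IMPACT_RANK.__getitem__)
    return per_objective, overall


@dataclass(frozen=True)
class Control:
    ident: str
    family: str
    min_baseline: str  # lowest baseline (low/moderate/high) that includes it


# Constructed mini-catalog: allocations are invented for this example and are
# NOT the SP 800-53 baseline tables.
CATALOG = [
    Control("AC-1", "Access Control", "low"),
    Control("AU-2", "Audit and Accountability", "low"),
    Control("AU-10", "Audit and Accountability", "high"),
    Control("CP-8", "Contingency Planning", "moderate"),
    Control("CP-9", "Contingency Planning", "low"),
    Control("IR-4", "Incident Response", "low"),
    Control("PE-3", "Physical and Environmental Protection", "low"),
    Control("SC-7", "System and Communications Protection", "low"),
    Control("SC-8", "System and Communications Protection", "moderate"),
]

# Constructed information types processed by the hypothetical system.
INFO_TYPES = [
    {"name": "public web content", "confidentiality": "low",
     "integrity": "moderate", "availability": "low"},
    {"name": "customer records", "confidentiality": "moderate",
     "integrity": "moderate", "availability": "low"},
]

# Constructed tailoring/supplementing decisions, each with its documented reason.
NOT_APPLICABLE = {"CP-8": "scoping: constructed reason for this example"}
COMMON_CONTROLS = {"PE-3", "IR-4"}  # provided organization-wide, inherited by the system
ADDITIONS = {"AU-10": "risk assessment: constructed reason for this example"}


def select_baseline(catalog, impact):
    """Step 1: initial baseline = every control allocated at or below the impact level."""
    return {c.ident for c in catalog
            if IMPACT_RANK[c.min_baseline] <= IMPACT_RANK[impact]}


def tailor(baseline, not_applicable, common_controls):
    """Step 2: apply scoping guidance (remove controls with a recorded rationale)
    and designate common controls, which the system inherits rather than implements."""
    tailored = baseline - set(not_applicable)
    inherited = tailored & set(common_controls)
    return tailored, inherited, tailored - inherited


def supplement(system_specific, additions, catalog):
    """Step 3: add controls the risk assessment shows the tailored baseline lacks."""
    known = {c.ident for c in catalog}
    unknown = set(additions) - known
    if unknown:
        raise ValueError(f"supplemental controls not in catalog: {sorted(unknown)}")
    return system_specific | set(additions)


@dataclass
class SelectionResult:
    impact: str
    per_objective: dict
    baseline: set
    inherited: set
    system_specific: set
    decisions: list  # audit trail: why each control was removed or added


def plan_controls(info_types, catalog, not_applicable, common_controls, additions):
    """Run categorization and the three selection steps, keeping the rationale."""
    per_objective, impact = categorize_system(info_types)
    baseline = select_baseline(catalog, impact)
    _, inherited, specific = tailor(baseline, not_applicable, common_controls)
    final = supplement(specific, additions, catalog)
    decisions = [f"removed {c}: {why}" for c, why in not_applicable.items() if c in baseline]
    decisions += [f"inherited {c} as common control" for c in sorted(inherited)]
    decisions += [f"added {c}: {why}" for c, why in additions.items()]
    return SelectionResult(impact, per_objective, baseline, inherited, final, decisions)


if __name__ == "__main__":
    result = plan_controls(INFO_TYPES, CATALOG, NOT_APPLICABLE, COMMON_CONTROLS, ADDITIONS)
    print("impact level:", result.impact, result.per_objective)
    print("system-specific controls:", sorted(result.system_specific))
    print("\n".join(result.decisions))
```

The `decisions` list is the part a practitioner should not skip: every control dropped during tailoring and every control added during supplementing carries its rationale, which is what an assessor later checks when judging whether the selected set is commensurate with the system's categorization.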
Monitoring Security Controls - The continuous monitoring program includes an ongoing assessment of security control effectiveness to determine whether the currently deployed set of security controls needs to be modified or updated because of changes in the information system or its environment of operation.