🛡️

Lecture on Inheritance and Security Controls

Jun 6, 2024

Lecture on Inheritance and Security Controls

Key Topics

  1. Understanding Inheritance in Security Controls
  2. Types of Security Controls
  3. Common Controls and Their Characteristics
  4. Practical Examples and Best Practices

Understanding Inheritance in Security Controls

  • Inheritance: The practice of adopting controls from another system or environment.
  • Often seen in organizations with overlapping or integrated systems.

Types of Security Controls

  • Technical Security Controls: Direct interactions with the system (e.g., enabling audit logs).
  • Configuration Management: Standardizing configurations across an organization’s devices.
  • Physical Security Controls: Restrictions on physical access to systems (e.g., locked rooms, key card access).

Common Controls and Their Characteristics

  • Common Controls: Controls that are inherited by multiple systems within an organization.
  • Examples of Common Controls:
    • Physical Security Control: e.g., PE3 (Physical Access)
    • Personnel Security: Security protocols involving employees
    • Logging: Can be a common control, e.g., Audit logs
  • Controlled by a different part of the organization known as Common Control Provider.

Practical Examples and Best Practices

General Steps

  1. Identify Organization’s Approach: Consult with organizational guidelines.
  2. Contact Common Control Provider: Engage with the body that controls the common controls.

Example Scenarios

  1. Private Sector Example:

    • Organization inherited controls from another acquired company.
    • Determined not to change inherited system until legal processes were complete.

  2. Federal Organization Example:

    • Overlapping of two enclaves; one inheriting controls from the other.
    • Referring to system security plans and documentation for controls review.
    • Involves reviewing audit (AU) controls and referring to documentation of cloud-based systems.

Best Practices

  1. Consult Organization: Determine how the organization wants to handle inherited controls.
  2. Documentation Review: Obtain necessary documentation from common control provider to review and reference in your own system security plans.
  3. Avoid Improvisation: Always align with organizational policies and common control providers.
  4. Detailed Review: For critical controls like AU (logging) or GPO (Global Policy Objects), review the specifics provided by the control provider.

Miscellaneous Tips

  • Understand the terminologies (e.g., CM for Configuration Management, AU for Audit Controls).
  • Use practical, non-sensitive examples for better clarity in explaining procedures.
  • Engage in meetings and gather all necessary documents and information from relevant departments or bodies controlling those common controls.

Conclusion

By following these best practices and steps, one can effectively manage and review inherited security controls within an organization, ensuring compliance and robust security across integrated systems.

Full transcript