Let me see. So D Truth is saying, "Hey Bruce, I have a question for you in regards to inheritance." Oh man, somebody else asked me this question today; I was out shopping or something and I meant to answer this one. "What would be the best practice to review current controls that an organization should be inheriting from another associated enclave?"

Okay, so first of all, let's explain what inheritance is, and a good example of inheritance. Let me give you one security control family that's really primed for inheritance, that is usually inherited. So let's go back to NIST 800-53. Let's keep this very simple, very cut and dry and very plain so we can understand it.

So these are all the security controls. You've got technical security controls. A technical security control might be audit logs: you have to turn audit logs on. If you didn't know, even the system that you're on, your phone, your laptop, wherever you happen to be watching this, it has something where it can collect logs. The reason why logs are important in environments is to fix systems, to catch somebody trying to infiltrate your system, or to see leaked data going out of your system, things like that. That's a technical security control that you would enable by going into the settings of the system.

Other controls might be configuration management. That's making sure that the organization has a set standard of how the templates are being done on all workstations in an environment: every workstation looks exactly the same, it has the same security pattern, the same image throughout the whole organization. And then whenever it's changed, you would go to a meeting, normally a CCB, a board where everybody meets up and says, "Okay, we're going to change from Windows 10 to Windows 11," or Windows 11 to Windows whatever. So that would be a CM control.

Now let's talk about one that's normally inherited. An inherited control would be a physical security control. The difference between these controls is that the first example I gave you was a system control: you have to go on the system and turn some sort of security on, on that particular system. That is a system-level control. Then you have something called common controls. A common control is an inherited control. Common means everyone in the organization will do X; anybody who comes in our facility will have X security, will do X. So a physical control typically meets this criteria, not always, but it usually meets it, and I'll explain what I mean by that. Let's go into this control and I'll show you, and then we'll get to your question, D Truth. I just want to invite everybody into this conversation so that they can get an understanding of what we're talking about here.

So a common control is usually a physical control. Why is it a common control, how is it used, how is it done, and why is it inherited? That's what we're going to talk about. Okay, so the reason why it's a common control is because everyone who comes in the facility is beholden to the physical security controls. So if you come into the facility, you can't bring your own personal laptop into the facility; that's one thing an organization might have as a rule. Another thing is, in the facility, all mission essential systems have to be locked in an environment that only authorized personnel can access. A good example of that would be a restricted area. So all those systems in there are beholden to a common control for protecting the physical security of that control. So that one would be PE-3, Physical Access Control. See that one right there, PE-3. This is a common control; it's inherited by every system that is in that office. Any systems that are in the rack of servers in that restricted area will have control of physical access, so that it's protected by, of course, a door, and a key card system maybe, or a locking mechanism that only authorized people can use to come into that facility. So that is an inherited control: every system that comes in there is inheriting that particular physical control.

Now this isn't just physical controls. You can have inherited and common controls; common controls are inherited, so we'll just refer to them as common controls. Those controls are not only physical controls. You can have logging be a common control; you can have personnel security be controlled by the common control. Now what all common controls have in common is this: it is controlled by another organization. A whole other organization or body or department within your organization is controlling that, and those are typically called a common control provider. And this is how we get into this question here. So whenever we as information systems security officers have to do this work, we have to contact the common control provider. Now it depends on what level of effort. If we're doing a security assessment, we would have to contact them and get information, because they control it, so we have to go through them. We have to go through the gatekeepers of this particular control family.

Let me see your question. So now that we have some idea of the difference between a normal technical security control and a common control, let's answer this question. Okay: "I have a question in regards to inheritance. What is the best practice to review current controls that an organization should be inheriting from an associated enclave?" So they're talking about common controls from another enclave, I believe, if I'm interpreting this right. So I've actually had to do this before on a couple of different occasions, and it depends on how the organization handles it, but what I'll do is just give you a couple of examples of how we did this: the best practice for reviewing current controls that an organization should be inheriting from another enclave.

Okay, so in the private sector I had to do this. The names will be changed to protect the innocent, obviously; I'm a security guy, I'm not trying to destroy my career by using real information. But let's say we had a healthcare client, and the healthcare client had just bought another company, and this little enclave was going to inherit the controls of this other system. So in this case the organization said, "Right now we just inherited them and we're still going through the legal process of adopting all of their systems, so right now we're not going to touch this system." I say that to say that it depends on how the organization wants to handle it, okay, and I'll get to other examples that are probably more in line with what you want to do. So the first thing you want to do as an information security officer, as a security compliance person, is determine what the organization wants to do.

All right, what is the best practice for reviewing... oh shoot, hold on a second. Wow, what the heck just happened there. For reviewing current controls that an organization should be inheriting from an associated enclave. Okay, so here's another example. I was working for a federal organization and their whole thing was different. What we did was, we had two different enclaves that were touching, and so the security controls were overlapping: one was inheriting some of the controls from the other one. So the other system had its own system security plan, and for this other one we were developing system security plans, and we were reviewing the security plan on this one. Essentially it was a federal cloud system, and we had to review the existing cloud system security plan and other documentation that they had, and that was not controlled by us. So what we did was we looked at our security control families. Let's say we looked at AU controls, since we've been talking about that one; AU controls are logging controls. We're looking at those logging controls, but then there's overlap with other logging. Let's say it was a platform as a service, and that means that the other organization was using AWS cloud to do their security. So in this instance, we reviewed those controls that they controlled, that they have complete control over, but we reviewed what they had in place to see if there's anything we can do in the documentation. What we did was we referred to their document. That's what we did in that particular situation. It's situational, right? So if you give me a little bit more context, I might be able to answer your question effectively.

In the first organization, where there were two different enclaves and one had security controls and was inheriting other security controls, they told us, "Don't worry about it." All right, so first of all, talk to the organization; they will guide you. Do not try to wing it, do not try to improv. Ask the organization what they want you to do. Number one, okay. And then in the second situation I told you about, it was a cloud-based federal system, and we had to review our side of the controls, which was a system that's on premises, and then there was another portion of that system that was in the cloud. We didn't control the part that was in the cloud, so we had to get their documentation. When we were reviewing our controls, on let's say AU-3, we had to look at their documentation. First of all we reviewed their document to see how they talked about AU controls, that particular AU-3, and then in our documents we referred to theirs: "Look, it's in their document, here's how they describe it." We even took the text directly from their document and put it in ours to address it.

Let me see if I answered that: review current controls that an organization should be inheriting from another associated enclave. Let me see if you gave me more examples. And then you say, "Bruce, it's the same person, just more in-depth questions I sent before." Let me see. "Bruce, I have a question for you." Okay, so what would be the best practice to review current controls? Number one best practice: talk to the organization on how they want to handle it. Don't wing it, don't do improv. Ask your organization how we handle it. Number one, because they might say, "Don't even worry about their controls, don't worry about these particular controls, we're worried about ours." Okay, that's number one. How do you review current controls that the organization should be inheriting from another? Okay, number two is this: if it's a common control provider, that means the other enclave, and they control that piece, you have to talk to them to review those controls, because you don't have direct control over those. So you have to talk to the common control provider, that would be the other enclave. And that's what we did in the second example I gave you. We talked to them, we said, "Okay, here's what we're doing: we're reviewing these controls, you guys control this set of controls. Do you have any documentation on it? Can we get a meeting on this?" We were trying to get as much information as we could about that particular part of the system. So we were able to get their documentation, read through it, and say, "Okay, here's what they're doing." So I hope that answers your question; I hope I understood it correctly. "Should be inherited from another associated enclave": that's how I've had to do it in the past. But number one, make sure you ask your organization how we want to treat it, and then number two, if it's controlled by another organization, get as much information from them as possible to see how they're controlling it.

And in another situation, what we did was we had to get the GPO, because another organization had a GPO that they controlled, and so we just got their GPO, the global policy (I forget what the O means). We had to look at their policies and see, okay, how are they doing the passwords, how complex are the passwords, how this, how that. We had to look at the actual GPO to determine how it's affecting our system. It depends on the situation is how I could best put it, but if you follow those two things I just said: make sure you ask your organization how we're going to treat it, don't wing it, and then number two, ask the common control provider, whoever is controlling that, get some insight from them. That should help you out. Hope that answers your question; that's how I've done it in the past, and if I'm wrong, there's plenty of people who follow me who have more insight than me on how to do that.
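An added example, not from Bruce's stream, that models the review he describes: for each control in the system's SSP, is it system-level, and if it is common or hybrid, has a common control provider been named, has that provider's documentation been obtained, and does it actually cover the control. The enclave names, document titles and SSP rows are constructed sample data; the control ids are NIST SP 800-53 identifiers.

```python
from dataclasses import dataclass, field

@dataclass
class ControlEntry:
    """One control row from the system's own SSP (NIST SP 800-53 control id)."""
    control_id: str
    origination: str             # "system", "common" (inherited) or "hybrid"
    provider: str = ""           # common control provider that owns the inherited part
    evidence: list[str] = field(default_factory=list)  # the system's own evidence

# Constructed sample: what each provider enclave's documentation says about its controls.
PROVIDER_DOCS = {
    "Facilities Enclave": {"PE-3": ["Badge-reader policy for the restricted server room"]},
    "Cloud Enclave": {"AU-2": ["Platform event catalogue"], "AU-3": ["Log record content spec"]},
}
# Constructed sample SSP for the system under review (provider names are made up).
SYSTEM_SSP = [
    ControlEntry("AU-2", "hybrid", "Cloud Enclave"),                 # system part has no evidence yet
    ControlEntry("AU-3", "common", "Cloud Enclave"),
    ControlEntry("AU-12", "common", "Cloud Enclave"),                # provider docs are silent on it
    ControlEntry("CM-2", "system", evidence=["Baseline image v7"]),
    ControlEntry("IA-5", "common", "Domain Enclave"),                # GPO owner, docs not obtained yet
    ControlEntry("PE-3", "common", "Facilities Enclave"),
    ControlEntry("PE-6", "common"),                                  # nobody named as provider
]

def review_inheritance(ssp: list[ControlEntry], provider_docs: dict) -> dict[str, str]:
    """Return {control_id: status}; any status containing 'GAP' needs follow-up with the CCP."""
    result = {}
    for e in ssp:
        if e.origination == "system":
            result[e.control_id] = "system-level: verify the setting on the system itself"
            continue
        if not e.provider:
            result[e.control_id] = "GAP: no common control provider named"
            continue
        docs = provider_docs.get(e.provider)
        if docs is None:
            result[e.control_id] = f"GAP: no documentation obtained from {e.provider}"
        elif not docs.get(e.control_id):
            result[e.control_id] = f"GAP: {e.provider} documentation does not cover this control"
        else:
            result[e.control_id] = f"inherited from {e.provider}: cite {docs[e.control_id][0]}"
        if e.origination == "hybrid" and not e.evidence:
            result[e.control_id] += "; GAP: system-owned portion has no evidence"
    return result

def open_gaps(result: dict[str, str]) -> list[str]:  # ids still needing the org or the provider
    return sorted(c for c, s in result.items() if "GAP" in s)
```

Running `review_inheritance(SYSTEM_SSP, PROVIDER_DOCS)` on the sample data yields one cite line per inherited control and four gaps (AU-2, AU-12, IA-5, PE-6), each naming who to go back to.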