Considering the recent risk assessment, it was identified that Red Clay Renovations needs to formalize its security measures to protect the information infrastructure in the company's headquarters and field offices. Furthermore, to maintain the information systems effectively, the company needs to revise its security controls and establish effective responses to prevent information leakage and other incidents. Therefore, this briefing examines security control classes and security control families that address potential Red Clay risks.
NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, describes three control classes: management, operational, and technical. The management control class focuses on the overall design of risk management. This class is often referred to as administrative control, since it establishes the policies and rules that define a secure environment. Operational controls are responsible for the day-to-day effectiveness of security; they relate to security methods that concentrate on mechanisms implemented and executed by people (Swanagan, 2020). They often require technical expertise, since they depend in part on technical controls. At the most basic level, technical controls mitigate the risks of vulnerabilities in hardware and software (Swanagan, 2020). In addition, automated tools help protect vital assets; for instance, they can recognize traffic misuse and security violations. All three classes are necessary to protect information systems, and they are most effective when implemented together.
Three control families that can mitigate risks for Red Clay Renovations are planning, system and communications protection, and access control. Planning controls are specific to the organization's security planning policy. They should consider the purpose, scope, roles, responsibilities, management commitment, coordination between departments, and compliance with the organization's requirements. The system and communications protection control family is responsible for protecting the systems and the communications between them. It includes such measures as boundary protection, protection of information in transit, cryptographic protection, denial-of-service protection, and others (Swanagan, 2020). Finally, the access control family deals with regulating users' access to information services. According to Peacock (n.d.), "this includes who has access to what assets and reporting capabilities like account management, system privileges, and remote access logging" (para. 2). These controls are mainly used to determine which user has access and at what level.
The planning control family includes PL-1 Security Planning Policy and Procedures and PL-2 System Security Plan. The first control can benefit Red Clay Renovations by defining the scope of the company's security planning and keeping its security guidance documentation current (Assessment of pivotal cloud, n.d.; Tierney, 2021). The second control will be helpful for the organization because it establishes the security requirements for each system and describes the operational context in which the information systems run.
The system and communications protection family includes two controls that can help mitigate risks for Red Clay. First, SC-3 Security Function Isolation requires that application workloads hosted on the platform be separated from privileged security functions, so that a compromised application cannot tamper with the mechanisms that protect it (Assessment of pivotal cloud, n.d.). Second, SC-7 Boundary Protection will benefit Red Clay as well, because it monitors and controls communications at the external boundary and at key internal boundaries of the network and limits the number of external network connections to the system.
Finally, the access control family offers two beneficial controls for Red Clay. First, AC-8 System Use Notification requires that the company display a system use notification (a login banner) on the user's login interface before access is granted (NIST 800-53 rev. 5, 2019). In addition, AC-21 Information Sharing will benefit the company by enabling authorized users to determine whether a given recipient is permitted to receive the information before sharing it, and by supporting that decision with automated mechanisms where possible. Combined with the other controls above, this reduces the risk of information leakage.
Assessment of pivotal cloud foundry against NIST SP 800-53(r4) controls. (n.d.). VMware. Web.
NIST 800-53 rev. 5: What it is, and why you should care. (2019). Securicon. Web.
Peacock, J. (n.d.). NIST SP 800-53 control families explained. CyberSaint Security. Web.
Swanagan, M. (2020). The 3 types of security controls (Expert explains). PurpleSec. Web.
Tierney, M. (2021). NIST 800-53: A guide to compliance. Netwrix. Web.