Control by Control

Page content

You don’t read the glossary because no one reads that but how often do you jump straight to the end of a document to read an appendix?

Be truthful.

Well maybe you don’t but sometimes you really should.

Building the Tower

Information Security controls have been a hot topic lately. Actually the discussion has been more around the lack of controls or how poorly the controls were implemented. In the InfoSec industry there are lots of definitions for these controls. Many major governing, financial and auditing bodies have their own set of them or their own framework to explain them. In doing so they just about build their own security language.

This proliferation is also how we got to the infamous number of cross-references for controls we have in the security world. You have three pages of controls and then ten pages of cross-references where they explain why their controls are almost just the same but somehow they add extra value. The many sets of controls have become The Tower of Babel for security professionals.

The Need for Esperanto

Maybe we don’t need Esperanto but we do need to look for more ways to use what we have and build upon it to make it better. We could be putting more energy into refactoring and improving than building new.

No matter how much you like or dislike them the most stable set of control definitions is from NIST. To be more specific it is the NIST Special Publication 800-53 Rev 4. These controls are the most widely referenced controls for security today.

One of the most interesting points about the 800-53 document is that all the good stuff is at the end.

F-1 is a full list or catalog of all the main security controls. These controls covered the main security goals of Confidentiality, Integrity and Availability (CIA). This was good for government agencies but it was missing an aspect for the commercial sector. The commercial sector is also worried about regulations and privacy issues. These are alluded to in the basic CIA triad but the triad does not provide the full coverage needed.

Revision 4 of the NIST 800-53 included a control catalog just for privacy issues. For many industries this is an important change. It now makes the 800-53 a lot more cross-industry capable and should eventually remove some of the need for so many different control frameworks.

Here is the first half of what is included:

With the addition of the privacy controls industries can now use this as a much broader reference than before. This is especially true if you are a regulated company.

The End

Revisit the NIST offerings. It continues to be updated and be made more useful.

Now we need to take a look at how this fits into the CyberSecurity Framework update that was just released a couple of weeks ago. Maybe we can look at that next time.