@NTXISSA
Four Deadly Traps in Using
Information Security Frameworks
Doug Landoll
CEO
Lantego
April 25, 2015
www.lantego.com
(512) 633-8405
dlandoll@lantego.com
Session Agenda
• Framework Definition & Uses
• NIST 800-53 Framework Intro & Uses
• Four Traps of Frameworks
• Conclusion
Framework Definition
Framework – skeletal structure designed to support something.
Security Frameworks – structure to help organize and prioritize information security programs.
Security Framework Uses
Structure
• Organization for the creation or review of an information security program
Reference
• Connection with other frameworks, standards, and requirements.
Completeness
• Thorough treatment of security controls
NIST 800-53 Intro: “FISMA Five”
• FIPS Pub 199: Security Categorization – System: Low, Moderate, or High
• NIST 800-37: Guide for C&A – Certification & Accreditation Process
• FIPS Pub 200: Minimum Security Controls – 18 Control Families
• NIST 800-53: Recommended Security Controls – 800+ security controls
• NIST 800-53A: Techniques for Verifying Effectiveness – How to audit controls
SP 800-53 Catalog of Controls
• Organized and structured set of security controls
• 18 Security Control Families
ID  FAMILY
AC  Access Control
AT  Awareness and Training
AU  Audit and Accountability
CA  Security Assessment and Authorization
CM  Configuration Management
CP  Contingency Planning
IA  Identification and Authentication
IR  Incident Response
MA  Maintenance
MP  Media Protection
PE  Physical and Environmental Protection
PL  Planning
PS  Personnel Security
RA  Risk Assessment
SA  System and Services Acquisition
SC  System and Communications Protection
SI  System and Information Integrity
PM  Program Management*
SP 800-53 Control Structure
• Security Control Structure
Control Ref. # and Name
Control Section
Supplemental Guidance
Control Enhancements
References
Priority & Baseline Allocation
Control Reference & Name
• Within each security control family are a number of
security controls. These security controls are numbered.
Ref.
AU-1 Audit and Accountability Policy and Procedures
AU-2 Audit Events
AU-3 Content of Audit Records
AU-4 Audit Storage Capacity
AU-5 Response to Audit Processing Failures
AU-6 Audit Review, Analysis, and Reporting
AU-7 Audit Reduction and Report Generation
AU-8 Time Stamps
AU-9 Protection of Audit Information
… …
Control Section
• Each security control is described as a requirement.
Control: The information system generates
audit records containing information that
establishes what type of event occurred, when
the event occurred, where the event occurred,
the source of the event, the outcome of the
event, and the identity of any individuals or
subjects associated with the event.
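The AU-3 statement above lists six things an audit record must establish. The following check, added here as an example (not from the slides or from NIST), runs that list over constructed JSON log lines and reports which elements each record fails to establish; the field names it maps to the AU-3 elements are assumptions about a hypothetical log format.

```python
import json

# AU-3 elements, taken from the control statement, mapped to the field names
# of this constructed JSON log format (an assumption; adjust to your logs).
# Any one of the listed fields satisfies the element.
AU3_ELEMENTS = {
    "type":     ("event",),
    "when":     ("ts",),
    "where":    ("host",),
    "source":   ("src_ip", "src"),
    "outcome":  ("outcome",),
    "identity": ("user", "subject"),
}

def au3_gaps(record):
    """Return the AU-3 elements that a parsed record does not establish."""
    return [elem for elem, fields in AU3_ELEMENTS.items()
            if not any(record.get(f) not in (None, "") for f in fields)]

def check_log(lines):
    """Check JSON log lines (numbered from 1) against AU-3.

    Returns (gaps, unparseable): gaps maps a line number to the elements it
    lacks (compliant lines are omitted); unparseable lists lines that are not
    JSON objects, which is itself a finding when assessing AU-3.
    """
    gaps, unparseable = {}, []
    for no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValueError("not a JSON object")
        except ValueError:          # json.JSONDecodeError is a ValueError
            unparseable.append(no)
            continue
        missing = au3_gaps(record)
        if missing:
            gaps[no] = missing
    return gaps, unparseable

# Constructed sample: a complete record, a record missing outcome and
# identity, and a line that is not JSON at all.
SAMPLE_LOG = [
    '{"ts": "2015-04-25T10:01:02Z", "host": "web01", "event": "login", '
    '"src_ip": "10.0.0.5", "user": "alice", "outcome": "success"}',
    '{"ts": "2015-04-25T10:01:09Z", "host": "web01", "event": "file_read", '
    '"src_ip": "10.0.0.7"}',
    'Apr 25 10:01:15 web01 sshd[123]: unstructured syslog text',
]

if __name__ == "__main__":
    print(check_log(SAMPLE_LOG))
```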
Supplemental Guidance
• Supplemental guidance provides non-prescriptive additional
information to guide the definition, development, and
implementation of the security control.
• Operational considerations
• Mission/business considerations
• Risk assessment information.
Supplemental Guidance: Audit record content that may be necessary to satisfy the
requirement of this control includes, for example, time stamps, source and destination
addresses, user/process identifiers, event descriptions, success/fail indications, filenames
involved, and access control or flow control rules invoked. Event outcomes can include
indicators of event success or failure and event-specific results (e.g., the security state of
the information system after the event occurred). Related controls: AU-2, AU-8, AU-12, SI-11.
Control Enhancements
• Control enhancements provide statements of security capability to:
• Add function/specificity to the control, or
• Increase the strength of the control.
Control Enhancements:
(1) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION
The information system generates audit records containing the following additional
information: [Assignment: organization-defined additional, more detailed information].
(2) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT
RECORD CONTENT
The information system provides centralized management and configuration of the
content to be captured in audit records generated by [Assignment: organization-defined
information system components].
References
• References section includes a list of applicable
documents relevant to the security control:
• federal laws,
• Executive Orders,
• directives,
• policies,
• regulations,
• standards, and
• guidelines
Priority & Baseline Allocation
• Priority provides guidance for sequencing decisions
• Baseline Allocation – starting point for the security control selection
process based on system categorization (Low, Moderate, High)
Baseline columns: LOW | MOD | HIGH
Control Assignment
• Controls may be augmented through assignment and
selection options within control statements.
• Assignment: Organizationally defined
AU-2 AUDIT EVENTS
The organization:
…
(3) AUDIT EVENT | REVIEWS AND UPDATES
The organization reviews and updates the audited events
[Assignment: organization-defined frequency].
800-53 Example
Control Selection
• Controls may be augmented through assignment and
selection options within control statements.
• Selection: Organizationally defined
IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
Control: The information system uniquely identifies and authenticates [Assignment:
organizational defined specific and/or types of devices] before establishing a
[Selection (one or more): local, remote, network] connection.
800-53 Example
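The Assignment and Selection placeholders shown in the AU-2(3) and IA-3 excerpts above are what tailoring must fill in; a control with an unfilled parameter is not yet a requirement that can be assessed. The parser below is an added example (not from the slides or from NIST) that extracts both placeholder kinds from quoted control text, fills them with organization-defined values, and reports any parameter left undefined or any Selection value not among the options the control offers; the filled-in values are constructed.

```python
import re

# Placeholder syntax used in SP 800-53 control statements:
#   [Assignment: organization-defined frequency]
#   [Selection (one or more): local, remote, network]
PARAM_RE = re.compile(r"\[(Assignment|Selection)(?:\s*\(([^)]*)\))?:\s*([^\]]+)\]")

def find_parameters(control_text):
    """List (kind, constraint, body) for every placeholder, in order."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in PARAM_RE.finditer(control_text)]

def tailor(control_text, values):
    """Fill placeholders, in order, with organization-defined values.

    values: one entry per placeholder; None means 'not yet defined'.  A
    Selection value is a list of chosen options and must come from the options
    the control offers (exactly one unless the control says '(one or more)').
    Returns (tailored_text, problems).
    """
    pending, problems = iter(values), []

    def fill(m):
        kind, constraint, body = m.group(1), m.group(2), m.group(3).strip()
        value = next(pending, None)
        if value is None:
            problems.append(f"{kind} left undefined: {body}")
            return f"[UNFILLED {kind}: {body}]"
        if kind == "Assignment":
            return str(value)
        offered = [o.strip() for o in body.split(",")]
        chosen = list(value) if isinstance(value, (list, tuple)) else [value]
        bad = [c for c in chosen if c not in offered]
        if bad or not chosen:
            problems.append(f"Selection {bad} not among offered {offered}")
            return f"[INVALID Selection: {body}]"
        if (constraint or "").strip() != "one or more" and len(chosen) != 1:
            problems.append(f"Selection requires exactly one of {offered}")
            return f"[INVALID Selection: {body}]"
        return ", ".join(chosen)

    return PARAM_RE.sub(fill, control_text), problems

# Control text as quoted on the slides (AU-2(3) and IA-3 from SP 800-53).
AU2_3 = ("The organization reviews and updates the audited events "
         "[Assignment: organization-defined frequency].")
IA3 = ("The information system uniquely identifies and authenticates "
       "[Assignment: organizational defined specific and/or types of devices] "
       "before establishing a [Selection (one or more): local, remote, network] "
       "connection.")
```

Running `tailor(IA3, ["wireless access points", ["remote", "network"]])` yields a fully defined statement, while `tailor(IA3, [None, ["bluetooth"]])` returns two problems: an undefined Assignment and a Selection outside the offered options.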
Security Controls: Risk-based Process
• NIST:
• An organizational risk assessment validates the initial
security control selection and determines if additional
controls are needed.
• Example:
• System categorization (Standard | Protected) determines
initial security control selection.
• Organizational | System risk assessment provides rationale
for additional, compensating, or deleted security controls
from initial selection.
Framework Uses: NIST 800-53 Example
Structure
• 18 Security Control Families
Reference
• Includes crosswalks to ISO27001 & CC
• CC -> 800-53; 800-53 -> CC
• ISO 27001 -> 800-53; 800-53 -> ISO 27001
Completeness
• Organizational, Management and Technical Controls
Example Policies Based on 800-53 Framework
Policy #  Policy Name
P8110  Data Classification
P8120  Information Security Program
P8130  System Security Acquisition
P8210  Security Awareness Training and Education
P8220  System Security Maintenance
P8230  Contingency Planning
P8240  Incident Response Planning
P8250  Media Protection
P8260  Physical Protections
P8270  Personnel Security Control
P9280  Acceptable Use
P8310  Account Management
P8320  Access Control
P8330  System Security Audit
P8340  Identification and Authentication
P8350  System and Communication Protection
P8410  System Privacy
Four Framework Traps
1. False Frameworks
2. Compliance via Assertion
3. Tailoring by Judgment
4. One and Done
False Frameworks
• Regulations and Standards not Frameworks:
• Incomplete and focus solely on specific data and
security policies
• HIPAA
• PCI DSS
• “Industry Best Practices”
• No available references, not industry recognized,
likely incomplete and not structured.
• AKA: Our own secret sauce
• Smoke and Mirrors
Compliance via Assertion
• Embracing a Framework is step one.
• Next Steps
• Interpret
• Apply
• Assess
• Address gaps
Tailoring by Judgment
• Frameworks are tailorable through an
exception process or a risk based process.
• Tailoring based on gaps, “judgment”, and
cost limits the benefits of a framework
One and Done
• A security program based on a framework will
require maintenance
• Frameworks get updates
• ISO 27001/2: Updated Sept 2013
• NIST 800-53: Updated April 2013
• COBIT 5: Updated 2012
• Other Updates
• References, Mappings, Business & Customer
Requirements
• Reassess regularly
Conclusions
• Determine appropriate framework for the
business
• Add requirements (these are not frameworks)
• Embrace the framework and its tailoring
process
• Beware framework traps
• It’s just a framework – there is a lot more
work to do.
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – April 24-25, 2015
Thank you