How to Customize IT Security Controls

NIST Unveils Overlays as Tools to Help Tailor Security Controls

By , May 17, 2013.

Organizations in and out of government can more easily tailor their information security plans to fit their specific business missions and operational environments by using overlays, new tools introduced in the latest revision of the National Institute of Standards and Technology's information security controls guidance.


"We realize that organizations have to be able to develop their security plans that really talk to their specific mission," says NIST Fellow Ron Ross, who oversaw the drafting of the latest catalogue of IT security and privacy controls. "The overlay concept is introduced to allow that specialization."

NIST last month issued the latest version of its quintessential guidance: Special Publication 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations [see NIST Unveils Security, Privacy Controls].

Introduced in Revision 4 is the concept of overlays. Overlays provide a structured way for organizations to tailor security control baselines and develop specialized security plans that apply to specific business functions, environments of operation and/or technologies.

"You can select the right controls to do the job," Ross says in an interview with Information Security Media Group [transcript below]. "You start with our baseline controls and the low, the moderate and the high impact baselines. But it allows the customization that can eliminate controls or add additional controls as necessary."
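The tailoring process Ross describes (start from the low, moderate or high baseline, then apply an overlay that removes or adds controls) can be modelled in a few lines. The following is an added illustration, not NIST tooling or an NIST data format: the baseline membership shown is a constructed subset of the real baselines, and the overlay structure, the requirement that every change carry a rationale, and the function names are assumptions made for this example. The control identifiers themselves (AC-2, AC-17, PE-3, AP-1 and so on) are real SP 800-53 Rev. 4 identifiers.

```python
"""Toy model of SP 800-53 Rev. 4 baseline tailoring with overlays.

Added illustration only. The baselines below are a constructed subset and the
overlay format is an assumption; neither is NIST's own data or tooling.
"""
from dataclasses import dataclass

# Constructed, abbreviated baselines keyed by impact level. Real SP 800-53
# baselines contain far more controls; the membership here is illustrative.
BASELINES = {
    "low": {"AC-2", "AU-2", "IA-2", "SC-7"},
    "moderate": {"AC-2", "AC-17", "AU-2", "AU-6", "IA-2", "SC-7", "SC-8"},
    "high": {"AC-2", "AC-17", "AU-2", "AU-6", "IA-2", "SC-7", "SC-8", "SI-4"},
}


@dataclass
class Overlay:
    """An overlay: controls to add and to remove, each with a written rationale."""
    name: str
    add: dict     # control id -> rationale for adding it
    remove: dict  # control id -> rationale for removing it


class OverlayError(ValueError):
    """Raised when an overlay is internally inconsistent or undocumented."""


def validate_overlay(ov: Overlay) -> None:
    """Reject overlays that contradict themselves or lack a tailoring rationale."""
    both = set(ov.add) & set(ov.remove)
    if both:
        raise OverlayError(f"{ov.name}: controls both added and removed: {sorted(both)}")
    for cid, why in list(ov.add.items()) + list(ov.remove.items()):
        if not why or not why.strip():
            raise OverlayError(f"{ov.name}: no rationale recorded for {cid}")


def apply_overlays(impact: str, overlays):
    """Tailor the baseline for `impact` by applying overlays in order.

    Returns the sorted tailored control set and a decision log of
    (overlay name, action, control id, rationale) tuples. Removing a control
    that is not in the current set, or adding one already present, is a no-op
    and is not logged.
    """
    if impact not in BASELINES:
        raise OverlayError(f"unknown impact level {impact!r}")
    controls = set(BASELINES[impact])
    log = []
    for ov in overlays:
        validate_overlay(ov)
        for cid, why in ov.remove.items():
            if cid in controls:
                controls.discard(cid)
                log.append((ov.name, "removed", cid, why))
        for cid, why in ov.add.items():
            if cid not in controls:
                controls.add(cid)
                log.append((ov.name, "added", cid, why))
    return sorted(controls), log


if __name__ == "__main__":
    # Constructed overlays: an isolated enclave with no remote access, and a
    # privacy overlay drawing on the Appendix J privacy families.
    enclave = Overlay(
        "isolated-enclave",
        add={"PE-3": "enclave relies on physical access enforcement"},
        remove={"AC-17": "no remote access is offered in this environment"},
    )
    privacy = Overlay(
        "pii-processing",
        add={"AP-1": "system collects PII; authority to collect must be documented",
             "AR-1": "privacy program governance required"},
        remove={},
    )
    tailored, decisions = apply_overlays("moderate", [enclave, privacy])
    print("tailored controls:", tailored)
    for entry in decisions:
        print("  ", *entry)
```

Because the decision log records the overlay, the action and the rationale for every change, it doubles as the tailoring documentation an assessor would ask for when a baseline control has been dropped.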

In the interview, Ross discusses:

  • The growing importance of privacy in the new controls;
  • NIST's consideration of updating new controls online so users of the guidance don't need to wait until a printed version of the next revision is issued in 2015 or later; and
  • The reintroduction of the notion of assurance, or trustworthiness, of information systems.

Besides leading the Joint Task Force Transformation Initiative Interagency Working Group, Ross heads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure. He also serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.

Growing Importance of Privacy

ERIC CHABROW: NIST first published the catalog of controls in 2005, and the last time NIST updated 800-53 in 2009, the word "privacy" wasn't in the title. Why is privacy now an important element of Revision 4 of the guidance?

RON ROSS: Privacy has been a very important topic area for a very long time. We had our first special publication, 800-122, come out several years ago. That dealt with the confidentiality of personally identifiable information. In working with the CIO Council, the privacy subcommittee, we found that privacy goes well beyond just the protection of PII with regard to confidentiality. There are many other privacy-related issues that are very important. With this major revision of 800-53, Rev. 4, we took the opportunity to work with the privacy committee on the CIO Council, and the new privacy families and the privacy controls are patterned directly from the Fair Information Practice Principles. This is an international standard. It's well-recognized. We still have the Privacy Act of 1974 and all the OMB policy. The integration of the privacy controls into Appendix J of the new publication really brings back to the forefront and sits side-by-side with security now so the security and privacy teams can work together. They have a lot of overlap in what they do, but privacy goes well beyond what the traditional security aspects are.

Privacy Controls

CHABROW: Give us an example or two of the types of privacy controls in the revised guidance.

Follow Jeffrey Roman on Twitter: @gen_sec
