Last week you defined your IT system as ABC University Admin Office and the information processed or stored on it that requires protection
Risk Management Framework(RMF) Step 2: Select
Our Organization for this project: ABC University Admin Office
Last week you defined your IT system as ABC University Admin Office and the information processed or stored on it that requires protection. This week we start to define how you will protect it.
Please refer the other attached PDF for Step 1: RMF_STEP_1_Categorize.pdf for last week categorization which you completed. That document has purpose of the office, list of roles, and information types.
Your text describes controls and safeguards as “mechanisms, policies, or procedures that can successfully counter attack, reduce risk, resolve, vulnerabilities, and otherwise improve security within an organization.” It had a great discussion on controls last week (pp. 158-159), dividing them into three categories, managerial, operational, and technical.
NIST includes these categories, but divides their controls into 18 families:
1. AC – Access Control
2. AU – Audit and Accountability
3. AT – Awareness and Training
4. CM – Configuration Management
5. CP – Contingency Planning
6. IA – Identification and Authentication
7. IR – Incident Response
8. MA – Maintenance
9. MP – Media Protection
10. PS – Personnel Security
11. PE – Physical and Environmental Protection
12. PL – Planning
13. RA – Risk Assessment
14. CA – Security Assessment and Authorization
15. SC – System and Communications Protection
16. SI – System and Information Integrity
17. SA – System and Services Acquisition
Assignment Requirements:
Review the below Low Impact Controls baseline. Select one control from each of the 17 families
Low Impact Controls baseline: https://nvd.nist.gov/800-53/Rev4/impact/low
Create a report in which you explain how your ABC University Admin Office will apply each control. In your report:
1. Identify each control you selected for 17 families
2. Explain in at least a paragraph for each control, how you apply each control and whether you are compliant or not. Be specific.
For example,
CA-8, Penetration Testing, requires the organization conduct penetration testing within a defined frequency on a defined system.
ABC University Admin Office has a contract with UCanTrustUs.ru for monthly penetration testing of all assets within our system, to include the workstations and fileservers. This is redhat testing, so no IP, hostname or other system information is provided to facilitate testing. Representative Goober gets the results emailed within in 10 days of the testing, and sometimes sooner, via WikiLeaks. We are compliant with this control.