In part 2 of this series, we investigate implementing the Risk Management Framework’s Select step using a data-driven approach. The main objective of the Select step is to “select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.” To achieve this, you first analyze the security and privacy objectives that were defined in the Categorize step. Second, you determine which controls implement those objectives, using predefined baseline sets of controls and/or a more granular tailoring approach.
The Data-driven answer to “Select”
From a data-driven perspective, when you apply security controls you also need to enrich the supporting data set with additional entities that model the security domains of those controls. These additional entities, and their associated attributes and events, are linked to the risk management subjects identified in Step One – Categorize, so that you can capture the data required to assess whether those controls are correctly implemented and operating effectively. In Q-Compliance, we support this with a high-performance analytics data model that complements the foundational data model representing the risk management subjects, as shown in Figure 1.
In Q-Compliance when you select and apply controls to your systems, you are not doing that to just fill out the Minimum Required Controls section of your System Security Plan or to list them in the spreadsheet of your Security Controls Traceability Matrix. When you apply controls to your system in Q-Compliance, you are also applying the purpose-built analytics based on the control analytics data model that will help you continuously monitor and assess the effectiveness of those controls. Q-Compliance includes hundreds of out-of-the-box analytics that cover the controls from the world’s most comprehensive security controls catalog — NIST 800-53, as shown in Figure 2.
Q-Compliance makes it easy to select and apply controls to your information systems. You can select a single high-water mark impact level for a system, or specify individual impact levels for the confidentiality, integrity, and availability objectives, and Q-Compliance will automatically apply the required controls based on the NIST 800-53 and CNSSI 1253 standards. You can also create and apply custom overlays with predefined sets of controls. For fine-grained tailoring, you can apply or remove individual controls and control enhancements, inherit from common control providers, and add specialized control guidance and extensions. With our Dynamic Control Architecture, you can even select and apply custom controls. Whichever method you use to apply controls to your systems, you are also automatically applying the corresponding analytics that will help you assess and monitor those controls in steps four and six of the RMF.
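The selection logic described above (a single high-water mark baseline, per-objective impact levels, an overlay, and individual tailoring with inheritance from a common control provider) can be modelled in a few dozen lines. The following is an added example written for this article; it is not Q-Compliance's code and does not represent its data model. The control identifiers are real NIST SP 800-53 names, but their baseline and objective membership in `CATALOG`, the `Control`/`build_selection`/`orphan_enhancements` names, and the per-objective `min_level` rule standing in for CNSSI 1253's per-objective tables are all constructed for illustration. The final check flags a tailoring mistake that is easy to make by hand: removing a base control while keeping one of its enhancements.

```python
"""RMF Select step: baseline selection, overlay and tailoring (added example).

Constructed model, not Q-Compliance's implementation. Control IDs are real
NIST SP 800-53 identifiers; their baseline/objective membership below is a
constructed sample and must not be used as an authoritative catalog.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # FIPS 199 impact levels, ascending


def rank(level: str) -> int:
    """Order impact levels so they can be compared."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Control:
    id: str
    baselines: frozenset   # high-water-mark baselines containing it (constructed)
    objective: str         # primary objective served: "C", "I" or "A" (constructed)
    min_level: str         # lowest level of that objective at which it applies (constructed)


CATALOG = {c.id: c for c in [
    Control("AC-1",     frozenset(LEVELS),               "C", "low"),
    Control("AC-2",     frozenset(LEVELS),               "C", "low"),
    Control("AC-2(1)",  frozenset({"moderate", "high"}), "C", "moderate"),
    Control("AU-6",     frozenset(LEVELS),               "I", "low"),
    Control("AU-6(1)",  frozenset({"moderate", "high"}), "I", "moderate"),
    Control("CP-9",     frozenset(LEVELS),               "A", "low"),
    Control("CP-9(1)",  frozenset({"moderate", "high"}), "A", "moderate"),
    Control("SC-7",     frozenset(LEVELS),               "C", "low"),
    Control("SC-7(4)",  frozenset({"moderate", "high"}), "C", "moderate"),
    Control("SC-7(21)", frozenset({"high"}),             "C", "high"),
]}


def high_water_mark(c: str, i: str, a: str) -> str:
    """FIPS 199 high-water mark: the system's level is the highest objective level."""
    return max((c, i, a), key=rank)


def select_hwm_baseline(level: str) -> set:
    """Single-baseline selection: every control tagged for that baseline."""
    return {cid for cid, ctl in CATALOG.items() if level in ctl.baselines}


def select_by_objectives(c: str, i: str, a: str) -> set:
    """Per-objective selection (CNSSI 1253 style, simplified): a control applies
    when the impact level of its objective reaches the control's min_level."""
    levels = {"C": c, "I": i, "A": a}
    return {cid for cid, ctl in CATALOG.items()
            if rank(levels[ctl.objective]) >= rank(ctl.min_level)}


def build_selection(base: set, overlay_add=(), overlay_remove=(),
                    tailor_add=(), tailor_remove=(), inherited=()) -> dict:
    """Layer an overlay and individual tailoring over a baseline.

    Returns {control id: provenance}, which is what an SSP / traceability
    matrix needs: not just the final list, but why each control is there."""
    sel = {cid: "baseline" for cid in base}
    for cid in overlay_add:
        sel[cid] = "overlay"
    for cid in overlay_remove:
        sel.pop(cid, None)
    for cid in tailor_add:
        sel[cid] = "tailored-add"
    for cid in tailor_remove:          # removals need a documented justification
        sel.pop(cid, None)
    for cid in inherited:              # satisfied by a common control provider
        if cid in sel:
            sel[cid] = "inherited"
    unknown = sorted(cid for cid in sel if cid not in CATALOG)
    if unknown:
        raise KeyError(f"controls not in catalog: {unknown}")
    return sel


def orphan_enhancements(selection: dict) -> list:
    """Enhancements (e.g. AC-2(1)) whose base control (AC-2) was tailored out."""
    return sorted(cid for cid in selection
                  if "(" in cid and cid.split("(")[0] not in selection)


if __name__ == "__main__":
    hwm = high_water_mark("low", "moderate", "low")
    selection = build_selection(select_hwm_baseline(hwm),
                                overlay_add=("SC-7(21)",),
                                tailor_remove=("CP-9(1)",),
                                inherited=("AC-1",))
    for cid, why in sorted(selection.items()):
        print(f"{cid:<9} {why}")
    print("orphans:", orphan_enhancements(selection))
```

Running the module applies a moderate high-water-mark baseline, adds one control through an overlay, removes one enhancement by tailoring and marks AC-1 as inherited, then reports no orphaned enhancements. The per-objective selection for the same (low, moderate, low) system is a strict subset of the moderate baseline, which is the point of the finer-grained approach: it avoids applying confidentiality enhancements to a system whose only elevated objective is integrity.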
The benefits of using Q-Compliance’s data-driven approach to implement Step Two – Select include:
- Quick and flexible mechanisms to select and apply controls to your information systems
- High-performance control analytics data model to help you collect the data needed to assess and monitor the controls
- Automatic application of hundreds of out-of-the-box analytics that will help you assess and monitor the controls
- Dynamic Control Architecture that lets you apply multiple control libraries and analytics besides NIST 800-53, even custom controls