CSIA 413 Week 6: Discussion: Selecting & Implementing Security Controls

31 July, 2024

Selecting & Implementing Security Controls

Introduction

The purpose of this draft briefing paper is to introduce the Security Control Classes and Security Control Families related to Red Clay risks. The IT Governance Board and the Red Clay Board of Directors are familiar with financial controls but have not yet been introduced to the use of controls in the context of IT security (Feng, 2017). This paper aims to leverage their knowledge and provide a comprehensive understanding of the security measures required to protect the company’s information, information systems, and information infrastructure.

Description of Control Classes and IT Infrastructure Protection

The three control classes in the context of IT security are managerial, operational, and technical. Managerial controls involve the planning, risk assessment, and program management of the IT infrastructure. Operational controls deal with the awareness and training, contingency planning, and incident response of the IT infrastructure. Technical controls involve access controls, identification and authentication, and system and communication protection. Together, these control classes will work to provide a comprehensive and robust security framework for the Wilmington, DE Offices (Headquarters) of Red Clay Renovations.

Table Family Control Descriptions

From the management control class, we have chosen the Planning family control. The Planning family control ensures that the security requirements of the IT infrastructure are defined, documented, and integrated into the organization’s overall plans and processes. From the technical control class, we have chosen the Access Controls family control. The Access Controls family control manages the access to the IT infrastructure and its resources based on a set of predefined security rules. From the operational control class, we have chosen the Awareness and Training family control. The Awareness and Training family control provides the necessary training to the employees to help them understand the security risks and how to address them.

Family Control Protection and Red Clay’s IT infrastructure

The Planning family control will work to protect the Red Clay infrastructure by ensuring that the security requirements are clearly defined and integrated into the overall plans and processes (Parker, 2019). This control will also help in identifying potential risks and developing a comprehensive risk management plan to mitigate those risks. The Access Controls family control will work to protect the IT infrastructure by ensuring that only authorized users have access to sensitive information and resources. This control will also ensure that access to the infrastructure is monitored and recorded for auditing purposes. The Awareness and Training family control will work to protect the IT infrastructure by educating the employees on the security risks and how to address them. This control will also help in ensuring that the employees follow the defined security policies and procedures.

Sub-Family Control Examples

From the Planning family control, we have chosen the AC1 and AC6 sub-family controls. The AC1 sub-family control will ensure that the security requirements of the IT infrastructure are defined and documented. The AC6 sub-family control will ensure that the security risks associated with the IT infrastructure are identified and managed. From the Access Controls family control, we have chosen the AC1 and AC6 sub-family controls (Knapp, 2018). The AC1 sub-family control will ensure that access to the IT infrastructure and its resources is controlled based on predefined security rules. The AC6 sub-family control will ensure that access to the IT infrastructure and its resources is monitored and recorded for auditing purposes. From the Awareness and Training family control, we have chosen the AT1 and AT6 sub-family controls. The AT1 sub-family control will ensure that the employees receive the necessary training to understand the security risks and how to address them. The AT6 sub-family control will ensure that the employees are trained on the defined security policies and procedures.

Conclusion

In conclusion, the Security Control Classes and Security Control Families are critical components of the IT security framework for Red.

References

Knapp, E. D., & Samani, R. (2018). Applied cyber security and the smart grid: implementing security controls into the modern power infrastructure. Newnes.

Parker, D. B. (2019). A guide to selecting and implementing security controls. Information Systems Security, 3(2), 75-86.

Niu, Z., Zhou, K., Feng, D., Jiang, H., Wang, F., Chai, H., … & Li, C. (2017, September). Implementing and evaluating security controls for an object-based storage system. In 24th IEEE Conference on Mass Storage Systems and Technologies (MSST 2007) (pp. 87-99). IEEE.
