What's the Meaning of Sc in the Control Family
NIST 800-53 Family Reports
by Cody Dumont
November 13, 2015
The National Institute of Standards and Technology (NIST) develops many standards that are available to all industries. A common set of standards is NIST 800-53. For each of the 18 NIST families, a separate report provides the detail discovered during compliance scans. The 18 families are described in NIST Special Publication 800-53 Revision 4. Each family contains security controls related to a general security topic. Each security control was designed to help organizations, both private and public, select the controls best suited to protect mission-critical services. Implementing these controls properly can help in the defense against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
The NIST families and controls are not a checklist-type compliance standard like HIPAA, PCI, or CSF; rather, they are a catalog of controls that are used in achieving compliance with those standards. Using this report can assist the organization in understanding how it currently meets various standards. The first chapter is a series of indicator matrices showing management the controls that have been audited. Following the Executive Summary is a chapter for each family that contains bar charts with network summaries and tables providing lists of identified hosts.
These reports cover the 18 NIST families currently supported by Tenable audit files, which report the result of an audit check as one of three severity levels. The advisory severity level is considered a pass. The pass is achieved when the configuration setting matches the expected result of the audit check. The match can be a defined value or a range of values. The "Nessus Compliance Checks" document, available in the Tenable Support Portal, contains details on how to edit the audit files. When an audit check fails, the severity is set to high, indicating that the collected result and the expected result do not match. A mismatch may not mean a failure. Each failure should be reviewed and verified to ensure the expected result is correct. If the expected result is not correct, then the audit file should be modified and the scan should be run again. Results assigned a medium severity must be evaluated by an analyst to determine whether or not the results are accurate.
The elements in this report use audit files released after 1 July 2013 that contain the reference tag that maps many audit checks to a corresponding standard. In the case of this report, the audit files must contain a string similar to '800-53|IA-5' on the reference line of the applicable audit check.
For example: 'reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6'
Please note that if you are creating your own filters and reports, the '800-53: IA-5' shown in the example is actually '800-53|IA-5' in the data query.
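The following is an added example, not code from the Tenable report or its audit files. It parses a reference line of the form shown above into its STANDARD|CONTROL pairs, maps each 800-53 control to its family, applies a data-query style filter written with '|', and tallies constructed sample results per family using the three severities the report describes. The family table and sample checks are assumed for illustration.

```python
from collections import defaultdict
# NIST SP 800-53 Rev. 4 family identifiers and the family names used in this report.
NIST_FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability", "CA": "Security Assessment and Authorization",
    "CM": "Configuration Management", "CP": "Contingency Planning",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning",
    "PS": "Personnel Security", "PM": "Program Management",
    "RA": "Risk Assessment", "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}

def parse_reference(line):
    """Parse a 'reference:' line into {standard: [control, ...]}; tokens are
    comma separated STANDARD|CONTROL pairs, and a token with no '|' is skipped."""
    body = line.split(":", 1)[1] if line.lstrip().startswith("reference") else line
    refs = defaultdict(list)
    for token in body.strip().strip('"').split(","):
        std, sep, ctrl = token.strip().partition("|")
        if sep and std and ctrl:
            refs[std].append(ctrl)
    return dict(refs)

def nist_families(refs):
    """Family IDs an audit check maps to: the prefix before '-' in IA-5, CM-6, AC-2(1)."""
    fams = {ctrl.split("-", 1)[0] for ctrl in refs.get("800-53", [])}
    return {f for f in fams if f in NIST_FAMILIES}

def matches_filter(line, query):
    """True when a data-query filter written with '|' (e.g. '800-53|IA-5') matches."""
    std, _, ctrl = query.partition("|")
    return ctrl in parse_reference(line).get(std, [])
# Constructed sample results: (reference line, severity of the check), using the
# page's three severities: advisory = pass, high = fail, medium = analyst review.
SAMPLE_CHECKS = [
    ("reference: CCE|CCE-8912-8,800-53|IA-5,PCI|8.5.12,800-53|CM-6", "advisory"),
    ("reference: 800-53|AC-2,800-53|IA-5", "high"),
    ("reference: 800-53|SC-7", "medium"),
]
def family_summary(checks):
    """Count results per family, as each family chapter of the report breaks them out."""
    summary = defaultdict(lambda: {"advisory": 0, "high": 0, "medium": 0})
    for line, severity in checks:
        for fam in nist_families(parse_reference(line)):
            summary[fam][severity] += 1
    return dict(summary)
```

A filter written as '800-53: IA-5' (the display form) does not match because the query syntax uses '|'; the `matches_filter` function makes that difference visible.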
This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- SecurityCenter 4.8.2 or SecurityCenter 5.1
- Nessus 8.4.0
- Audit files containing NIST references
Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Tenable.sc Continuous View (CV) measures compliance in real time without human intervention, allowing the organization to identify gaps and lapses, which are detected and prioritized immediately. With more supported technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure, Tenable.sc CV provides the best solution for managing compliance with regulations. Tenable provides peace of mind to customers, because Tenable.sc CV detects security and compliance issues before our competitors.
A report for the following NIST families is available.
- Access Control: The Access Control family is a series of controls that determine the settings used for limiting access to systems and information stored on the systems. Some of the controls provide guidance on account management and privilege assignments. The guidance provided helps to address the assignment of roles and define business functions. Other settings covered include login time, screen saver requirements, and similar activity-based controls. The guidance for users that require access to system-level resources or administrative rights is discussed in the controls. Developers and program managers can use these controls to understand session timeout settings and recommendations of least privilege.
- Awareness and Training: The Awareness and Training control assists with measuring the control and effectiveness of security controls. The metrics provide visibility into how well security controls protect systems and how well users understand the controls in use. As of 2015, there are only a few audit checks that measure this control, and therefore this content may often be blank.
- Audit and Accountability: The Audit and Accountability family provides the mechanism to record policy violations and related activities. The control provides guidance on log retention policies and configurations. The family also provides information on what data should be retained in each log. Time synchronization is important when performing incident response. Data collected using audit and accountability methods should use a common NTP server, and other guidelines related to timestamps are covered in this family.
- Security Assessment and Authorization: The Security Assessment and Authorization family provides guidance for the effective implementation of security controls and enhancements. Guidance for corrective actions and related milestones is reported in this family. Other information with respect to penetration testing and other internal systems audits is described in this family.
- Configuration Management: The Configuration Management family focuses on baseline establishment and identifying the minimal software installations. Many of the important details concerning change control and configuration management are described in this family.
- Contingency Planning: The Contingency Planning family contains many of the auditable settings for backup and recovery of systems. The settings include detecting the backup of sensitive data, scheduling backups, and other related settings.
- Identification and Authentication: The Identification and Authentication family primarily focuses on the configuration settings concerned with authentication systems. The controls provide detailed guidance on tracking users employed by the organization, as well as guests, contractors, shared accounts, and service accounts. Some settings will also validate the configuration of RADIUS, TACACS, and two-factor authentication.
- Incident Response: The Incident Response family identifies auditable settings to support incident response efforts. The controls most often related to this family pertain to log retention settings. Windows computers are known for overwriting event logs, and therefore setting a maximum log size could be beneficial for incident response.
- Maintenance: The Maintenance family provides guidance on how to perform, document, and audit records of maintenance and repairs on information systems. The organization should track the maintenance activities of support personnel regardless of the location of equipment and personnel. Guidance that tracks impacted security controls is also discussed in this family.
- Media Protection: The Media Protection family provides information on how to maintain the security of digital media. By offering guidance on how to configure media controls, classification markings, storage policies, and usage, this family can help an organization in using digital media more securely.
- Physical and Environmental Protection: The Physical and Environmental Protection family provides guidance on physical security requirements. Using logs from digital locks and other physical controls connected to the network, the Log Correlation Engine (LCE) can correlate the events, which analysts can monitor for anomalies. Information leakage is also addressed in this family, providing guidance on how to address signal leakage and other electronic communication controls.
- Planning: The Planning family provides guidance on information security architecture and describes the overall philosophy, requirements, and approach organizations take with regard to protecting the confidentiality, integrity, and availability of information. The focus of this family is to illustrate how the security controls and control enhancements meet security requirements, but it does not provide detailed technical descriptions of the specific design or implementation of the controls/enhancements. By setting interfaces to a security context with the appropriate controls, the organization can illustrate planning for the required security levels.
- Personnel Security: The Personnel Security family provides guidance on handling personnel-related issues such as termination, promotion, transfer, and other related tasks. The audit checks look for common settings that can assist with these tasks.
- Program Management: The Program Management family provides guidance on facilitating compliance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Additionally, the audits in this family provide a vehicle for the organization to document all of the security controls in a central repository.
- Risk Assessment: The Risk Assessment family provides guidance on the requirements to perform risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the nation based on the operation and use of information systems.
- System and Services Acquisition: The System and Services Acquisition family provides guidance on using service-based software such as Telnet, HTTP, and other services. Tenable audit files look for some services that are known to be unauthorized, such as Telnet. However, the organization should review the content to ensure authorized services are detected. These settings should be reviewed and customized to meet the local policies for the organization.
- System and Communications Protection: The System and Communications Protection family provides guidance on how to implement protected communications for a system. One aspect is the separation of duties, such as making sure the administrative interface is not part of the regular user interface. Other controls are limiting direct hardware access, memory address space controls, intrusion detection, and other methods of monitoring system resources.
- System and Information Integrity: The System and Information Integrity family provides guidance on monitoring information systems affected by known software vulnerabilities, email vulnerabilities (spam), error handling, memory protection, output filtering, and many other areas of security. Many of these audit checks will need to be customized and should be reviewed by the organization.
Source: https://www.tenable.com/sc-report-templates/nist-800-53-family-reports