Security Control Mastery Road Map
Mastering the implementation of NIST SP 800-53 based security controls is easily a multi-year effort. The catalog contains approximately 1,200 controls and control enhancements spanning 20 control families. After categorization, most systems will have roughly 300 to 450 of those controls allocated to them. This training focuses on the most common baseline controls that we find ourselves implementing for our clients. I will share many real-world scenarios and show how these controls are implemented, since implementations are more alike than different from one client or agency to the next. In my years of training people on control implementation and working in the industry, I have picked up many perspectives from a lot of smart people on how they implement these same controls. We will decompose every control by sub-control (control enhancement) and thoroughly review the "discussion" section of each control until everyone is comfortable with the material and with how to implement the control in their own operational environment. We need to be realistic about how many controls we can learn, as no single training session can cover them all. This series is organized to cover as many critical controls as possible. More detailed information follows:
Mastering Security Controls One at a Time
Instructor Intro
I am Ernest Smith and would consider myself an elder statesman in RMF and Security Control Assessing. I have a master's in cybersecurity and a bachelor's in information security. I used to have a lot of certs but choose to keep up only the CISSP and Project Management Professional (PMP) nowadays (I am very heavy into project management and process improvement). I have been active in the world of RMF for more than 12 years. I am still very active in the world of RMF as well, working projects of all kinds for all sectors. I have assessed, on behalf of authorizing officials, everything from small aircraft all the way up to top secret worldwide networks as a lead assessor and member of assessment teams. I actively do ISSO/ISSM work as well. Last, I actively advise, at the agency level, AOs, SCAs, ISSOs, ISSMs, Project Managers, and any other position where RMF clarity and understanding is needed. I have a large network of other SCAs and RMF POCs that will help us all overall. To all of the other elder statesmen and experienced assessors out there, it is our job to put our arms around the up-and-comers to improve the SCA profession. Everyone, please join in and create an assessor community where we are all actively sharing and getting better.
Course Information
$1,299
4 Sundays, 2 to 3 hours per session
Training Certificate of Completion, 12 hours of training
Course Outline
Session 1
• Formal introduction to NIST SP 800-53, Rev 5
• Defining the different types of information systems
• Errata Review
• Understand the relationship between requirements and security controls
• Control Structure and Organization (Anatomy)
• Establishing policy and procedures for all security control families (Dash Ones, etc.)
• Implementation Approaches: Common, Hybrid, and System-Specific Controls
• Security Controls vs Privacy Controls
• Initial Intro to Trustworthiness and Assurance Cases
• Time permitting, topics of discussion chosen by student(s)
Session 2
• Access Control Family Purpose
• Access Control Policy and Procedures (AC-1)
• Account Management (and select enhancements) (AC-2)
• Access Enforcement (and select enhancements) (AC-3)
• Information Flow Enforcement (and select enhancements) (AC-4)
• Separation of Duties (AC-5)
• Time permitting, security controls/topics of discussion chosen by student(s)
Session 3
• Least Privilege (and select enhancements) (AC-6)
• Unsuccessful Logon Attempts (AC-7)
• System Use Notification (AC-8)
• Concurrent Session Control (AC-10)
• Device Lock (and select enhancements) (AC-11)
• Session Termination (and select enhancements) (AC-12)
• Time permitting, security controls/topics of discussion chosen by student(s)
Session 4
• Permitted Actions Without Identification or Authentication (AC-14)
• Security and Privacy Attributes (AC-16)
• Remote Access (AC-17)
• Wireless Access (AC-18)
• Access Control for Mobile Devices (AC-19)
• Use of External Systems (AC-20)
• Information Sharing (AC-21)
• Publicly Accessible Content (AC-22)
• Data Mining Protection (AC-23)
• Time permitting, security controls/topics of discussion chosen by student(s)
