In implementing recommended controls to mitigate risk, an organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for its IT systems and organization. Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization's mission. The control recommendation process will involve choosing among a combination of technical, management, and operational controls for improving the organization's security posture.

The trade-offs an organization will have to consider are illustrated by the decisions involved in enforcing complex user passwords to minimize password guessing and cracking. A technical control that requires add-on security software may be more complex and expensive than a procedural control, but it is likely to be more effective because the system automates enforcement. A procedural control, on the other hand, might be implemented simply by a memorandum to all concerned individuals and an amendment to the organization's security guidelines, but ensuring that users consistently follow the memorandum and guideline will be difficult and will require security awareness training and user acceptance.

This section provides a high-level overview of some of the control categories. More detailed guidance on planning and implementing IT controls can be found in NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, and NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook. Sections 4.4.1 through 4.4.3 provide an overview of technical, management, and operational controls, respectively.

4.4.1 Technical Security Controls
Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:
• Support (Section 4.4.1.1). Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
• Prevent (Section 4.4.1.2). Preventive controls focus on preventing security breaches from occurring in the first place.
• Detect and Recover (Section 4.4.1.3). These controls focus on detecting and recovering from a security breach.
Figure 4-3 depicts the primary technical controls and the relationships between them.
SP 800-30 Page 33
[Figure 4-3 is a diagram; only some of its box labels survive in this text: System Protections (least privilege, object reuse, process separation, etc.), Cryptographic Key Management, Protected Communications (safe from disclosure, substitution, modification, and replay), Access Control Enforcement, Proof of Wholeness, and Intrusion Detection and Containment.]
Figure 4-3. Technical Security Controls

4.4.1.1 Supporting Technical Controls
Supporting controls are, by their very nature, pervasive and interrelated with many other controls. The supporting controls are as follows:
• Identification. This control provides the ability to uniquely identify users, processes, and information resources. To implement other security controls (e.g., discretionary access control [DAC], mandatory access control [MAC], accountability), it is essential that both subjects and objects be identifiable.
• Cryptographic Key Management. Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and maintenance.
• Security Administration. The security features of an IT system must be configured (e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes in the operational environment. These features may be built into the operating system or the application, and commercial off-the-shelf add-on security products are also available.
• System Protections. Underlying a system’s various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from the perspective both of the design processes used and of the manner in which the implementation was accomplished. Some examples of system protections are residual information protection (also known as object reuse), least privilege (or “need to know”), process separation, modularity, layering, and minimization of what needs to be trusted.
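The residual-information (object reuse) protection listed above is easy to get wrong, because a compiler may legally drop a wipe of memory that is never read again. The following C program is an added example, not code from SP 800-30: it models a fixed-slot buffer pool (a constructed stand-in for any allocator that hands storage from one subject to the next) and shows that without clearing on release the second subject reads the first subject's secret, while a wipe through a volatile pointer removes it. The pool, slot sizes and the sample secret are all constructed for illustration.

```c
/* Residual-information protection (object reuse) in a fixed-slot pool.
 * Added example, not from SP 800-30. The pool layout, slot sizes and the
 * sample secret are constructed for illustration. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE  64
#define SLOT_COUNT 4

typedef struct {
    unsigned char data[SLOT_COUNT][SLOT_SIZE];
    int in_use[SLOT_COUNT];
    int clear_on_release;   /* 1 = wipe a slot before another subject can get it */
} pool_t;

static void pool_init(pool_t *p, int clear_on_release) {
    memset(p, 0, sizeof *p);
    p->clear_on_release = clear_on_release;
}

/* Wipe through a volatile pointer: a plain memset() on memory that is never
 * read again is a dead store that the optimizer may remove. */
static void secure_zero(void *buf, size_t len) {
    volatile unsigned char *v = (volatile unsigned char *)buf;
    while (len--) *v++ = 0;
}

/* Hand out the first free slot (first-fit, so a just-released slot is reused). */
static unsigned char *pool_acquire(pool_t *p) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = 1;
            return p->data[i];
        }
    }
    return NULL;
}

static void pool_release(pool_t *p, unsigned char *slot) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (p->data[i] == slot) {
            if (p->clear_on_release)
                secure_zero(slot, SLOT_SIZE);
            p->in_use[i] = 0;
            return;
        }
    }
}

/* Subject A stores a secret in a slot and releases it; subject B then acquires
 * the first free slot, which is the one A just used. Returns 1 if B can read
 * A's secret from the reused object, 0 if object reuse protection held. */
int residual_leak(int clear_on_release) {
    static const char secret[] = "session-key:0123456789abcdef"; /* constructed sample */
    pool_t pool;
    pool_init(&pool, clear_on_release);

    unsigned char *a = pool_acquire(&pool);
    memcpy(a, secret, sizeof secret);
    pool_release(&pool, a);

    unsigned char *b = pool_acquire(&pool);
    return memcmp(b, secret, sizeof secret) == 0;
}

int main(void) {
    printf("without clearing on release: leak=%d\n", residual_leak(0));
    printf("with clearing on release:    leak=%d\n", residual_leak(1));
    return 0;
}
```

The same idea applies to freed heap blocks, reused kernel pages and reallocated disk sectors: the enforcement point is wherever an object changes owner, and the wipe must be one the optimizer cannot remove (explicit_bzero(3) on glibc and the BSDs, or memset_s where C11 Annex K is available).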
4.4.1.2 Preventive Technical Controls
These controls, which can inhibit attempts to violate security policy, include the following:
• Authentication. The authentication control provides the means of verifying the identity of a subject to ensure that a claimed identity is valid. Authentication mechanisms include passwords, personal identification numbers (PINs), and stronger authentication technologies (e.g., tokens, smart cards, digital certificates, Kerberos).
• Authorization. The authorization control enables specification and subsequent management of the allowed actions for a given system (e.g., the information owner or the database administrator determines who can update a shared file accessed by a group of online users).
• Access Control Enforcement. Data integrity and confidentiality are enforced by access controls. When the subject requesting access has been authorized to access particular processes, it is necessary to enforce the defined security policy (e.g., MAC or DAC). These policy-based controls are enforced via access control mechanisms distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission sets, access control lists, roles, user profiles). The effectiveness and the strength of access control depend on the correctness of the access control decisions (e.g., how the security rules are configured) and the strength of access control enforcement (e.g., the design of software or hardware security).
• Nonrepudiation. System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Nonrepudiation spans both prevention and detection. It has been placed in the prevention category in this guide because the mechanisms implemented prevent the successful repudiation of an action (e.g., a digital signature is generated with the owner's private key, which is known only to the owner, while the owner's digital certificate distributes only the matching public key so that anyone can verify the signature without being able to produce it). As a result, this control is typically applied at the point of transmission or reception.
• Protected Communications. In a distributed system, the ability to accomplish security objectives is highly dependent on trustworthy communications. The protected communications control ensures the integrity, availability, and confidentiality of sensitive and critical information while it is in transit. Protected communications use data encryption methods (e.g., virtual private networks, the Internet Protocol Security [IPsec] protocol) and the deployment of cryptographic technologies (e.g., Data Encryption Standard [DES], Triple DES, RSA, MD4, MD5, the Secure Hash Standard, and escrowed encryption algorithms such as Clipper) to minimize network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping. Several algorithms in this list reflect the era of the guide: DES, MD4, and MD5 have since been broken or deprecated and should not be selected for new systems.
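As an added example (not from SP 800-30) of the enforcement described under Access Control Enforcement above, the C program below implements a small decision point that applies both a MAC rule over sensitivity labels and a DAC rule over per-object access control lists. The levels, subjects, objects and ACL entries are constructed for illustration. A request is granted only if both policies permit it, which is why a subject who appears on an object's ACL can still be refused by the label check, and why a correctly implemented enforcement mechanism is only as good as the rules configured into it.

```c
/* Reference-monitor style access check combining a MAC sensitivity-label rule
 * with a DAC access control list. Added example, not from SP 800-30; the
 * levels, subjects, objects and ACL entries are constructed for illustration. */
#include <stdio.h>
#include <string.h>

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum mode  { READ = 1, WRITE = 2 };

typedef struct { const char *name; enum level clearance; } subject_t;

#define MAX_ACL 4
typedef struct {
    const char *name;
    enum level label;                                      /* MAC sensitivity label */
    struct { const char *who; int perms; } acl[MAX_ACL];   /* DAC entries */
    int acl_len;
} object_t;

/* MAC rule (simple security property / *-property): reading requires
 * clearance >= label, writing requires clearance <= label, so information
 * cannot flow from a higher label to a lower one. */
static int mac_permits(const subject_t *s, const object_t *o, enum mode m) {
    if (m == READ)  return s->clearance >= o->label;
    if (m == WRITE) return s->clearance <= o->label;
    return 0;
}

/* DAC rule: the object's ACL must explicitly grant the requested mode.
 * No matching entry means deny. */
static int dac_permits(const subject_t *s, const object_t *o, enum mode m) {
    for (int i = 0; i < o->acl_len; i++)
        if (strcmp(o->acl[i].who, s->name) == 0 && (o->acl[i].perms & m))
            return 1;
    return 0;
}

/* Enforcement point: every request passes both policies; a single denial wins. */
int access_allowed(const subject_t *s, const object_t *o, enum mode m) {
    return mac_permits(s, o, m) && dac_permits(s, o, m);
}

/* Constructed sample subjects and objects. */
static const subject_t alice = { "alice", SECRET };
static const subject_t bob   = { "bob",   CONFIDENTIAL };

static const object_t plan = {
    "plan.doc", SECRET,
    { { "alice", READ | WRITE }, { "bob", READ } }, 2
};
static const object_t memo = {
    "memo.txt", UNCLASSIFIED,
    { { "alice", READ | WRITE } }, 1
};

int main(void) {
    /* alice is cleared for SECRET and listed on the ACL: allowed */
    printf("alice read plan:   %d\n", access_allowed(&alice, &plan, READ));
    /* bob is on the ACL, but CONFIDENTIAL < SECRET, so the MAC rule denies */
    printf("bob read plan:     %d\n", access_allowed(&bob, &plan, READ));
    /* alice writing a SECRET-cleared session into an UNCLASSIFIED object: denied (write down) */
    printf("alice write memo:  %d\n", access_allowed(&alice, &memo, WRITE));
    /* alice reading down: both rules permit */
    printf("alice read memo:   %d\n", access_allowed(&alice, &memo, READ));
    /* bob is not on memo's ACL at all: MAC permits, DAC denies */
    printf("bob read memo:     %d\n", access_allowed(&bob, &memo, READ));
    return 0;
}
```

Real systems distribute these checks across the kernel, the file system and applications, but the shape is the same: an identification step supplies the subject, a label or ACL supplies the rule, and a single enforcement function is the only path by which a subject can reach an object.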
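To make the Nonrepudiation point above concrete, here is an added example (not from SP 800-30) contrasting a digital signature, which only the holder of the private key can produce, with a message authentication code, which any holder of the shared key can produce. It uses textbook RSA with a toy 12-bit modulus and a toy polynomial hash so that it runs with plain 64-bit arithmetic; the key, the hash and the sample messages are constructed for illustration and none of them is secure.

```c
/* Nonrepudiation: a signature made with a private key only the signer holds,
 * versus a MAC made with a key the receiver also holds. Added example, not from
 * SP 800-30. Textbook RSA with a tiny modulus (n = 3233) and a toy polynomial
 * hash are used only so the arithmetic fits in 64-bit integers; both are
 * constructed for illustration and neither is secure. */
#include <stdio.h>
#include <stdint.h>

/* Toy RSA key pair: n = 61 * 53, e = 17, d = e^-1 mod (60 * 52) = 2753. */
#define RSA_N 3233ULL
#define RSA_E 17ULL      /* public exponent: anyone may verify */
#define RSA_D 2753ULL    /* private exponent: known only to the signer */

/* Toy digest in Z_n (polynomial hash, base 31). Not collision resistant. */
static uint64_t toy_hash(const char *msg) {
    uint64_t h = 0;
    for (; *msg; msg++) h = (h * 31 + (unsigned char)*msg) % RSA_N;
    return h;
}

/* Square-and-multiply modular exponentiation; operands stay below 2^12. */
static uint64_t modexp(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) r = (r * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return r;
}

/* Signing requires the private exponent d; verification uses only (e, n). */
uint64_t rsa_sign(const char *msg, uint64_t d) {
    return modexp(toy_hash(msg), d, RSA_N);
}
int rsa_verify(const char *msg, uint64_t sig) {
    return modexp(sig, RSA_E, RSA_N) == toy_hash(msg);
}

/* Toy MAC: keyed digest. Sender and receiver share the same key. */
uint64_t toy_mac(const char *msg, uint64_t key) {
    return (toy_hash(msg) * 31 + key) % RSA_N;
}
int mac_verify(const char *msg, uint64_t tag, uint64_t key) {
    return toy_mac(msg, key) == tag;
}

/* The receiver, holding only the shared MAC key, produces a tag for a message
 * the sender never sent. The tag verifies, so a MAC gives integrity between the
 * two parties but cannot prove to a third party which of them wrote the message. */
int mac_receiver_can_forge(const char *forged, uint64_t shared_key) {
    uint64_t tag = toy_mac(forged, shared_key);
    return mac_verify(forged, tag, shared_key);
}

int main(void) {
    const char *order  = "Transfer 100";   /* constructed sample messages */
    const char *forged = "Transfer 900";
    uint64_t sig = rsa_sign(order, RSA_D);

    printf("signature verifies with public key: %d\n", rsa_verify(order, sig));
    printf("same signature on altered message:  %d\n", rsa_verify(forged, sig));
    printf("receiver forges a valid MAC:        %d\n", mac_receiver_can_forge(forged, 42));
    return 0;
}
```

In practice the signer's private key stays in their possession (ideally in a hardware token) and the certificate distributes only the public key, so the verifier gains evidence of origin without gaining the ability to forge it; that asymmetry is what a shared-key MAC lacks.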