NIST 800-53 interview questions

The NIST Cybersecurity Framework summary

Why Is NIST 800-53 So Important?

NIST 800-53 is important because it was designed to keep information safe and secure for governmental agencies. Everything from global viruses to increasingly sophisticated hacking plots has made it necessary to create and implement extensive security measures. NIST 800-53 focuses on the central idea of building information systems correctly and then providing continuous monitoring. If these two basic steps are taken, risks to information systems are significantly lowered. There are several specific reasons why following the guidelines is important.

  • Complying with NIST 800-53 will also help an organization meet other compliance obligations such as FISMA.
  • Complying with NIST 800-53 advances technology and increases our overall economic security.
  • Complying with NIST 800-53 will provide exceptional security for all data and information systems within an organization.
How Do You Implement NIST 800-53?

Before knowing the requirements and how to implement them, it’s important to understand how NIST 800-53 is categorized. First, there are three different security control levels. These include the following impact levels: High Impact Baseline, Medium Impact Baseline, and Low Impact Baseline. There are also three types, and this includes the following:

  • Common – These are controls that are used throughout the company.
  • Custom – These are customized to a particular device or application.
  • Hybrid – This is a control that a company customizes for their specific organization.

The following are the specific steps that need to be taken when implementing NIST 800-53.

  • Categorize Information – What data and information needs to be secured and how should this information be organized? This is the first question an organization should ask.
  • Select Controls – This phase includes selecting different types of security for each category. The goal at this stage is to select controls that minimize risk and are as easy as possible for employees to understand and follow.
  • Implement Controls – A detailed plan should be created specifying how, when, who, etc., to put the controls into practice. This will likely be a detailed plan that everyone in management will need to be on board with.
  • Assess Controls – This step involves assessing the performance of all security controls and making any necessary changes. This step will need the advice and guidance of IT professionals.
  • Authorize Systems – Authorize assets and personnel involved in the security system. It’s important to know who in an organization should have access to each level of security and the information included at that level.
  • Monitoring – Ongoing monitoring is the last step in the process. This is not a one-time solution. Different types of monitoring will need to be put in place and then it should be determined how often each type of monitoring should occur. An accurate record-keeping and reporting system is crucial for successful monitoring.

The requirements for NIST 800-53 in these guidelines cover over 200 controls in 18 specific areas. These areas are known as “control families.” Each of the 18 families has an acronym, such as AC for Access Control and CP for Contingency Planning. According to the NIST website, the following are the 18 families and some of the control requirements in each category.

  • Access Control (AC) – There are 25 specific controls in this category. A few include providing security for information sharing, security for access control for mobile devices, security for wireless and remote access, and security for information flow enforcement.
  • Audit and Accountability (AU) – There are 16 controls in the Audit and Accountability family. These include making sure audit review, analysis, and reporting are all secure. It also includes items such as audit record retention, audit generation, and response to audit processing failures.
  • Awareness and Training (AT) – The awareness and training category has 5 controls. Privacy and security controls must be implemented for awareness training, role-based training, training records, contacts with security groups, and awareness and training policies and procedures.
  • Configuration Management (CM) – This area has 11 controls. Providing security for configuration settings, security impact analysis, user-installed software, and software usage restrictions are a few in this category.
  • Contingency Planning (CP) – Contingency planning has 13 controls that need to be secured. A few include the contingency plan, contingency training, an alternate storage site, telecommunications services, and alternate communications protocol.
  • Identification and Authentication (IA) – This control family includes 11 specific areas involving items such as identifier and authentication management, authenticator feedback, and device identification and authentication.
  • Incident Response (IR) – There are 10 privacy and security controls for this section. Security and privacy must be met for incident response training, testing, handling, monitoring, and reporting.
  • Maintenance (MA) – There are 6 maintenance controls that must be secured. These include policies and procedures, controlled maintenance, maintenance tools, nonlocal maintenance, maintenance personnel, and timely maintenance.
  • Media Protection (MP) – Security and privacy for media protection lists 8 controls. A few include media access, storage, sanitization, media use, and media downgrading.
  • Personnel Security (PS) – There are 8 controls in this section. These include security processes involved in screening, designation, transfer, and termination of employees. It also includes access agreements, third-party personnel, and personnel sanctions.
  • Physical and Environmental Protection (PE) – There are 20 control obligations that fall under this section. A few include security plans surrounding the potential need for emergency power and lighting, water damage and fire protection, visitor controls, and all visitor access records.
  • Planning (PL) – Planning has 9 controls. An organization needs to provide security and privacy controls for sections such as systems security plans, rules of behavior, privacy assessments, and central management.
  • Program Management (PM) – The program management family lists 16 controls that need securing. A few of these include information security resources, critical infrastructure plan, risk management strategy, and threat awareness program.
  • Risk Assessment (RA) – This section has 6 controls. A few include risk assessment, security categorization, risk assessment update, and vulnerability scanning.
  • Security Assessment and Authorization (CA) – There are 9 controls in this family. This would include creating and implementing security assessments, determining the effectiveness of security controls, and assigning roles in the process.
  • System and Communications Protection (SC) – There are 44 security and privacy controls for this section. A few of the specific areas that are covered include cryptographic protection, application partitioning, and information in shared resources.
  • System and Information Integrity (SI) – This section has 17 controls. Flaw remediation, malicious code protection, spam protection, error handling, and information output filtering are a few that need privacy and security controls provided.
  • System and Services Acquisition (SA) – This family of controls has 22 specific control areas. Security and privacy controls need to be in place for areas such as developer-provided training, customized development of critical components, security engineering principles, and user-installed software.

Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers information security, tech and finance, consumer privacy, and B2B digital marketing. You can see his writing portfolio on https://josueledesma.com/Writing-Portfolio

How much does an AWS Cloud Architect make in Boston, Massachusetts?

As of Sep 8, 2022, the average annual pay for an AWS Cloud Architect in Boston is $147,784 a year. Just in case you need a simple salary calculator, that works out to be approximately $71.05 an hour. This is the equivalent of $2,842/week or $12,315/month.

While this site is seeing salaries as high as $234,097 and as low as $21,477, the majority of AWS Cloud Architect salaries currently range between $147,116 (25th percentile) and $178,794 (75th percentile), with top earners (90th percentile) making $208,862 annually in Boston.

The average pay range for an AWS Cloud Architect varies greatly (by as much as $31,678), which suggests there may be many opportunities for advancement and increased pay based on skill level, location and years of experience.

Based on recent job postings on this site, the AWS Cloud Architect job market in both Boston, MA and the surrounding area is very active.

FAQ

What is the difference between NIST 800-53 and 800?

NIST 800-53 is a cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology. It’s a continuously updated framework that tries to flexibly define standards, controls, and assessments based on risk, cost-effectiveness, and capabilities.

What is the difference between NIST 800-53 and CSF?

The main difference between the two is that NIST 800-171 relates to non-federal systems and organizations, while NIST 800-53 is for federal organizations.

What are the NIST 800 standards?

NIST CSF provides a flexible framework that any organization can use for creating and maintaining an information security program. NIST 800-53 and NIST 800-171 provide security controls for implementing NIST CSF. NIST 800-53 aids federal agencies and entities doing business with them to comply as required with FISMA.