Selecting Security and Privacy Controls: Choosing the Right Approach
Recently, NIST published a significant update to its flagship security and privacy controls catalog, Special Publication 800-53, Revision 5. This update created a set of next generation controls to help protect organizations, assets, and the privacy of individuals—and equally important—manage cybersecurity and privacy risks. So now that the publication is here, how should you use this extensive catalog of controls that covers everything from multifactor authentication to incident response? How do you select the right controls for your organization and the associated security and privacy programs that support the organization? How do you know when you have an adequate level of protection? How do you effectively manage security and privacy risks?
To answer those questions, it always helps to select your controls with the help of a risk management framework or a life cycle-based systems engineering process. Both provide disciplined and structured approaches for defining security and privacy requirements in the context of organizational missions and business functions and for achieving risk-based solutions that satisfy those requirements. In this article, we will be focusing on the NIST Risk Management Framework (RMF) and the different approaches organizations can use to effectively select their security and privacy controls from the control catalog.