Information security frameworks

The following is a selection of information security frameworks that you can use to inform your security control selection decisions:

Based on the analysis that you conducted as part of the information categorization step, you will now be able to develop the baseline set of controls for your information system:

  1. Apply the appropriate baseline set of controls based on the high watermark value derived from the information categorization step.
  2. Tailor the controls that you have selected:
    • Common controls: You do not always need to implement a security control in your environment yourself. For example, if the network team has already implemented a specific control on your network, you do not need to re-apply the control. You do, however, need to ensure that the common control is in place and maintained, as this common control ensures the security of your data.
    • Scoping considerations: Does a control baseline have a requirement for wireless networking? What if your information system does not implement wireless networking? This would be an example where you would scope out this requirement as it would not be applicable.
    • Compensating controls: You are not always able to implement a security control as intended. Sometimes implementing a security control will render the information system unusable. The implementation of compensating controls ensures that necessary security functionality is added to the information system that makes up for the loss of the security control that cannot be implemented.
    • Additional security controls: Your security control baseline may not be the only place that you are pulling security controls from. You may have additional compliance requirements depending on your organization's mission. You may have established controls that are specific to your organization. In this case, you add in these security controls now.
  3. Develop a security control package for your information system that ensures the security controls are:
    • Included as requirements, as part of information system planning
    • Architected as part of the system design
    • Integrated as part of system implementation
    • Tested as part of system acceptance
    • Monitored for the life of the system
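The three steps above, carried through as a small added example (not from the original text): the high watermark picks the baseline, each tailoring decision is applied with its justification recorded, and the result is the control package. The control identifiers borrow NIST SP 800-53 family naming, but the baseline membership shown here is constructed for illustration and is not the real SP 800-53 baseline.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Constructed illustrative baselines (assumption: NOT the real SP 800-53 baselines).
# Control IDs borrow SP 800-53 naming; each level is a superset of the one below.
BASELINES = {
    "low": {"AC-2", "AC-18", "AU-2", "SC-7"},
    "moderate": {"AC-2", "AC-18", "AU-2", "SC-7", "SC-8", "IA-2"},
    "high": {"AC-2", "AC-18", "AU-2", "SC-7", "SC-8", "IA-2", "SC-28"},
}

def high_watermark(confidentiality, integrity, availability):
    """The highest of the three impact levels selects the baseline (step 1)."""
    return max((confidentiality, integrity, availability), key=LEVELS.__getitem__)

@dataclass
class Tailoring:
    common: dict        # control -> provider already implementing it (inherited, still verified)
    scoped_out: dict    # control -> justification for why it does not apply
    compensating: dict  # control -> compensating control implemented in its place
    additional: set     # organisation- or compliance-specific controls beyond the baseline

def tailor(baseline, t):
    """Apply step 2 and return the control package (step 3) with every decision recorded."""
    for ctl, why in {**t.scoped_out, **t.compensating}.items():
        if not why:  # a scoping or compensating decision without a rationale is not auditable
            raise ValueError(f"{ctl}: tailoring decision needs a justification")
    pkg = {"implement": set(), "inherited": {}, "scoped_out": {}, "compensated": {}}
    for ctl in baseline | t.additional:
        if ctl in t.scoped_out:
            pkg["scoped_out"][ctl] = t.scoped_out[ctl]
        elif ctl in t.common:
            pkg["inherited"][ctl] = t.common[ctl]  # confirm it is in place and maintained
        elif ctl in t.compensating:
            pkg["compensated"][ctl] = t.compensating[ctl]
            pkg["implement"].add(t.compensating[ctl])
        else:
            pkg["implement"].add(ctl)
    return pkg

def build_package(confidentiality, integrity, availability, t):
    """Steps 1 to 3 end to end: returns the selected level and the tailored package."""
    level = high_watermark(confidentiality, integrity, availability)
    return level, tailor(BASELINES[level], t)
```

A system categorized low/moderate/high therefore lands on the high baseline, and a scoping decision such as "no wireless networking" only stands if the justification is recorded alongside it.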

NIST Special Publication 800-37 Revision 1, Chapter Three, provides further guidance on the topic of security control selection at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf.
