Procedural controls refer to the procedures performed by individuals. They are often detailed in written documents that an organization uses for security. Procedural controls are directives from senior management on how to address security within the organization. Previous versions of NIST SP 800-53 referred to these controls as administrative controls.
The following sections provide examples of some of the common procedural controls in these categories:
Policies and procedures are written documents that provide guidelines and rules for an organization. An organization will typically have several policies and procedures. A policy is a high-level document that provides overall direction without details. A procedure provides the detailed steps needed to implement a policy.
Policies have widespread application. They identify the direction management wants to take on a specific topic, meaning they document high-level management decisions. Personnel within the organization can then take steps to implement the policy. Policies also provide authority. This authority can be used to purchase resources in support of a policy. Without the policy in place, a purchase may be more difficult to justify.
Procedural controls must have support from senior management. If management doesn’t support the guidelines, their lack of support will soon become apparent to employees. The organization will have two sets of policies: one that is the written set of policies and the other that is the unwritten set of policies that everyone follows.
For example, a backup policy would identify what data needs to be backed up, based on its value. The data could include user data, databases, application data on servers, and more. The backup policy would also identify storage and retention requirements. It would specify that copies of backups be stored in a separate location, which provides protection against a disaster, such as a fire.
A backup policy would include a retention policy, which identifies how long backups are to be retained. For example, the retention policy might specify that some data be retained for three years and other data be retained for only 30 days. Again, the choices are dependent on management decisions, which are documented in the written policy.
With a backup policy in place, the department responsible for backing up the data can purchase resources to implement the policy. These resources include tape drives, tapes, and software. Backups can get expensive; without a backup policy in place, sometimes managers balk at the cost.
Procedures are narrower in scope and more task oriented than policies. They identify specific steps needed to implement a policy. Any policy could have multiple procedures.
For example, a backup policy would state that backups need to be performed but not how to perform them. Procedures, on the other hand, state how to perform the backups. Separate procedures could be created for backing up user data, databases, and other application data and transferring tapes to an off-site location.
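The following Python script is an added illustration, not part of the book, of how a written retention policy becomes a repeatable procedure. The retention periods, the data classes, and the backup naming scheme (`<data-class>-<YYYYMMDD>.tar`) are constructed assumptions; a real procedure would take them from the organization's own policy document.

```python
"""Added example (not from the book): applying a retention policy to a set
of backups. RETENTION_DAYS and the file naming scheme are assumptions."""
from datetime import date, timedelta

# Constructed retention policy: days each class of backup is kept.
RETENTION_DAYS = {
    "user-data": 30,
    "database": 3 * 365,
    "app-data": 90,
}


def parse_backup_name(name):
    """Return (data_class, backup_date) for a name like 'database-20240115.tar'."""
    stem = name.rsplit(".", 1)[0]
    data_class, _, stamp = stem.rpartition("-")
    if data_class not in RETENTION_DAYS or len(stamp) != 8 or not stamp.isdigit():
        raise ValueError(f"backup name does not match a policy data class: {name}")
    return data_class, date(int(stamp[:4]), int(stamp[4:6]), int(stamp[6:]))


def expired_backups(names, today, keep_latest=True):
    """Return the backups whose retention period has lapsed.

    With keep_latest=True the newest copy of each data class is never
    reported, so a class that has not been backed up recently still keeps
    at least one restorable copy rather than losing it to the schedule.
    """
    parsed = [(name, *parse_backup_name(name)) for name in names]
    newest = {}
    for name, data_class, made in parsed:
        if data_class not in newest or made > newest[data_class][1]:
            newest[data_class] = (name, made)
    expired = []
    for name, data_class, made in parsed:
        if keep_latest and newest[data_class][0] == name:
            continue
        if today - made > timedelta(days=RETENTION_DAYS[data_class]):
            expired.append(name)
    return expired


# Constructed sample inventory of backup tapes and a fixed "today".
SAMPLE_BACKUPS = [
    "user-data-20240101.tar",
    "user-data-20240325.tar",
    "database-20200101.tar",
    "app-data-20240301.tar",
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for name in expired_backups(SAMPLE_BACKUPS, TODAY):
        print("eligible for disposal:", name)
```

The `keep_latest` safeguard is the kind of exception a procedure should spell out: the policy says how long to retain, but the procedure must also say what happens when the only remaining copy of a data class is older than the retention period.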
Examples of policies might be:
Examples of procedures might be:
Organizations create separate security plans to address different scenarios. Many of the security plans are common to most organizations. This section covers the following security plans found in many organizations:
A business continuity plan (BCP) is a comprehensive plan that helps an organization prepare for different types of emergencies. It ensures that mission-critical functions continue to operate even after a disaster has struck.
A BCP often starts with a business impact analysis (BIA). The BIA identifies the critical functions and then documents how to keep those functions operating during a disaster.
A disaster recovery plan (DRP) provides the details for recovering one or more systems after a disaster. Sometimes, DRPs and BCPs are considered the same thing. However, they are different. The BCP keeps the critical functions running during a disaster, whereas the DRP has a narrower focus and identifies how to recover a system.
For example, a BCP might identify how an organization responds to a threatening hurricane, such as moving critical functions to an alternate location. After the hurricane has passed, the DRP identifies how the organization should recover its systems. For example, flooding may have destroyed several servers. The DRP identifies how these servers can be recovered. The BCP would also identify how the critical functions are returned to normal operation after the DRP has recovered them.
A backup plan, which is derived from a backup policy, is often included as part of a DRP. Data can’t be recovered after a disaster unless it previously has been backed up.
The backup policy identifies data valuable to the organization and specifies storage and retention requirements. The backup plan includes procedures identifying how this data can be backed up because not all data is backed up the same way.
User data is simple to back up if the data is stored centrally. Often, an organization will require users to store their data on a central server, and the backup plan documents this requirement. Administrators then back up the data on the server. Backing up data on each individual user system is almost impossible.
Databases hosted on database servers require dedicated software to back them up. The same software can’t be used to back up both user data and databases. Additionally, many other server applications, such as email servers, require dedicated backup software.
Backup plans also identify how to perform test restores, which verify that backed-up data can be restored. Many horror stories tell of how an organization regularly went through the motions to back up its data but, when the data needed to be restored, technicians discovered that none of the backups were usable. A test restore simply restores a backup tape to ensure the backup is valid.
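As an added example that is not from the book, the Python script below shows what a test restore can check mechanically: the backup embeds a manifest of SHA-256 hashes when it is written, and the restore procedure extracts the archive into a scratch directory and compares every file against that manifest. The sample files, the archive layout, and the `MANIFEST.json` name are constructed for the illustration.

```python
"""Added example (not from the book): a backup with an embedded hash
manifest and a test restore that proves the archive is usable.
Sample data is constructed below; the MANIFEST.json name is an assumption."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST = "MANIFEST.json"  # assumed name of the hash list stored in each archive


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and embed a manifest mapping relative path -> SHA-256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for fn in sorted(files):
                full = os.path.join(root, fn)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def _safe(rel):
    # Refuse absolute paths and parent-directory components from the archive.
    return not os.path.isabs(rel) and ".." not in rel.split("/")


def verify_restore(archive_path):
    """Restore into a scratch directory and check every file in the manifest.
    Returns (ok, problems); problems lists missing or corrupted entries."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            members = [m for m in tar.getmembers() if m.isfile() and _safe(m.name)]
            tar.extractall(scratch, members=members)
        manifest_path = os.path.join(scratch, MANIFEST)
        if not os.path.isfile(manifest_path):
            return False, ["manifest missing"]
        with open(manifest_path) as f:
            manifest = json.load(f)
        for rel, digest in manifest.items():
            if not _safe(rel):
                problems.append(f"unsafe path: {rel}")
                continue
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupted: {rel}")
    return not problems, problems


def drop_member(src_archive, dst_archive, name):
    """Copy an archive while leaving one member out (simulates a damaged tape)."""
    with tarfile.open(src_archive, "r:gz") as src, tarfile.open(dst_archive, "w:gz") as dst:
        for m in src.getmembers():
            if m.name != name:
                dst.addfile(m, src.extractfile(m))


def demo():
    """Build constructed sample data, back it up, and test-restore a good and a damaged copy."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "users")
        os.makedirs(os.path.join(src, "alice"))
        with open(os.path.join(src, "alice", "notes.txt"), "w") as f:
            f.write("quarterly report draft\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")
        good = os.path.join(work, "users-good.tar.gz")
        bad = os.path.join(work, "users-bad.tar.gz")
        make_backup(src, good)
        drop_member(good, bad, "alice/notes.txt")
        return verify_restore(good), verify_restore(bad)


if __name__ == "__main__":
    print(demo())
```

Restoring into a scratch directory rather than over production data is deliberate: a test restore must not be able to damage the live system it is meant to protect, and the manifest turns "the tape read without errors" into "every file the policy said to back up came back intact".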
An incident response plan documents how an organization should respond to a security incident. The organization could have multiple incident response plans, depending on the complexity of the organization.
A security incident is any incident that affects the confidentiality, integrity, or availability of systems or data. Security incidents occur when a threat exploits a vulnerability.
For example, a system is infected with malware. The organization’s plan could be to take the following steps in response to an infection:
A more complicated problem may occur from a denial of service (DoS) attack on a server, which would require a response from an administrator or security professional. Once the incident has been verified, the administrator could then take steps to isolate the incident and then protect any evidence about the attack.
A risk can be avoided, shared or transferred, mitigated, or accepted. In cases where the likelihood of damage is very low and the impact is very high, organizations often choose to share or transfer the risk. The primary way the risk is shared or transferred is by the organization’s purchasing of insurance.
Most insurance policies specify shared responsibilities between the insurance company and the customer. For example, fire insurance typically covers most but not all damage from fire. It also requires customers to take reasonable precautions to prevent fires. In some cases, the entire risk can be transferred with an insurance policy.
Many types of insurance can be purchased. The goal is to protect a company from a loss. If the risk occurs, the insurance helps pay for the loss, which keeps the risk from bankrupting the company.
Some types of insurance, such as fire and flood insurance, are obvious. Other types of insurance deserve an explanation.
Business interruption insurance can be purchased as an add-on to some policies. For example, a company may add business interruption insurance onto a fire insurance policy. If a fire occurs and the company can’t operate normally, the insurance pays for losses until the company opens up again. This insurance usually covers operational expenses, such as rental of equipment, and would also pay for profits that the company would have normally earned.
Errors and omissions insurance, also known as professional liability insurance, is valuable if a company supplies services to other companies. For example, imagine a company performs maintenance on a customer’s servers. In the process of performing the maintenance, the technician accidentally plugs in a power supply the wrong way and ruins the server. The customer may take the company to court. This insurance will provide protection.
Similarly, a company may provide consultants to customers. A consultant may help a customer create a backup plan but forget to include off-site storage. Because the consultant is the expert, this is a glaring omission. If the customer suffers a fire and loses all the backups for the organization, the company may sue. Again, the errors and omissions insurance provides protection.
Bonding is a type of insurance that covers against losses by theft, fraud, or dishonesty. A person covered by bonding insurance is referred to as being bonded. Organizations purchase bonding insurance when required by law and to provide a level of security to their customers.
For example, a company provides IT support to customers at their homes. Bonding insurance could be purchased to cover the technicians. If a technician in the company steals from a customer while performing the service, the bonding company would pay for the loss. Bonding insurance is often very narrow. For example, the insurance may not pay unless the employee has been tried and convicted of the theft. Instead of pursuing a conviction against the employee, the customer may just sue the company.
Many organizations perform background and financial checks on prospective employees, which are completed before the employee is hired.
Background checks commonly include police and FBI checks, which will identify any criminal behavior on the part of a prospective employee. Past mistakes won’t automatically stop someone from being hired. However, there are times when past convictions are relevant.
A truck driver is unlikely to be hired if he has a reckless driving conviction on his record. Similarly, an administrator is unlikely to be hired if she’s recently been convicted of theft. A shoplifting conviction is enough to prevent a company from hiring an employee in a position of trust.
Most companies also complete financial checks for prospective employees. A person with a poor credit rating may be viewed suspiciously. Employers wonder whether the poor credit rating is a reflection of responsibility and accountability. If a person ignores his or her debts, does that imply irresponsibility on the job?
Today, Internet resources are commonly included in background investigations, which include simple Google or Facebook searches. A person who has fanatically ranted on a topic may be viewed as problematic. More than anything, companies want employees who can work well with others. Someone who has a Facebook page filled with attacks on others may be bypassed for someone who has never had a Facebook page.
A data loss prevention program helps a company prevent data loss. Data loss can be viewed in one of two ways:
An organization can protect against loss of confidentiality using two methods. One method is using access controls. Authentication methods identify and verify users. Permissions then grant authorization to access resources. The principle of least privilege ensures that users have access to only the resources they need and no more.
The other method of protection against loss of confidentiality is encryption. Data can be encrypted while it’s at rest or being transferred. At-rest data is any data that is stored on media, such as a hard drive or USB flash drive. Data can also be encrypted when it’s transferred over a network.
The actual methods used to protect against loss of data are technical controls. However, the program that identifies which data to protect is a procedural control.
A data loss prevention program identifies the data that is valuable to an organization. Data can be classified as public, private, or proprietary. The data loss prevention program would then specify the importance of data in each of these categories and would also specify whether the organization wants to protect against loss of confidentiality, loss due to corruption, or both.
An organization can have the best documented security controls on the planet. However, if the employees don’t know what they are or how to implement them, the controls simply aren’t effective. Education, training, and awareness controls ensure that employees understand why security controls matter, know how to implement them, and are aware of the organization’s security standards.
Awareness programs are generic and apply to all personnel. They use different techniques to inform and remind people about security, and they try to have users personalize security. In other words, instead of security being someone else’s responsibility, users recognize that security is everyone’s responsibility, including theirs. Some examples of how awareness can be raised include:
Training is provided for different audiences. Some training is generic and for all personnel. For example, all users should be educated on social engineering tactics. Other training is specialized and targeted at specific groups. For example, training on how to maintain a specific firewall is provided to the administrators who will maintain it. Specific security professionals are trained on how to run and interpret vulnerability scans.
Education generally focuses on the risk of not protecting the organization. It applies to organizational executives and attempts to do a cost-benefit analysis of security controls, standards, and practices.
Rules of behavior let users know what they can and cannot do with systems. Users read this document before being granted access to a system and are often required to sign a document indicating that they have read and understand the rules of behavior.
The Office of Management and Budget (OMB) mandates the use of rules of behavior for agencies under OMB jurisdiction. These rules are documented in OMB Circular A-130, Appendix III, which also references the rules of behavior control documented in SP 800-53.
Some common elements in a rules of behavior document are:
NIST published SP 800-50, Building an Information Technology Security Awareness and Training Program, in 2003. It provides details on how to design, develop, and implement an awareness and security training program.
Rules of behavior are called an acceptable use policy (AUP) in some organizations. Most private organizations use an AUP. The purpose of rules of behavior and an AUP is the same.
This list isn’t all-inclusive. An organization will include the information necessary to ensure that users understand what is expected of them. Some organizations limit this information to a single page, and other organizations make this list longer.
An organization that develops software should take the time to test it, and it should have a policy that mandates software testing. The primary reason to test the software is to reduce the number of undiscovered bugs in the software.
A 2017 study from Tricentis reported annual losses from software failures to be in the $1.7 trillion range. The Consortium for IT Software Quality (CISQ) put its 2018 estimate at roughly $1.1 trillion. These numbers reflect the growing need for and importance of software quality checks through testing.
The types of software testing performed are technical controls. For example, data range and reasonableness checks could be performed. However, creating a policy requiring software testing is the place to start.
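The Python code below is an added example, not from the book, of the data range and reasonableness checks mentioned above, written as a function so that a testing policy can require unit tests to cover it. A range check rejects values that are impossible; a reasonableness check flags values that are legal but unlikely enough to deserve review. The timesheet fields and all of the limits are constructed for the illustration.

```python
"""Added example (not from the book): range and reasonableness checks on an
input record. Field names and limits are constructed assumptions."""
from datetime import date

# Constructed limits. A range check has hard bounds; a reasonableness
# check marks values that are legal but unlikely and should be reviewed.
HOURS_RANGE = (0, 24)          # hours worked in one day cannot exceed 24
HOURS_REASONABLE = 16          # above this is legal but suspicious
MAX_CLAIM_CENTS = 10_000_00    # hard cap on a single expense claim
STALE_DAYS = 90                # entries older than this are unusual


def check_timesheet(entry, today):
    """Return a list of (severity, message); an empty list means the entry passes.
    'error' findings fail the record; 'warning' findings route it for review."""
    findings = []
    try:
        hours = float(entry.get("hours", ""))
    except (TypeError, ValueError):
        return [("error", "hours is not numeric")]
    lo, hi = HOURS_RANGE
    if not lo <= hours <= hi:
        findings.append(("error", f"hours {hours} outside {lo}-{hi}"))
    elif hours > HOURS_REASONABLE:
        findings.append(("warning", f"hours {hours} exceeds reasonable limit {HOURS_REASONABLE}"))

    work_date = entry.get("work_date")
    if not isinstance(work_date, date):
        findings.append(("error", "work_date missing or not a date"))
    elif work_date > today:
        findings.append(("error", "work_date is in the future"))
    elif (today - work_date).days > STALE_DAYS:
        findings.append(("warning", f"work_date is more than {STALE_DAYS} days old"))

    claim = entry.get("claim_cents", 0)
    if not isinstance(claim, int) or isinstance(claim, bool):
        findings.append(("error", "claim_cents is not an integer"))
    elif claim < 0 or claim > MAX_CLAIM_CENTS:
        findings.append(("error", f"claim_cents {claim} outside 0-{MAX_CLAIM_CENTS}"))
    elif hours == 0 and claim > 0:
        findings.append(("warning", "expense claimed on a day with no hours worked"))
    return findings


def run_checks(records, today):
    """Check every record and return the findings for each, in order."""
    return [check_timesheet(r, today) for r in records]


# Constructed sample input covering a clean record and each failure mode.
TODAY = date(2024, 4, 1)
SAMPLE = [
    {"hours": 8, "work_date": date(2024, 3, 29), "claim_cents": 2500},
    {"hours": 30, "work_date": date(2024, 3, 29), "claim_cents": 0},
    {"hours": 18, "work_date": date(2024, 5, 1), "claim_cents": 0},
    {"hours": "eight", "work_date": date(2024, 3, 29), "claim_cents": 0},
    {"hours": 0, "work_date": date(2023, 12, 1), "claim_cents": 5000},
]

if __name__ == "__main__":
    for i, findings in enumerate(run_checks(SAMPLE, TODAY)):
        print(i, findings or "ok")
```

Separating errors from warnings matters for the policy: a hard range violation can be rejected automatically, whereas a reasonableness finding is a judgment call that the procedure should route to a person rather than silently discard.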