Risk Control Families & additional resources
NIST Special Publication 800-53 control families
Information security standards exist to bring structure to the design of IT security controls and discipline to how organizations manage them. The National Institute of Standards and Technology (NIST) develops frameworks that establish a common set of standards, objectives, and language so that organizations across industries can align their practices. This common framework is anchored by the Risk Control Families and the information gathered to support each of them.
Risk Control Families
Below you will find all Risk Control Families as defined by NIST. As you open each family, you will see several questions that you could be expected to answer for that area. This is not an all-inclusive list: the actual risk assessment will take your specific use case into consideration and ask questions based on your needs.
Campus risk executives
Additional resources
Each of these resources can offer guidance and detail to assist in the formation of your security posture within your school/college/division.
UW–Madison’s approach to risk management is based on the National Institute of Standards and Technology Risk Management Framework.

- Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
- Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
- Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
Below are examples of significant changes that may require an additional risk review. These examples reflect what is considered a significant change campus-wide; departments may define significant change differently, and we encourage you to seek assistance in those cases.
- Changes to privileged personnel
- Movements of servers
- Changes in data classification
- Permission changes
- Enabling components or features
- Changes in data flow