Security and Privacy Controls and Requirements
Security and Privacy Controls and Requirements form a critical foundation within Governance, Risk and Compliance (GRC) programs, serving as the mechanisms through which organizations protect their information assets and ensure regulatory adherence. Security controls are safeguards or countermeasures implemented to protect the confidentiality, integrity, and availability (CIA triad) of information systems and data. These controls are categorized into three types: administrative (policies, procedures, training), technical (encryption, firewalls, access controls), and physical (locks, surveillance, environmental controls). Privacy controls specifically address the collection, use, storage, sharing, and disposal of personally identifiable information (PII) in compliance with applicable regulations. Requirements originate from multiple sources including regulatory frameworks (GDPR, HIPAA, CCPA), industry standards (ISO 27001, NIST SP 800-53, PCI DSS), contractual obligations, and organizational policies. These requirements define the minimum baseline of controls an organization must implement to achieve compliance and manage risk effectively. A robust GRC program maps these requirements across applicable frameworks to identify overlapping controls, reducing redundancy and improving efficiency. This process, known as control harmonization, enables organizations to satisfy multiple regulatory obligations simultaneously. Control implementation follows a lifecycle approach: identifying applicable requirements, designing appropriate controls, implementing them, testing their effectiveness, and continuously monitoring performance.
Organizations must conduct regular assessments, including gap analyses and audits, to ensure controls remain effective and aligned with evolving threats and regulatory changes. Key principles include the concept of least privilege, defense in depth, separation of duties, and privacy by design. Organizations must also maintain documentation demonstrating control implementation and effectiveness for audit purposes. Risk assessment plays a vital role in determining which controls to prioritize, as organizations must balance security investments against identified risks. Residual risk—the risk remaining after controls are applied—must fall within the organization's defined risk appetite. Ultimately, security and privacy controls and requirements ensure organizations maintain a defensible, compliant posture while protecting stakeholder interests and sensitive information assets.
Security and Privacy Controls and Requirements: A Comprehensive Guide for CGRC Exam Preparation
Introduction to Security and Privacy Controls and Requirements
Security and Privacy Controls and Requirements form the backbone of any organization's governance, risk, and compliance (GRC) strategy. Understanding this topic is critical not only for real-world cybersecurity practice but also for passing the CGRC (Certified in Governance, Risk and Compliance) exam. This guide provides a thorough breakdown of what security and privacy controls and requirements are, why they matter, how they work, and how to approach exam questions on this topic.
Why Security and Privacy Controls and Requirements Are Important
Security and privacy controls and requirements are important for several key reasons:
1. Protection of Sensitive Data: Organizations handle vast amounts of sensitive information, including personally identifiable information (PII), protected health information (PHI), financial data, and intellectual property. Controls ensure this data is safeguarded against unauthorized access, modification, or destruction.
2. Regulatory and Legal Compliance: Laws and regulations such as FISMA, HIPAA, GDPR, PCI DSS, and others mandate specific security and privacy requirements. Failure to comply can result in significant fines, legal action, and reputational damage.
3. Risk Management: Controls are the primary mechanism through which organizations mitigate identified risks. Without properly selected and implemented controls, risk management becomes theoretical rather than practical.
4. Trust and Assurance: Stakeholders, customers, partners, and regulators need assurance that an organization can protect information. Demonstrable controls provide that assurance.
5. Business Continuity: Properly implemented security controls help ensure that systems remain operational and resilient against threats, supporting the organization's mission and business objectives.
6. Accountability and Governance: Controls and requirements establish clear expectations and accountability across the organization, ensuring everyone understands their role in protecting information assets.
What Are Security and Privacy Controls and Requirements?
Security Controls are safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability (CIA) of information and the system itself. They can be technical, operational, or managerial in nature.
Privacy Controls are administrative, technical, and physical safeguards employed within an organization to ensure compliance with applicable privacy requirements and to manage privacy risks. They specifically address the collection, use, retention, disclosure, and disposal of personally identifiable information (PII).
Requirements refer to the specific obligations imposed by laws, regulations, standards, policies, contracts, or organizational directives that dictate what controls must be in place and how they must perform.
Key Frameworks and Standards
Several frameworks define security and privacy controls and requirements:
• NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations): This is the most comprehensive catalog of security and privacy controls used primarily by U.S. federal agencies but widely adopted across private industry. It organizes controls into 20 families, such as Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), System and Communications Protection (SC), and Personally Identifiable Information Processing and Transparency (PT).
• NIST Risk Management Framework (RMF) — SP 800-37: This framework provides the structured process for selecting, implementing, assessing, and monitoring security and privacy controls. The RMF steps are: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
• FIPS 199 and FIPS 200: FIPS 199 establishes standards for categorizing information and information systems by security impact levels (low, moderate, high). FIPS 200 specifies minimum security requirements for federal information systems based on those categorizations.
• NIST SP 800-53B: Provides control baselines (low, moderate, high) that serve as the starting point for control selection based on the system's categorization.
• ISO/IEC 27001 and 27002: International standards that provide requirements for an Information Security Management System (ISMS) and a code of practice for information security controls, respectively.
• NIST Privacy Framework: Complements the Cybersecurity Framework and focuses on managing privacy risk.
How Security and Privacy Controls and Requirements Work
The lifecycle of security and privacy controls follows a structured process, most commonly described through the NIST RMF:
Step 1: Prepare
The organization establishes the context and priorities for managing security and privacy risk. This includes identifying key stakeholders, defining organizational risk tolerance, establishing a risk management strategy, and developing organization-wide tailoring guidance for control baselines.
Step 2: Categorize
Information and information systems are categorized based on the potential impact of a security breach on confidentiality, integrity, and availability. This is done using FIPS 199 guidance. The categorization determines the security impact level, which directly influences which control baseline applies.
The categorization formula is:
SC (information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
The highest impact value among the three becomes the system's overall categorization (high-water mark approach).
Step 3: Select Controls
Based on the categorization, an initial set of controls (baseline) is selected from NIST SP 800-53B. This baseline is then tailored through:
• Common controls: Controls provided by the organization that are inherited by multiple systems.
• System-specific controls: Controls specific to a particular system.
• Hybrid controls: Controls that are partially inherited and partially system-specific.
• Tailoring: Adjusting the baseline by scoping, compensating, or supplementing controls based on specific risk factors, organizational policies, and environmental considerations.
• Overlays: Specialized sets of controls for particular technologies, environments, or communities of interest.
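As an added illustration of Steps 2 and 3 (and of the Control Baselines and Tailoring section later in this guide), the following Python is not code from NIST or from this guide; it computes the FIPS 199 high-water mark, pulls the matching baseline from a small catalog, and records each tailoring decision named above (common, hybrid, scoping, compensating, organization-defined parameters, supplementation) in the form an SSP would need. The control identifiers are SP 800-53 identifiers, but which baseline each sits in, and every justification string, is constructed for the example and is not a statement about the real SP 800-53B baselines.

```python
from dataclasses import dataclass, field

# Ordinal ranking of the FIPS 199 impact levels.
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}


def categorize(confidentiality, integrity, availability):
    """FIPS 199: SC = {(C, impact), (I, impact), (A, impact)}.
    The overall level is the highest of the three (high-water mark)."""
    sc = {"confidentiality": confidentiality,
          "integrity": integrity,
          "availability": availability}
    for objective, level in sc.items():
        if level not in IMPACT_ORDER:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
    overall = max(sc.values(), key=IMPACT_ORDER.__getitem__)
    return sc, overall


# Constructed toy catalog: control id -> lowest baseline that includes it.
# A real SP 800-53B baseline has hundreds of entries; membership here is
# illustrative only.
CATALOG = {
    "AC-2": "low",          # Account Management
    "AU-2": "low",          # Event Logging
    "IA-2": "low",          # Identification and Authentication (Users)
    "PE-3": "low",          # Physical Access Control
    "SC-7": "low",          # Boundary Protection
    "AC-2(1)": "moderate",  # Automated account management
    "SC-8": "moderate",     # Transmission Confidentiality and Integrity
    "SC-28": "moderate",    # Protection of Information at Rest
    "AU-6(1)": "moderate",  # Automated audit record review
    "AC-2(12)": "high",     # Account monitoring for atypical usage
}


def select_baseline(overall):
    """Initial baseline: every control at or below the system's level."""
    rank = IMPACT_ORDER[overall]
    return sorted(c for c, b in CATALOG.items() if IMPACT_ORDER[b] <= rank)


@dataclass
class Tailoring:
    common: set = field(default_factory=set)          # inherited from a provider
    hybrid: set = field(default_factory=set)          # partly inherited
    scoped_out: dict = field(default_factory=dict)    # id -> justification
    compensating: dict = field(default_factory=dict)  # id -> alternative control
    parameters: dict = field(default_factory=dict)    # id -> org-defined value
    supplemental: set = field(default_factory=set)    # added after risk assessment


def tailor(baseline, t):
    """Apply the tailoring decisions; return the control set for the SSP.
    Scoped-out controls stay in the record with their justification, and a
    compensating control is attached to the original rather than replacing it."""
    plan = {}
    for cid in sorted(set(baseline) | t.supplemental):
        if cid in t.scoped_out:
            plan[cid] = {"status": "not applicable",
                         "justification": t.scoped_out[cid]}
            continue
        entry = {"status": "selected"}
        entry["implementation"] = ("common" if cid in t.common
                                   else "hybrid" if cid in t.hybrid
                                   else "system-specific")
        if cid in t.compensating:
            entry["compensating"] = t.compensating[cid]
        if cid in t.parameters:
            entry["parameter"] = t.parameters[cid]
        if cid in t.supplemental and cid not in baseline:
            entry["source"] = "supplemental"
        plan[cid] = entry
    return plan


def example():
    """Constructed walk-through: a moderate-confidentiality system."""
    sc, overall = categorize("moderate", "low", "low")   # high-water mark: moderate
    baseline = select_baseline(overall)
    t = Tailoring(
        common={"PE-3"},            # data center provides physical access control
        hybrid={"AU-2"},            # central log platform plus system-local event selection
        scoped_out={"SC-8": "constructed: system has no network interfaces"},
        compensating={"SC-28": "constructed: field-level tokenization of PII "
                               "where full-disk encryption is unavailable"},
        parameters={"AU-6(1)": "review automated audit alerts daily"},
        supplemental={"AC-2(12)"},  # added from risk assessment results
    )
    return sc, overall, baseline, tailor(baseline, t)


if __name__ == "__main__":
    _, level, base, plan = example()
    print("overall categorization:", level)
    for cid, entry in plan.items():
        print(cid, entry)
```

The high-water mark is deliberately a max over an ordinal ranking rather than string comparison, so that a typo such as "medium" fails loudly instead of silently sorting somewhere; that is the kind of check an assessor's Examine step would otherwise have to catch in the SSP.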
Step 4: Implement Controls
The selected controls are implemented in the information system and its environment of operation. Implementation details are documented in the System Security Plan (SSP) and the Privacy Plan. The SSP describes how each control is implemented, who is responsible, and how the control addresses identified risks.
Step 5: Assess Controls
An independent assessor evaluates the controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcome. Assessment methods include:
• Examine: Reviewing documentation, policies, procedures, and configurations.
• Interview: Speaking with personnel responsible for implementing or managing controls.
• Test: Exercising controls to verify they function as expected.
The results are documented in the Security Assessment Report (SAR), which identifies findings and recommendations.
Step 6: Authorize
The authorizing official (AO) reviews the security and privacy posture of the system, including the SSP, SAR, and Plan of Action and Milestones (POA&M), and makes a risk-based decision to authorize the system to operate, deny authorization, or grant an interim authorization. This decision is documented in the Authorization to Operate (ATO) package.
Step 7: Monitor Controls
After authorization, controls are continuously monitored to ensure ongoing effectiveness. This includes:
• Ongoing assessments of selected controls
• Analysis of security and privacy-related events and alerts
• Configuration management and change control
• Updating the SSP, SAR, and POA&M as needed
• Reporting the security and privacy posture to the AO and other stakeholders
Types of Controls
Controls can be classified in several ways:
By Nature:
• Technical Controls: Implemented through technology (e.g., firewalls, encryption, access control lists, intrusion detection systems, multi-factor authentication).
• Operational Controls: Implemented through people and processes (e.g., security awareness training, incident response procedures, physical security measures, media protection).
• Management Controls: Focused on managing risk and the security program (e.g., risk assessments, security planning, system authorization, program management).
By Function:
• Preventive: Stop incidents before they occur (e.g., access controls, encryption).
• Detective: Identify incidents when they occur (e.g., audit logs, intrusion detection).
• Corrective: Remediate after an incident (e.g., patch management, incident response).
• Deterrent: Discourage potential threat actors (e.g., warning banners, security cameras).
• Compensating: Provide alternative protection when primary controls cannot be implemented.
By Implementation:
• Common Controls: Inherited from the organization or shared infrastructure.
• System-Specific Controls: Unique to a particular system.
• Hybrid Controls: Shared responsibility between the organization and the system.
Privacy-Specific Considerations
Privacy controls address requirements that go beyond traditional security controls:
• Authority and Purpose (AP): Ensuring there is legal authority to collect PII and that the purpose is clearly defined.
• Accountability, Audit, and Risk Management (AR): Establishing accountability for privacy compliance and conducting privacy impact assessments (PIAs).
• Data Quality and Integrity (DI): Ensuring PII is accurate, relevant, and up to date.
• Data Minimization and Retention (DM): Collecting only the PII necessary and retaining it only as long as needed.
• Individual Participation and Redress (IP): Allowing individuals to access, correct, and request deletion of their PII.
• Security (SE): Protecting PII through appropriate security safeguards.
• Transparency (TR): Providing clear and accessible privacy notices.
• Use Limitation (UL): Ensuring PII is used only for authorized purposes.
In the latest version of NIST SP 800-53 (Rev. 5), privacy controls have been fully integrated alongside security controls, reflecting the recognition that security and privacy are closely interrelated but distinct disciplines.
Key Documents in the Control Lifecycle
• System Security Plan (SSP): Documents the controls selected and how they are implemented.
• Security Assessment Report (SAR): Documents the findings from control assessments.
• Plan of Action and Milestones (POA&M): Tracks identified weaknesses and the planned remediation activities.
• Authorization Package: The collection of documents (SSP, SAR, POA&M) submitted to the authorizing official for the authorization decision.
• Privacy Impact Assessment (PIA): Analyzes how PII is collected, stored, shared, and protected.
• Continuous Monitoring Strategy: Describes the approach for ongoing control assessment and risk monitoring.
Common Control Families in NIST SP 800-53 Rev. 5
The 20 control families include:
AC – Access Control
AT – Awareness and Training
AU – Audit and Accountability
CA – Assessment, Authorization, and Monitoring
CM – Configuration Management
CP – Contingency Planning
IA – Identification and Authentication
IR – Incident Response
MA – Maintenance
MP – Media Protection
PE – Physical and Environmental Protection
PL – Planning
PM – Program Management
PS – Personnel Security
PT – PII Processing and Transparency
RA – Risk Assessment
SA – System and Services Acquisition
SC – System and Communications Protection
SI – System and Information Integrity
SR – Supply Chain Risk Management
Control Baselines and Tailoring
Control baselines represent the starting point for control selection:
• Low Baseline: For systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect.
• Moderate Baseline: For systems where the loss would have a serious adverse effect.
• High Baseline: For systems where the loss would have a severe or catastrophic adverse effect.
Tailoring activities include:
• Identifying and designating common controls
• Applying scoping considerations to remove controls that are not applicable
• Selecting compensating controls when a baseline control cannot be implemented
• Assigning organization-defined parameters to controls (e.g., specifying the frequency of audits)
• Supplementing baselines with additional controls based on risk assessment results
Exam Tips: Answering Questions on Security and Privacy Controls and Requirements
1. Know the NIST RMF Steps Cold: Many questions will test your understanding of the seven RMF steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). Understand what happens at each step, who is responsible, and what documents are produced.
2. Understand the Relationship Between Categorization and Control Selection: The system's categorization (FIPS 199) directly determines the control baseline (FIPS 200 and SP 800-53B). Questions often test whether you understand that higher impact levels require more rigorous controls.
3. Know the Difference Between Common, System-Specific, and Hybrid Controls: Exam questions frequently test your ability to distinguish between these control implementation types. Remember that common controls are inherited and managed at the organizational level, while system-specific controls are managed by the system owner.
4. Understand Tailoring vs. Overlays: Tailoring adjusts the baseline for a specific system based on organizational factors. Overlays provide specialized adjustments for communities of interest, technologies, or environments. Know when each is appropriate.
5. Focus on Roles and Responsibilities: Key roles include the Authorizing Official (AO), System Owner, Information System Security Officer (ISSO), Common Control Provider, Security Control Assessor, and Senior Agency Official for Privacy (SAOP). Know who does what in each RMF step.
6. Distinguish Between Security and Privacy Controls: While they overlap, privacy controls address specific concerns like data minimization, purpose limitation, consent, and individual rights. Questions may test whether a scenario requires a security control, a privacy control, or both.
7. Remember the Assessment Methods: Examine, Interview, and Test are the three assessment methods defined in NIST SP 800-53A. Know when each is appropriate and what each involves.
8. Understand Continuous Monitoring: This is not just about automated tools. It includes ongoing assessments, configuration management, status reporting, and active risk management. Questions may test your understanding of what continuous monitoring entails beyond technology.
9. Pay Attention to Keywords in Questions: Words like "first," "best," "most important," and "primary" signal that multiple answers may seem correct, but you need to choose the one that is most aligned with the framework's guidance. For control-related questions, always think in terms of the risk-based approach.
10. Know Key Documents: Be able to identify the purpose of the SSP, SAR, POA&M, authorization package, and PIA. Questions often present scenarios where you need to identify which document addresses a particular need.
11. Understand Compensating Controls: When a required control cannot be implemented, a compensating control provides an equivalent level of protection. Know that compensating controls must be documented and approved, and they must address the same risk the original control was intended to mitigate.
12. Think Risk-Based: The CGRC exam emphasizes risk-based decision-making. When in doubt about a question, choose the answer that reflects a risk-based approach rather than a checklist or compliance-only mentality. Controls should be proportional to the risk they address.
13. Use Process of Elimination: If a question asks about control selection and one answer refers to activities that happen during implementation or assessment, eliminate it. Map each answer to the correct RMF phase.
14. Remember the High-Water Mark: For system categorization, the overall impact level is determined by the highest impact among confidentiality, integrity, and availability. This is a frequently tested concept.
15. Practice Scenario-Based Questions: The CGRC exam often presents real-world scenarios. Practice identifying which RMF step a scenario describes, what the appropriate control selection approach is, and who should be involved in the decision.
16. Don't Confuse Authorization with Accreditation: The modern terminology uses "authorization" (per NIST RMF). Older frameworks used "accreditation" (C&A). The CGRC exam uses current NIST terminology, so always think in terms of authorization.
17. Understand Inheritance: Many systems inherit controls from common control providers (e.g., the data center provides physical security controls). Know how inherited controls are documented and how responsibility is shared.
18. Link Controls to Organizational Mission: The ultimate purpose of controls is to support the organization's mission while managing risk to an acceptable level. Exam questions may test whether you understand this strategic perspective rather than viewing controls as purely technical measures.
Summary
Security and Privacy Controls and Requirements are the practical mechanisms through which organizations manage information security and privacy risk. Governed by frameworks like NIST SP 800-53 and the NIST RMF, these controls are selected based on system categorization, tailored to the organization's environment, implemented, assessed, authorized, and continuously monitored. For the CGRC exam, success depends on understanding the complete lifecycle of controls, the roles involved, the distinction between security and privacy controls, and the risk-based philosophy that underpins modern governance, risk, and compliance practices. Always approach questions from a risk management perspective, know the key frameworks and documents, and be prepared to apply your knowledge to realistic scenarios.