Select Page

Scoping and Tailoring

CISSP

Scoping and Tailoring are essential processes in developing and implementing effective security controls and baselines for IT systems. These processes help ensure that security measures are appropriate for the specific context and requirements of the organization.

Scoping

Definition: Scoping involves reviewing and selecting only those baseline security controls that are relevant to the specific IT system or environment being protected.

  • Purpose: To focus the security efforts on the controls that are most applicable to the system, avoiding unnecessary complexity and ensuring that relevant risks are addressed.
  • Steps:
    • Identify the System: Define the boundaries and characteristics of the IT system or environment.
    • Review Baseline Controls: Examine the baseline security controls that apply generally.
    • Select Relevant Controls: Choose controls from the baseline that are pertinent to the specific system or environment.

Example: For a web server, scoping might involve selecting controls related to web application security, access control, and data protection, while excluding controls that are irrelevant to web servers, such as those specific to physical hardware security.

Tailoring

Definition: Tailoring involves modifying the list of security controls within a baseline to align with the specific mission, objectives, and risk profile of the organization.

  • Purpose: To adapt the baseline security controls to better fit the organization’s unique needs, threats, and operational context.
  • Steps:
    • Understand Organizational Needs: Assess the organization’s mission, objectives, and specific security requirements.
    • Modify Controls: Adjust or modify the baseline controls to ensure they address the specific risks and support the organizational goals.
    • Document Tailoring: Clearly document the changes made to the baseline controls and the reasons for those modifications.

Example: An organization with a mission-critical application might tailor its baseline controls to include additional measures for high availability and disaster recovery, which might not be emphasized in a standard baseline.

Supplementation

Definition: Supplementation involves adding additional assessment procedures or details to the existing controls to ensure they meet the specific risk management needs of the organization.

  • Purpose: To enhance the effectiveness of the baseline controls and ensure comprehensive risk management.
  • Steps:
    • Identify Gaps: Determine if there are any gaps or additional requirements that are not fully addressed by the current controls.
    • Add Procedures: Introduce supplementary assessment procedures or details to fill those gaps.
    • Ensure Alignment: Ensure that the added procedures align with the organization’s risk management strategies.

Example: If a baseline control addresses general network security, supplementation might include additional procedures for monitoring and responding to specific threats identified in the organization’s threat model.

Summary

  • Scoping: Focuses on selecting relevant baseline controls for the specific IT system or environment being protected.
  • Tailoring: Adapts the baseline controls to align with the organization’s mission, objectives, and risk profile.
  • Supplementation: Adds additional procedures or details to the baseline controls to meet specific risk management needs.

By effectively scoping, tailoring, and supplementing security controls, organizations can ensure that their security measures are both effective and aligned with their unique requirements and risk profiles.

Latest Post:

Pin It on Pinterest