The DSRIP requirements are based upon the NIST Risk Management Framework (RMF). There are many NIST special publications (SP) that are referenced within RMF.
The first NIST SP to address is NIST 800-18. This SP illustrates how to breakdown an enterprise into logical boundaries.
Why is this the first SP to be addressed?
When you breakdown your enterprise into logical boundaries the boundaries provide a scope for what and how security controls are applied. The key point is that different boundaries require different control implementations.
Here’s an example: One system boundary is called the WAN infrastructure General Support System (GSS) that encompasses routers, switches, firewalls, network intrusion devices. Another system boundary is called the XYZ Major Application (MA). In the WAN GSS the devices in the boundary use Cisco ISE for Authentication, Authorization and Accounting. The Cisco ISE maintains a database that has user ID’s, passwords and role based access controls for device administrators that can make changes to devices within the boundary.
The XYZ Major Application (MA) is a web based application. The XYZ MA encompasses three web servers, three application servers, two database servers and a load balancer. These system use a multi-factor authentication product and active directory for authentication and role based access controls.
As you can see the implementation for access control is very different. Segmenting the Enterprise into logical boundaries narrows the scope for how controls are applied. The narrowed scope (boundary definition) helps PPS’s save time by focusing on the boundary where DSRIP data is processed, transmitted and stored. The boundary definition also saves PPS’s money by only applying controls where needed.
Aspiryon provides DSRIP assessments and consulting for PPS.