In this lesson, we're going to talk about Step 3 in the real world. Step 3 is the Select step inside of the risk management framework, and the purpose of the Select step is to select, tailor, and document the controls necessary to protect the system and the organization commensurate with the risk. Now, as we work through our Select step, we are trying to get five main outcomes. First, we need to ensure that we have a control baseline selected and tailored. Second, we need to ensure the controls are designated as system-specific, hybrid, or common. Third, controls have to be allocated to specific system components. Fourth, system-level continuous monitoring strategies need to be developed. And fifth, the security and privacy plans that reflect the control selection, designation, and allocation have been reviewed and approved. So, when it comes to Step 3, the Select step, we're going to move forward and take all the categorization we did back in Step 2, and now we're going to select all the different controls to be able to meet that level of categorization.

Now remember, when we did our categorization, we were looking at three main columns, such as C, I, and A, for confidentiality, integrity, and availability. So, for any type of data we had, we may classify that as a low-low-low, or a high-low-low, or something like that. For example, if I said the system was a medium-low-low, that means it is a medium confidentiality, low integrity, and low availability system. And that would be totally fine, and that would give us guidance as to what type of controls we're going to select to be able to provide that level of assurance for that given system. Now, as we go through the selection of our controls, we need to go through and figure out exactly what we want to do to achieve the goals set forth in the information categorization matrix that we created back in Step 2. To do this, we're going to select different controls and control families that will then apply to those different areas, such as confidentiality, integrity, availability, authentication, authorization, and things like that.

Now, that's the starting place, but it doesn't mean we have to stop there. Instead, we can actually tailor the RMF process to be more or less stringent. In some cases, we'll want to be able to tailor those controls a lot and give us additional security and lower the risk. To do that, we're going to go ahead and add some additional controls, and we call these control enhancements. Now, when I look at a control enhancement, this allows me to tune that control a little bit in order to better manage the risk that's associated with that given piece of information. Now, when we look at that, we have to consider the big picture. What is our objective? What is the control, how am I doing it now, and how can I do it in a better way? Sometimes that's going to require more engineering or more architecture, and sometimes it's just going to be a policy or a procedure. That all comes down to the details of that control. So, when you're looking at a control enhancement, for example, let's say I was considering doing full disk encryption for a system.

Now, normally I might be able to implement that by using something like BitLocker or FileVault or something like that, but maybe I want to enhance that control by saying that that full disk encryption has to occur within three minutes of booting up that system. Now, that may or may not be possible with the particular tool we chose, such as BitLocker or FileVault, but we could replace our hard disk drive with a self-encrypting drive, and that self-encrypting drive will automatically be encrypted all of the time as soon as that computer is turned on or turned off, based on the way you configure it. And so, that would be a way to enhance that control requirement by adding an additional layer of control that is more stringent than what you may already expect based upon the categorization that we initially did back in Step 2. Now, just like I said back in Step 2, this is going to be one of those areas where negotiation may occur.

So, I recommend that you work with other people throughout the RMF process to figure out what controls are doing what level of protection for you and how those controls could be enhanced to be able to mitigate your risk down even further if necessary. Now, if you're working in RMF as a policy person and you're really good with policy but you're not so good on the system administration side, I recommend you work closely with a system administrator who has a strong technical background to be able to help you tailor these controls and get the most out of them. For example, there is a term known as the ISSE, which is the information system security engineer. The people who fill these roles are very specialized and have a high level of technical capability, so you could work with somebody who is an ISSE, or information system security engineer, to be able to define different implementations for those controls to give you more mitigation and lower your overall risk.

These folks are going to be the smart people that can help bridge the divide for you, especially if you're more of a manager or more of a policy person and less of a technician. So remember, it's great to bring those people in, and bring them in early, as you start talking about these different controls, so they can help you pick the controls for the baseline of your categorization level as well as doing some tailoring to minimize the risk involved with that system or to lower the overall cost of implementing those controls. Because sometimes there are different ways to achieve the same outcome, and one of those things may cost hundreds of thousands of dollars, and the other one may be a couple of lines of registry changes that you can do for less than a few hundred dollars by using your existing staff. So, these are all things that you need to keep in mind as you're working on selecting those controls to achieve the outcomes that you want. For example, I was working on a naval system and trying to get it through the RMF process.

Now, this system was going to be specifically used by our watchstanders, who operate on a 24/7 basis. So, every day of the year there is somebody sitting behind that computer 24 hours a day, seven days a week, 365 days a year. Now, to be able to do that, we would have five different people standing that watch on a rotational basis. So, maybe person one came in at 8:00 AM and they were there till 4:00 PM; the next person came in at 4:00 PM and stayed till midnight; the third person came in at midnight and stayed till 8:00 AM; and we continued doing that for about three to four days, and then we would switch to another person and give some people time off. And as we did that, it went through a five-section watch rotation. Now, the reason I'm giving you this background is because one of the controls we had in the system said that we had to make sure each person individually logged into the computer using a smart card.

Now, this means they were using two-factor authentication: something they have, the smart card, and something they know, their individual PIN number. The problem with that is, to be able to log in using a smart card, you have to log out the other person. So, if I was sitting on this mission-critical watch station, and we need to have that up 24 hours a day, seven days a week, but every time we're going to have a changeover at 4 o'clock in the afternoon, midnight, or 8:00 AM in the morning, we're going to have somebody log out and then log back in, that might take one, two, or three minutes to complete. And during that time, the watchstander is losing their visibility on what is going on in the world. Now, we couldn't have this, and so we had to actually tailor this control to make it something that would work for us.

Now, inside the standard controls, it says that every person needs to log in individually with their own smart card and using their own PIN, so that way we can have multifactor authentication, and that gives us good security, but that is something that was not going to be possible on this system without us having between one and three minutes of downtime three times a day. So, we had to create an exception based on this category control that said you must have multifactor user identification using PKI certificates and smart cards. Now, by putting in an exception to this control, we were asking permission to have a lower-level control. And in our case, the solution we came up with was having a log book. So, the whole reason that we have this multifactor authentication in the first place is so that somebody cannot say they were not the person who was logged into the computer doing that thing at that time. Now, this means that if you were logged in with your card and your PIN number, any action you took on the system would go back to you.

But if we were all logged in using the same account, such as the watchstander account, we wouldn't be able to tell who was doing that thing. Now, that's the idea behind this control, but the outcome we're trying to achieve is non-repudiation. We want to be able to say that the person standing the watch is the person who was using the computer. Now, how did we overcome this? Well, the exception we put in place was to say this is a 24/7 watchstander, and because we need that system up and running all the time, we are going to issue a watchstander token that we're going to give out, and that's going to be passed from watch to watch. So, as I log in with the watchstander token, which is a smart card and a PIN number, all five watchstanders would know that, but only one of them is on watch at any given time.

When it was time for person one to go home and person two to take over, they would actually sign a document saying, "I have transferred ownership of this token from Jason to Kip, and that means Kip is now responsible because he is the second watchstander and he has it for the next eight hours." So if something happened, we could check the logs and say, "Oh, this happened on the watchstander account." And then we can go back to this written log and say, "Okay, who was the watchstander on February 1st, 2021 at 3:23 PM?" And we could check in the logs and go, "Oh, that was watch team number two; watch team number two was led by Kip. Kip is the person who was logged in at this time, and therefore Kip is the person who did that thing." As you can see, it's not a technical solution. It was a policy-based solution that we came up with, but it was acceptable to our authorizing official. They signed off on it, and we were able to get our RMF package through the process and get our authority to operate for that system.

Now, that's the whole idea here: creating this exception to loosen that control and figure out who is using that computer at any given time. Now, I know I went really in depth into this idea of how you can modify these controls, but this is an important thing to think about as you're selecting all of your controls. Remember, there are lots of different controls you can use. They don't have to just be logical or technical controls. You can also use administrative or management controls, such as using policies and procedures, like we did here by having a written log of who was logged into the computer at any given time. In addition to this, you can have controls that are detective controls, corrective controls, and other things. And as you're figuring out which controls you want to use, you're always focused on: what is the outcome that I'm trying to achieve? In this example, I need to know who was logged into that computer at any given time, so if something happened, we knew who to go back to and ask the questions of.

And you can do that by having each person log in individually with their own smart card and PIN number, or by simply writing down and signing, "I am the person on this computer," and the date and time that you took over, and then, when you leave for the day, the date and time that you left. Either way is an acceptable way to achieve this. One is a technical solution and one is a managerial or administrative solution, but they both achieve the exact same outcome that we are trying to get. So remember, when it comes to the Select step, which is Step 3 of the risk management framework, your job here is to select, tailor, and document the controls that are necessary to protect the system and the organization commensurate with the risk. Because of this, you can use all sorts of different controls, and you can tailor those controls to your individual system and your mission requirements based on where that system is and how that system is going to be operated.
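The compensating control in the lesson only delivers non-repudiation if the written handover log can actually be joined against the system's audit log, and if the chain of custody in that log has no gaps. The script below is an added example, not code from the lesson or its author, showing how a reviewer would do that join: it holds a constructed token-custody log (names, times and the audit-line format are all invented for illustration), validates that every handover's "from" matches the previous "to", and resolves each action on the shared watchstander account to the person who held the token at that moment. Actions on individually authenticated accounts are already attributable and are passed through unchanged; a timestamp the log does not cover returns no holder rather than a guess.

```python
"""Added example: attribute actions on a shared account via a token-custody log.
Names, handover times and audit lines are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Handover:
    """One signed entry in the custody log: from_user hands the token to to_user at `at`."""
    at: datetime
    from_user: Optional[str]   # None for the initial issue of the token
    to_user: str


# Constructed custody log: three eight-hour watches on 2021-02-01, then the next rotation.
CUSTODY_LOG = [
    Handover(datetime(2021, 2, 1, 0, 0, tzinfo=UTC), None, "Jason"),
    Handover(datetime(2021, 2, 1, 8, 0, tzinfo=UTC), "Jason", "Kip"),
    Handover(datetime(2021, 2, 1, 16, 0, tzinfo=UTC), "Kip", "Dana"),
    Handover(datetime(2021, 2, 2, 0, 0, tzinfo=UTC), "Dana", "Alice"),
]

# Constructed log with a custody gap: Kip never signed the token over, yet "Alice" hands it on.
BROKEN_LOG = [
    CUSTODY_LOG[0],
    CUSTODY_LOG[1],
    Handover(datetime(2021, 2, 1, 16, 0, tzinfo=UTC), "Alice", "Dana"),
]


def validate_log(log):
    """Return the log in chronological order, raising if the chain of custody is broken
    (each entry's from_user must equal the previous entry's to_user)."""
    ordered = sorted(log, key=lambda h: h.at)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.from_user != prev.to_user:
            raise ValueError(f"custody gap at {cur.at.isoformat()}: "
                             f"{prev.to_user} -> {cur.from_user}")
    return ordered


def chain_is_unbroken(log):
    """Boolean wrapper around validate_log for quick checks."""
    try:
        validate_log(log)
        return True
    except ValueError:
        return False


def holder_at(log, when):
    """Return who held the watchstander token at `when`, or None if the log does not cover it."""
    holder = None
    for h in validate_log(log):
        if h.at <= when:
            holder = h.to_user
        else:
            break
    return holder


# Constructed audit lines from the system (the key=value format is invented for this example).
AUDIT_LINES = [
    "2021-02-01T15:23:00Z account=watchstander action=config_change target=radar-feed",
    "2021-02-01T23:59:30Z account=watchstander action=acknowledge_alert id=417",
    "2021-01-31T10:00:00Z account=watchstander action=login",
    "2021-02-01T15:23:00Z account=jsmith action=login",
]


def parse_audit_line(line):
    """Split an audit line into a timezone-aware timestamp and a dict of fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), fields


def attribute(line, log=CUSTODY_LOG):
    """Map one audit line to an accountable person.
    Individually authenticated accounts are already attributable; the shared
    watchstander account is resolved through the custody log."""
    when, fields = parse_audit_line(line)
    account = fields.get("account")
    if account != "watchstander":
        return account
    return holder_at(log, when)


if __name__ == "__main__":
    for line in AUDIT_LINES:
        print(line.split()[0], "->", attribute(line))
```

The gap check matters as much as the lookup: a handover log that an authorizing official accepted as the basis for non-repudiation is only as strong as its weakest unsigned transfer, so a review of the shared account should fail closed on any break in the chain rather than attribute an action to whoever signed last.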