The two controls I chose to explore are CP-9 Information System Backup and MP-4 Media Storage. CP-9 requires backups of user-level information, system-level information, and information system documentation, at an organization-defined frequency, and requires that the confidentiality, integrity, and availability (CIA) of the backed-up information be protected at the storage locations. The second control, MP-4, which is closely related to CP-9, requires that digital and non-digital media be physically controlled and securely stored within controlled areas, and protected until they are destroyed or sanitized using approved equipment, techniques, and procedures (NIST, n.d.).
A carefully created and thorough data backup and recovery plan is crucial for anyone who wishes to protect their data when a problem arises; it is even more necessary if a company handles a large amount of sensitive data such as credit card numbers, transaction records, and the personal information of its employees and customers. A backup plan is essentially an insurance policy for data. Because hardware and software are anything but perfect, situations arise in which stored information is corrupted, deleted, or lost outright. If mission-critical or sensitive data is rendered unusable, a plan must already be in place to restore that information in a timely and cost-effective manner, and the plan must have been tested, since an untested backup is only assumed to be restorable.
A real-world example of CP-9 is the procedure we use at the company I work for. All of our data is stored both on-premise, on a NAS (network-attached storage) appliance, and off-premise in the cloud. To ensure the CIA of our data, we perform regular audits of the status and integrity of the stored backups and conduct routine emergency recovery tests in which backups are actually restored and checked. A real-world example of MP-4 would be an organization storing media on a RAID array in one of its many available configurations, kept in a physically controlled area. One method of managing stored data until it is time to delete it would be to set a defined retention period after which a customer's personal information is automatically deleted from the RAID storage, so that the disks are routinely cleared and remain available for mission-critical material; note that deleting records in this way is a retention control, and MP-4 still requires that the disks themselves be sanitized with approved techniques before they leave controlled storage.
I believe my two examples of the security controls I chose are adequate to ensure the protection of stored data because of their use of redundancy and their focus on disaster recovery procedures. In my opinion, the two controls I selected mainly contribute to a disaster recovery plan (DRP) and a business continuity plan (BCP), as they ensure that in the event of a disaster or incident, the data needed both to recover lost uptime and to continue business operations can be quickly accessed.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Retrieved February 10, 2020, from https://nvd.nist.gov/800-53/Rev4/control/CP-9
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Retrieved February 10, 2020, from https://nvd.nist.gov/800-53/Rev4/control/MP-4
Whitman, M. E., & Mattord, H. J. (2018). Management of information security (6th ed.). Boston, MA: Cengage.