Security Engineering (SE) Workbench
Security Control Explorer Tool

The Security Control Explorer (SCE) is a software tool that aids Security Engineers involved in selecting and/or assessing security controls related to Enterprise Risk Management or Information Technology (IT) Risk Management programs. To perform these Security Assessments, Security Engineers consult any of a number of authoritative reference documents concerned with Security Controls. The base documents for this type of assessment typically include NIST Special Publication 800-53R5, ISO/IEC 27001, or similar. The information in these documents may reference other authoritative documents, including the NIST Cybersecurity Framework, Common Criteria, and more. The SCE tool provides a convenient way for the Security Engineer to explore the information in this grouping of reference material.
Security Control Analysis Process Review

Security Control Analysis, also referred to as Security Risk Analysis, is a Security Engineering activity that is used to: (1) establish a baseline assertion of business and/or technical risk for an organization or computer information system, (2) establish a baseline set of security controls to address business and/or technical risk for an organization or computer information system, (3) assess current organizational and information technology controls and practices against a previously established baseline, or (4) document a plan for improvement of organizational and information technology controls and practices, in consideration of identified gaps or as a result of security incident(s). In Table #1, the left side provides a general flow of work, where Security Engineers analyze or assess risk in Information Systems, Information Services and/or Assets per practices outlined in the Cybersecurity Workforce Framework or another reference. The Security Engineers advise on, and/or provision, updated security controls that will reduce risk in Information Systems and Assets. Security Engineers routinely refer to authoritative reference information for Security Controls, including NIST SP800-53R5, ISO/IEC 27001 and other sources.
Table #1. Security Control Analysis
SCE Tool Overview

Table #2 below provides an overview of the SCE Tool. The user interface for the tool is a web browser. The display is divided into two sections: the upper section is the header portion and the lower section is the data portion.
Table #2 - SCE Tool Layout
The upper section of the browser window, or Header, contains information about the tool, including release-specific information, notes and acknowledgements. The lower section of the browser window, or Body, is the work area of the tool. The top of the Body contains pull-down menus, a search field and a set of column headers, one for each of the major fields in the output. The middle portion of the Body is a data table providing a tabular view of the security control entries. The content and ordering of the data table will vary depending on which, if any, of the operators in the Header or Footer have been activated. The bottom portion of the Body displays the number of rows available to display on each browser page, the total number of entries in the current display based on the active filters in the Header, as well as a way to index each page in the current output set. Each portion of the display is described in more detail below. The primary document for the SCE tool is NIST SP800-53R5. Each entry in NIST SP800-53R5 represents a security control. Each security control contains detailed information about the control, along with direct and indirect references to other (secondary) documents in the document map. Each secondary reference contains detailed information, as well as references to other secondary documents or to the primary document.
SCE Tool Detail

Security Control Explorer - Upper Section

The upper section of the browser window, shown in Table #3 below, contains three areas of interest:
Table #3 - SCE Browser Window - Upper Section
The title of the tool is at the top. Ownership, version and contact information is found in the left column. The left-hand column also contains a basic document map associated with the tool. Basic usage instructions are located in the center column. Notes, Notices and Disclaimers about the tool, as well as terms and conditions from the owners of the information sources, are located in the right column.
Security Control Explorer - Lower Section

The Data Table (identified as item 8 in Table #4) is the focus of the tool. On initialization, the Data Table contains one row for each entry in the main reference document along with related direct and indirect references. For the Security Control Explorer, the main reference document is the version of NIST SP800-53R5 listed in the Tool Information Table. The data cells are constructed with information from the primary and secondary information sources, as well as derived data. The data cells may contain single data elements, grouped data elements or composite data. Derived data elements may include links to external references, data that is aggregated from one or more information sources, and/or knowledge insights. The size, content and order of the data table at any time depend on the user-driven operation. The Lower Section of the browser window, shown in Table #4, contains 8 areas of interest:
Table #4 - SCE Browser Window - Lower Section
The headings and buttons at the top of the Data Table are used to manipulate the information in the Data Table.
User Operations

When the tool is invoked, the Data Area contains the default view, which is the entire security information base. The user may perform the following operations in any order:
SCE Export Data Function

The Export function is used to create and store a copy of some or all of the data in the tool in PDF, CSV or Print formats. The export function operates on data that has been selected. There are two ways to select data: (1) click the checkbox of one or more rows of data, or (2) use the filter or text search features of the tool to narrow the focus of the visible data and then use the Select Data function to either Select All Data or Select Filtered Data. Table #5 below provides a visualization of the use of the Export function, where the user can choose "Copy Selected to Clipboard", generate a "PDF" document, generate a spreadsheet file in the "CSV" (Comma Separated Value) format, or create a "Print" file for local or network printing. The "Copy to Clipboard" function requires the operator to select a destination application, such as Notepad, a word processing document or other. The PDF, CSV or Print options will automatically open a window in the corresponding application, assuming that the user's computer system has a compatible application.

Table #5 - SCE Export Data Function
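The filter, Select Filtered Data and CSV export workflow described above, modelled as an added Python example (this is not the SCE tool's own code): the rows are constructed placeholder entries in the NIST SP 800-53 naming style, the reference count is an assumed derived data element, and the CSV writer shows why the export must quote titles that themselves contain commas.

```python
import csv
import io

# Constructed sample rows standing in for the SCE Data Table. The control IDs
# follow the NIST SP 800-53 naming style, but the titles and references are
# placeholder content, not catalog text.
DATA_TABLE = [
    {"id": "AC-2", "title": "Account Management",
     "direct_refs": ["AC-3", "IA-2"], "secondary_refs": ["CSF PR.AC-1", "ISO 27001 A.9.2"]},
    {"id": "AU-6", "title": "Audit Record Review, Analysis, and Reporting",
     "direct_refs": ["AU-2", "SI-4"], "secondary_refs": ["CSF DE.AE-2"]},
    {"id": "IA-2", "title": "Identification and Authentication (Organizational Users)",
     "direct_refs": ["AC-2"], "secondary_refs": ["CSF PR.AC-1", "ISO 27001 A.9.4"]},
]

def text_search(rows, needle):
    """Header text search: keep rows whose id, title or references mention needle."""
    needle = needle.casefold()
    def hit(row):
        fields = [row["id"], row["title"], *row["direct_refs"], *row["secondary_refs"]]
        return any(needle in f.casefold() for f in fields)
    return [r for r in rows if hit(r)]

def select_rows(all_rows, visible_rows, mode):
    """Select Data menu: 'all' ignores the active filter, 'filtered' honours it."""
    if mode == "all":
        return list(all_rows)
    if mode == "filtered":
        return list(visible_rows)
    raise ValueError(f"unknown select mode: {mode}")

def derived_row(row):
    """Flatten one entry into export columns, adding an assumed derived field (reference count)."""
    return {
        "Control": row["id"],
        "Title": row["title"],
        "Direct References": "; ".join(row["direct_refs"]),
        "Secondary References": "; ".join(row["secondary_refs"]),
        "Reference Count": len(row["direct_refs"]) + len(row["secondary_refs"]),
    }

def export_csv(selected):
    """Export the selected rows as CSV text; the csv module quotes fields containing commas."""
    buf = io.StringIO()
    fields = list(derived_row(selected[0]).keys()) if selected else ["Control"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in selected:
        writer.writerow(derived_row(row))
    return buf.getvalue()

if __name__ == "__main__":
    visible = text_search(DATA_TABLE, "PR.AC-1")
    print(export_csv(select_rows(DATA_TABLE, visible, "filtered")))
```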
Sample Exercises

Refer to the SCE Exercise link on the Project homepage for examples.
LAST UPDATE: 30 March 2022