Security Engineering (SE) Workbench

Return to the SE-Workbench Project Page

Security Control Explorer Tool

The Security Control Explorer (SCE) is a software tool that aids Security Engineers involved in selecting and/or assessing security controls related to Enterprise Risk Management or Information technology (IT) Risk Management programs.

To perform these Security Assessments Security Engineers will consult any of a number of authoritative reference documents concerned with Security Controls. The base documents for this type of assessment typically include: NIST Special Publication 800-53R5, ISO/IEC 27001, or similar. The information in these documents may reference other authoritative documents, to include the NIST Cybersecurity Framework, Common Criteria, and more.

The SCE tool provides a convenient way for the Security Engineer to explore the information in this grouping of reference information.

Security Control Analysis Process Review

Security Control Analysis, also referred to as Security Risk Analysis is a Security Engineering activity that is used to: (1) establish a baseline assertion of business and/or technical risk for an organization or computer information system, (2) establish a baseline set of security controls to address business and/or technical risk for an organization or computer information system, (3) assess current organizational and information technology controls and practices against a previously established baseline, or (4) document a plan for improvement of organizational and information technology controls and practices, in consideration of identified gaps, or as a result of security incident(s).

In Table #1, the left side provides a general flow of work, where Security Engineers analyze or assess risk in Information Systems, Information Services and/or Assets per practices outlined in the Cybersecurity Workforce Framework or other reference. The Security Engineers advise on, and/or provision, updated security controls that will reduce risk in Information Systems and Assets.

Security Engineers routinely refer to authoritative reference information for Security Controls, to include: NIST SP800-53R5, ISO/IEC 27001 and other sources.

Table #1. Security Control Analysis

Security Control Analysis Process
Security Control Analysis Process

Security Control Analysis Reference Information
Security Control Analysis Reference Information

Authoritative Information Sources

  1. NIST SP800-53R5
  2. ISO/IEC 27002:2013
  3. Common Criteria for Information Security Evaluation.
  4. Mitre Attack
  5. Mitre Common Attack Patterns (CAPEC)
  1. Mitre Common Weakness Enumeration (CWE)
  2. Mitre Common Vulnerability Enumeration (CVE)
  3. NIST SP800-30 Guide for Risk Assessment
  4. NIST Cybersecurity Framework
  5. NIST SP 1800-5 Asset Management
  6. Cybersecurity workforce framework

SCE Tool Overview

Table #2 below provides an overview of the SCE Tool. The user interface for the tool is a web browser. The display can be divided into sections: the upper section is the header portion and the lower portion is the data portion.

Table #2 - SCE Tool Layout

SCE Tool User Interface Web Browser
Tool Layout

The upper section of the browser window, or Header, contains information about the tool, including release specific information, notes and acknowledgements. The lower section of the browser window, or Body, is the work area of the tool. The top of the Body contains pull down menus, search field and a set of column headers on for each of the major fields in the output. Middle portion of the Body is a data table providing a tabular view of the CWE entries. The content and ordering of the data table will vary depending which if any of the operators in the Header or Footer have been activated. The bottom portion of the Body displays the number of rows available to display in each browser page, the total number of CWE entries in the current display based on active filters in the Header, as well as a way to index each page in the current output set.

Each portion of the display is described in more detail below.

The primary document for the SCE tool is NIST SP800-53R5. Each entry in NIST SP800-53R5 represents a security control. Each security control contains detailed information about the control, along with direct and indirect information to other (secondary) references in the document map. Each secondary reference contains detailed information, as well as references to other secondary documents or the primary document.

SCE Tool Detail

Security Control Explorer - Upper Section

The upper section of the browser window, shown in Table #3 below, contains three areas of interest:
  1. Banner Area: Identifes the tool
  2. Information Page Toggle: provides a means to show/hide the Tool Information Table
  3. Tool Information Table: Identifies key information about the tool, to include: tool version, revision date, contact information, general description of the tool, general usage tips, source documents, terms of use, and disclaimers.

Table #3 - SCE Browser Window - Upper Section

SCE Header

The title of the tool is at the top. Information about the ownership, version and contact information is found in the left column. The left hand column also contains a basic document map associated with the tool. Basic usage instructions are located in the center column. Notes, Notices and Disclaimers about the tools, as well as terms and conditions from the owners of the information sources are located in the right column.

Security Control Explorer - Lower Section

The Data Table (identifed as item 8 in Table #4) is the focus of the tool. On initialization, the Data Table contains one row for each entry in the main reference document along with related direct and indirect references. For the Security Vulnerability Explorer, the main reference document is the version of Mitre Common Weakness Enumeration listed in the Tool Information Table. The data cells are constructed with information from the primary and secondary information sources, as well as derived data. The data cells may contain single data elements, grouped data elements or composite data. Derived data elements may include links to external referencces, data that is aggregated from one or more information sources, and/or knowledge insights. The size,content and order of the data table at any time is dependent on the user-driven operation.

The Lower Section of the browser window, shown in Table #4, contains 8 areas of interest:

  1. Page and Data Format Buttons: provide the ability to show and hide specific data columns, otions for selecting and deselecting data, and options for exporting data to the computer's clipboard, or external files in CSV, PDF or Print format.
  2. Data Filters: provide the ability to filter the data to be displayed based on a number of predefined parameters.
  3. Text Search Data Entry Field: provide the ability to filter the data to be displayed using operator entered text string.
  4. Column Headers: Identifies the content in each column, also provides the ability to sort selected columns in ascending or descending order.
  5. Tool Data Content: one or more rows of data that is grouped by column.
  6. Row Selectors: provide the ability to select undividual rows. May be use on combination with the Select Data button in #4 to select groupings of rows from filtered data
  7. Page Footer: describes the number of visible rows
  8. Page Navigator: provides the ability to select the page shown, if there are multiple pages of data in the active display

Table #4 - SCE Browser Window - Lower Section

SCE Data

The headings and buttons at the top of the Data Table are used to manipulate the information in the Data Table.

  • Data Filters (item 5 in Table #4) The Data Filters are a series of pull down menus, provide for selection and filtering of the data on the values that correspond to label on the menu.

    SCE Data Filters include:

    • NIST SP800-53R5 ID
    • NIST SP800-53R5 ID Control Family
    • NIST SP800-53R5 ID Control Title
    • NIST SP800-53R5 ID Control Type [Management, Operations, Technical]
    • NIST SP800-53R5 to ISO27001 Control Mapping
    • Related NIST SP800-53R5 Controls
    • Cybersecurity Capabilities
    • Reference Documents

  • Search Field (item 6 in Table #4) The search field provides for selection and filtering of the data using free form text.
  • Column Header Fields (item 7 in Table #4) The column headers identify the content in each column. Selected Column can be sorted in ascending or descending order.

    SCE Data Columns include:

    • Select Checkbox
    • NIST SP800-53R5 Control Information (Sortable, Default: Visible)
    • Cybersecurity Capabilities (Default: Visible)
    • Reference Documents (Default: Visible)
    • NIST SP800-53R5 to ISO27001 Control Mapping (Default: Not Visible)
    • Reference Documents

  • Row Selector Fields (item 9 in Table #4) The row selectors provide the ability to highlight and select rows of interest in the data portion of the display. The row selectors are used in combination with the Select Data and Export Data buttons to create custom output.
  • Page Footer Field (item 10 in Table #4) The footer displays the total number of rows to be displayed. The length of the display page can be adjusted by the "Show" pull down menu in the Column Header portion of the page. The options are "10", "25", "50", or "100".The right side of the footer provides navigation for the number of pages to be displayed.

User Operations

When the tool is invoked, the Data Area contains the default view or the entire security information base. The user may perform operations in any order:

  • Scrolling up/down to view the data elements
  • Setting/resetting the display page to from 10, 25, 50 or 100 entries
  • Sorting a column by clicking on the colum header. Nested sorting is achieved by sorting the desired columns from least significant to most significant
  • Filtering via Text Search
  • Filtering via drop down menu.
  • Opening URL to access extended information in the cell

SCE Export Data Function

The Export function is used to create and store a copy of some or all the data in the tool in PDF, CSV or Print formats. The export function operates on data that has been selected. There are two ways to select data: (1) clicking on the checkbox of one or more rows of data, or (2) use the filter or text search features of the tool to narrow the focus of the visible data and then use the Select Data function to either Select All Data or Select Filtered Data.

Table #5 below provides a visualization of the use of the Export function, where the user can select to "Copy Selected to Clipboard", generate a "PDF" diocument, generate a spreadsheet file in the "CSV" (Comma Separated Value) format, or create a "Print" file for local or network printing. The "Copy to Clipboard" function requires the operator to select a destination application, such as Notepad, Word Processing Document or other. The PDF, CSV or Print options will automatically open a window to the corresponding application, assuming that the users computer system has a compatible application.

Table #5 below provides a visualization of the options for Exporting SCE data to PDF, CSV and Print.

Table #5 - SCE Export Data Function

SCE Export

Sample Exercises

Refer to the SCE Exercise link from the Project homepage for examples.
top of the page

Copyright © 2021, 2022 Jim Whitmore.

LAST UPDATE: 30 March 2022