How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Nicholas Nirenberg says
You could apply the FIPS 199 security categorizations to decide which of the safeguards in the FGDC guidelines are needed by identifying the potential impacts for each security objective. Once the potential impacts for each security objective are identified, you can use them as an aid with the decision tree, for example, in the FGDC guidelines. This can help to understand if a safeguard is justified or not. Then, you can also use the security categorizations to identify the potential impacts if a certain safeguard was put in place. For example, what would be the impact to confidentiality, integrity, and availability, if the data would be changed or restricted? You can then decide which safeguard should be implemented and to what extent based on the potential impacts of implementing that safeguard.
Jon Stillwagon says
Hello Nicholas, determining if the safeguard for the data would be justified or not can help companies be more selective on which data to put safeguards on. The decision tree would be beneficial to companies in this way. I can understand how useful it could be to safeguard information and not so much of other information.
Celinemary Turner says
To determine if each of the information security risk mitigation safeguards described in the Federal Geographic Data Committee (FGDC) guidelines is needed, you can apply the Federal Information Processing Standards (FIPS) Publication 199 security categorization process. Firstly, the potential impact of each security objective needs to be identified. Once the potential impacts for each security objective are identified, with the decision tree in the FGDC guideline, we can deduce if a safeguard is justified or not. Use FIPS 199 to categorize the system or data based on the potential impact of a security breach. Assess the potential impact in terms of confidentiality, integrity, and availability. Choose the risk mitigation safeguards from the FGDC guidelines that align with the security categorization you assigned to the system or data. Ensure that the selected safeguards are relevant to the specific risks and potential consequences associated with the system or information.
Jon Stillwagon says
First, decide who the guidelines are for and what kind of data is going to be measured. Determine how high confidentiality, integrity, and availability are with the information. Then I would go through the FGDC decision procedure to determine how I would handle the data. I would then use the FGDC guidelines and apply them to the information so it gets the right amount of security. It is best to align the data, confidentiality, integrity, and availability to the FGDC guidelines, which will then determine the outcome of the data.
Bo Wang says
First, identify the potential impact of the three aspects of the target: confidentiality, integrity and availability. These potential impacts are then matched against the corresponding protective measures in the FGDC guidelines. Finally, determine whether the results of the data are valid.
Yannick Rugamba says
I would categorize the security levels of data using FIPS 199 to how we rate the value of items in our homes. Just like everyday clothes require security low impact data wouldn’t need protection. On the other hand, important work files, categorized as impact data, would need reasonable safeguards. When it comes to client information classified as high impact data, it’s crucial to implement the highest level of security measures. To ensure protection, I would align these categories with FGDC guidelines, which act as a reference for securing our belongings. It’s all about selecting the security measures based on each level of importance, like choosing between a simple lock or a state-of-the-art security system depending on what needs safeguarding.
Edge Kroll says
The first objective is to assess the target using the FIPS security categorizations in order to see which safeguards must be applied. This is done by looking for the potential impacts of each security objective and comparing them to the FGDC guidelines in order to decide if the safeguard chosen was justified or not. Furthermore, other potential safeguards can be analyzed in order to assess the security impacts if a different option was chosen.
Eyup Aslanbay says
For applying FIPS 199 security categorizations to determine the need for information security risk mitigations described in the FGDC guideline, the approach should be:
Information Type Identification
Determine Potential Impact
Determine Overall Security Category
Cross-Reference with FGDC Mitigations
Review and Update
Ooreofeoluwa Koyejo says
The FIPS199 security categorization of LOW, MODERATE and HIGH tags information, information types and information systems according to the level of impact a breach of security (confidentiality, integrity and availability) has on the organisation.
The FGDC and the recommended information security risk mitigation safeguards are addressed in 3 sections. In the first section, the question of data ownership/responsibility is presented which gives context and answer to the question in the second question on the value of data by answering if the data is needed to be safeguarded and in the third section, it speaks to the type of controls/measures that will address the safeguards based on the value of the data.
The application of the FIPS199 will be applicable in sections II and III to qualify and quantify the severity of the data based on the value from the data owner/sponsor or data analyst who requests for the safeguarding of the data. Assigning the categorization of LOW, MODERATE or HIGH to the geospatial data will inform the decisions made in the safeguard measures applied to the data.
Hashem Alsharif says
To apply the FIPS 199 Security Categorizations to decide if a guideline is needed requires multiple steps. First, information needs to be observed to see where it would be categorized. Every type of information has a specific category it would belong to for locating the control. The next step would be to identify and find the need for safeguards. Based on the FIPS 199, every piece of information will have a safeguard that matches to what the security categorization has. After finding out what level of impact the systems are, which determines the level of safeguards needed, these will have to be added and monitored, which helps ensure that it’s working properly, and lastly, check for compliance, which is important for following guidelines.