How you would apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Reader Interactions
Comments
Leave a Reply
You must be logged in to post a comment.
To determine how to apply the FIPS 199 security categorizations on geospatial data to assess whether FGDC security risk mitigations are required, one would need to apply an offensive approach to the information under analysis. In other words, how could the geospatial data be used in an unauthorized manner that could pose a risk to national security? We can establish appropriate security categories using this approach based upon the “potential impact for each security objective associated with the particular information type” (FIPS 199, 2004).
For example, does the data include United States critical infrastructure information about nuclear or water plant development. Would an adversary be able to use this information to disrupt and damage these systems based upon the information released to the public? If the answer is “yes,” this information would be categorized as having a HIGH impact on confidentiality and would require safeguarding. “Safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination.” (FGDC, 2005).
SC geospatial critical infrastructure data = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
However, by applying the same methodology, we can determine that municipal boundaries or terrain geospatial data does not pose a risk to national security. This data would be less likely to require safeguarding because the benefits out weigh any security concern. Additionally, the CIA impact on said information may also result in lower ratings.
SC geospatial municipal boundary data = {(confidentiality, N/A), (integrity, LOW), (availability, LOW)}
Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns. (2005). Retrieved 28 August 2021, from https://fas.org/sgp/othergov/fgdc0605.pdf.
Standards for Security Categorization of Federal Information and Information Systems. (2004). Retrieved 27 August 2021, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Hi Kelly,
you perhaps inadvertently raise an interesting point regarding the fact that FGDC defines the safeguarding criteria exclusively as the intersection between unique and sensitive data that poses a security risk if released. The guideline decision tree, Figure 1, illustrates that the three criteria to be met must be successively evaluated, beginning with posed security risk, followed by uniqueness of data, and lastly the security cost versus the societal benefit of spreading the information. One might think that the first two criteria could be considered enough to merit safeguarding alone, and that the final criteria may simply further the negative impact.
Kelly,
I enjoyed reading this comment very much as it gave me better insights. I also liked how you used nuclear/water plant development as an example to set the other security categorizations; and the resulting disclosure of geospatial information about the plant would place confidentiality as HIGH. I would also assume if integrity is also HIGH; and availability is MODERATE this would lead to additional safeguards being explored since impacts would result in high-moderate losses in all categories.
The security categories are based on the potential impact on an organization if events that jeopardize information and information systems needed by the organization to accomplish its task occur.
FGDC Guidelines that are needed are:
Confidentiality:
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is an unauthorized disclosure of information.
Integrity:
Guarding against improper information, modification or destruction, which includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information
Availability:
Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
https://community.mis.temple.edu/mis5206sec001fall2021/files/2020/08/NIST-FIPS199.pdf
Geospatial data is any data information that have geographic location on Earth. These data include objects, events and phenomena and are made it publicly to people for their own use. Although these information are diverse, any suspicious activities can happen that is why it is important to set some laws and policies on how those information can be accessible to everybody but at the same time restricted to them.
The FIPS Publication 199 helps us better understand the standards to categorize information systems. Confidentiality could be an example of safeguarding geospatial data. For example, we’ve seen that the military or air force have now started to use the geospatial information such as GPS to locate their people in case they are in danger and need a backup or manage their infrastructure assets like roads, water, power distribution etc.. Having all these sensitive data available to everybody can have a big impact on the development of a country and we’ve seen that happen on Sept 11th. For some reasons, there was failure in the security system causing address detection, people name, geolocation. I believe those terrorists had time to analyze the data, innovate software and then attack. If a data contains sensitive information that can affect a country in a bad way, then those data are to be stored in a database with access restrictions and only be seen by people who are authorized to do so. The FGDC very well outlines the three factors that originate an data to be safeguarded such “ risk to security, uniqueness of information and net benefit of disseminating data.
https://community.mis.temple.edu/mis5206sec001fall2021/files/2020/08/FGDC-Reading1_GeospatialData_Access-Guidelines.pdf
https://community.mis.temple.edu/mis5206sec001fall2021/files/2020/08/NIST-FIPS199.pdf
“If a data contains sensitive information that can affect a country in a bad way, then those data are to be stored in a database with access restrictions and only be seen by people who are authorized to do so.”
Regarding the point above, I am curious if most data sets are benign until someone figures out a way to use them maliciously. Aside from military, critical infrastructure, and datasets with PII, which are sensitive, I wonder how we’d police other sources where the risk is less clear. I guess this is where threat intelligence would play an important roll and allow for access to be rolled back as intelligence is collected.
To apply the FIPS 199 security categorizations to Geospatial data, you would start with the Security Categorization (SC) formula used to measure the potential impact on organizations and individuals (SC = ((confidentiality, impact), (integrity, impact), (availability, impact)). Each unique type of Geospatial data would have to be analyzed using this very format, as the impact variables for each information type can vary. Once the security categorization is determined, it would be best to evaluate during Section II of the decision procedure outlined by the FGDC guideline. Accessing this information during Section II of the decision process would assist a company determining if the potential impact would be severe enough, in addition to answering the other various questions that are posed during these steps of the FGDC guideline. Doing so would give the company enough information to make an informed decision if either of the safeguards are needed.
Hello Ryan, I am very much in support of your position and adequately believe that once data has been adequately categorized using the security categorization formula to determine criticality and severity and ascertain the potential impact of such data on the users. Then the FGDC guidelines should be relied on to gather data and answer questions for informed and secure business decisions.
Section 2 of the FGDC document states the three factors of why safeguards may need to be applied. The three factors are Risk to security, uniqueness of information, and net benefit of disseminating data. Risk security These factors summarize to say, are the contents of the data specific enough to entice an attack? If so is this information unique enough where it can’t be found elsewhere? Do the security cost outweigh the societal benefits if the data were to be released.
FIPS is based on the CIA triad (Confidentiality, Integrity, Availability) and deals with the potential of impact. The potentials of impact range from low to moderate to high. Low meaning there will be minimal chance of a negative impact on the organization and its assets, whereas with moderate there would be serious impacts to the organization as well as its assets, and with high, they would be catastrophic.
We can combine the FGDC safeguards and FIPS by applying the impacts of confidentiality, integrity, and availability to the FGDC decision process. For example, if the contents of the geospatial or really any government data is not sensitive or unique and the benefits of disseminating the data outweigh the cost, you could argue that the confidentiality is not applicable or low, the integrity is low and the availability is low.
The FGDC document states that safeguarding is only warranted when the data is sensitive, unique and the security risk outweighs the societal benefits of dissemination, so you really wouldn’t need to apply safeguarding to the previous example. If the data meets the safeguarding criteria then confidentiality would be high/moderate, integrity would be high/moderate and availability would be high/moderate. I say high or moderate because it would depend on how sensitive the data is.
Source: Federal Geographic Data Committee. Homeland Security Working Group. “Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns”. Washington: June 2005, 16 p. Available through Federal Geographic Data Committee website at http://www.fgdc.gov/fgdc/homeland/index.html.
Source: National Institute of Standards and Technology, Standards for Security categorization of Federal information and information systems FIPS PUB 199 (2004). Gaithersburg, MD.
Hello Dhavel, great job explaining the factors that should be safeguarded by asking critical questions. In addition to having factors that applies to be safeguarded, it is really important to look for risk impacts as you said. I really like the idea where you joint FGDC guideline safeguards with the impact levels could be referenced by FIPS.
The security classifications are primarily premised on the potential impact on an organization if certain events happen that are meant to jeopardize the information and information required by the organization to achieve its assigned missions, protects assets, meet its legal responsibilities, and also meet day-to-day operations, and also protect individual in an organization. Security classifications are to be used in tandem with vulnerability and threat information in determining the risk to an organization. FIPS Publication 199 defines three parameters of potential impact on an organization or individual should there be a breach of security that is a loss of confidentiality ,integrity or availability. And the application of these categorizations must certainly take place in the purview of each organization and the overall scope of National interest.
Hi Kofi thanks for sharing! I really like the point you made when you wrote, “Security classifications are to be used in tandem with vulnerability and threat information in determining the risk to an organization”. If organizations don’t adequately monitor for new and existing vulnerabilities then they won’t be able to appropriately categorize their data, and the threats to it, in terms of confidentiality, integrity, and availability.
For this example, a data set containing detailed maps of military bases will be considered. This is modeled after the law enforcement example in FIPS 199.
First, we must consider the GIS data value from a Risk to Security (FGDC) and Confidentiality (FIPS 199) perspective. Such a data set would warrant a label of Confidentiality High, as its public exposure would present a significant security risk. This information could be used to plan an attack on the military bases detailed in the data set.
Next, we must look at the data’s “Uniqueness of Information” (FGDC) and Integrity (FIPS 199). The source of this data is limited to approved government agencies and would not be available outside of these audiences. For this reason, loss of Integrity would be labeled moderate as access to this data is limited; however, it could be replaceable with remapping efforts.
Finally, we must look at the “Net benefit of disseminating data” (FGDC) and Availability (FIPS 199). This data set would not be disseminated broadly and would be limited to approved government audiences only. Given the concerns with confidentiality there is not a use case for wider distribution. There would be concerns should this information become unavailable for the intended audiences. For this reason a label of moderate should be applied.
Matt,
This is an interesting example you have proposed. I think you have established clearly by applying the FIPS 199 security categories that one of the safeguards should be implemented (SC = ((confidentiality, High), (integrity, Moderate), (availability, Moderate))). I would argue that the more appropriate safeguard to use in this instance would be to restrict the data. You correctly mention that the risk of confidentiality would be high as military base locations could be used to plan a possible attack. Restricting the data and only allowing individuals approved to know the locations of these places would be the best course of action. It would be too risky to release this highly sensitive data even if the data is changed, because the risk of not altering it enough is present. It is better to just completely restrict this specific data due to the high risk of loss of confidentiality.
FGDC explains that although geospatial data is public and visible information, it can pose risks. This data type, which might contain sensitive information and security risks, must first go through an analysis about its value in the organization. Then, whether the information can create security risk, its uniqueness and the benefit it gives depending on the risk of this information should be evaluated.
In this assessment process, we need to take a look at FIPS PUB 199 on standards for classifying risks. First of all, as we said, this evaluation should be started with the organization’s interaction with geospatial data specifically. If this data is used and published by the organization, it should be decided which threats are generated and how they are classified.
For example, when this data is published on news, it may attract the attention of the readers, but if you locate objects or people whose confidentiality must be protected at the same time, you will make a mistake in sharing sensitive information and this creates a threat. It should be noted that this type of data is used for capturing, storing and analysis while performing risk assessment.
FIPS is a great resource to classify the risks based on FGDC process steps. FIPS used three levels of risk such as low, moderate and high to categorize risk based on the information’s confidentiality, integrity and availability. For example if we would mean to decide on its confidentiality, we could apply risk level based on whether data targets specific location/object or if it’s unique and sensitive. Also, if any data shared or published creates public safety concerns it should be probably considered as moderate.
There are many ways to apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations described in the FGDC is needed.
Using geospatial data as an example, we can determine the potential impact for each security objective (Confidentiality, Integrity, Availability).
For example:
Confidentiality – What if this information was made available to the public?
Integrity – If the geospatial data has been tampered with, what are the potential consequences?
Availability – What is the impact of not having access to this information and potentially losing it altogether?
An organization can assign Low, Medium, or High values for each security objective to help them to determine whether or not a security risk mitigation is needed.
For example, an organization may determine that the potential impact of loss of confidentiality would be low, since the geospatial data is intended to be publicly available anyway. In this case, no security risk mitigations are needed (although an organization may decide to have security risk mitigations anyway if they so choose).
However, let’s say that the geospatial data is important enough that the potential loss of Integrity would be considered high. In this case, an organization should implement safeguards described in the FGDC guidelines to mitigate this risk (ex. safeguarding the information or restricting who can modify the data).
Each organization will have to make their own decisions in terms of the risk level relating to the security objectives (CIA) to determine the security categorization for their information.
Your very last sentence is a good point, I think sometimes we forget each organization is different and security categorizations can have different impacts potentially. What may be a high risk level for one company, could very well be moderate/low for another.
The FIPS security categorization formula can help organizations identify the risks that can have a negative impact on them from a confidentiality, integrity, and availability perspective. It really depends on the data that is being analyzed to determine the nature of risks that are most prevalent to an organization. If risk is significant, the article notes that safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination. For example, we could ask ourselves, “Does any of the data/information on public wordpress website that I developed contain any sensitive information about myself (i.e. address, phone number, etc.)? If we answer that question with, “No.” then we can apply the following formula:
SC Sensitive Data (WordPress website) = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
Hello Bryan,
I do agree that “formula can help organizations identify the risks that can have a negative impact on them from a confidentiality, integrity, and availability perspective”. As the organization need to identify the type of the data, they hold so they can appropriately apply the safeguards to protect them. I would also recommend for the organization to know the IT infrastructure as well to identify what types of vulnerabilities the systems have that will store those data so they can remediate those vulnerabilities before storing the sensitive data.
The FIPS security categorization formula can help organizations identify the risks that can have a negative impact on them from a confidentiality, integrity, and availability perspective. It really depends on the data that is being analyzed to determine the nature of risks that are most prevalent to an organization. If risk is significant, the article notes that safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination. For example, we could ask ourselves, “Does any of the data/information on public wordpress website that I developed contain any sensitive information about myself (i.e. address, phone number, etc.)? If we answer that question with, “No.” then we can note confidentiality as low. We could also ask ourselves, “Can the data/contents on the website be easily replaced? If we answer that question with, “Yes.” then we can note integrity as low. Finally, we should ask ourselves “Would it be a disaster if the website was down?” If we answer that question with, “No.” then we could mark availability as low. The fromula would be as follows:
SC Public Website Data = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}
Geospatial data is defined as “time-based data that is related to a specific location on the Earth surface that can provide insights into relationships between variables and reveal patterns and trends”.
The FIPS 199 security categorizations approach to data could be readily applied to determine the necessity of FGDC guidelines safeguards based on the potential risk impact derived from such data. Implementing the existing Security categorization formula will determine the risk impact inherent in such data to individuals and organizations from a confidentiality, Integrity, and availability perspective.
A proper and in-depth analysis of such data would firstly establish the data categorization which is then evaluated in line with existing FGDC guidelines to answer questions on severity and criticality synonymous to impact analysis. The impact approach allows accurate decision making on the necessity of security risk mitigations.
NIST has a series of guideline documents. One of which is Federal Information Processing Standard; also known as FIPS. It is essentially all about risk assessment and risk management. Federal agencies are responsible for conducting these assessments due to the FISMA Act of 2002. FIPS 199 defines the security categories for information and information systems. Those categories are based on the CIA triad, which are the security objectives; confidentiality, integrity and availability.
FIPS 199 makes it a requirement that the severity of the level of impact is assessed. The levels of impact range from low, moderate, and high. Moreover, FIPS determines the classification of a system.
Hi Joshua,
I think you did a great job breaking down the details of the FIPS 199 security details. After assessing the situation into one of the three categories being confidentiality, integrity, and availability, along with determining the level of impact the situation could have, these decisions are what I ultimately believe determine whether or not a safeguard is needed.
The FIPS formula can help categorize the security objectives which are defined as the following:
Confidentiality: Unauthorized disclosure of information
Integrity: Unauthorized modification or destruction of information
Availability: Disruption of access to or use of information or an information system.
Assuming that our organization is the origin point for data; we would then start determining if it is necessary to apply safeguards via section II. Using geospatial data towards military stationed control systems we can initiate section II of the FGDC guidelines. If data is useful for planning or executing an attack then confidentiality would be classified as HIGH for the system according to the FIPS 199 categorization as it would risk disrupting military operation. Depending on the type of control system being utilized if exfiltration of data is classified as secret or higher the severity could increase based on the impact. If the availability of the system was compromised from the an enemy adversary resulting in system degradation and cease of operations the impact could result in HIGH. However; it should be noted that different CIA levels can be categorized for the system which could result in SC = Confidentiality (HIGH) Integrity (HIGH) Availability (Moderate). After the risks are categorized; necessary safeguards can be identified thereafter in section III.
I think that you make a convincing argument, Michael. The gradations of severity are acknowledged well; the severity of the impact on confidentiality, integrity, and availability as a whole for military stationed control systems are not entirely linear overall as always high impact, as some things may vary between the type of control systems in place. Some available data may not be made available intentionally, but might not have much impact as it may not be useful enough to create an attack vector. The data could be information that is slightly relevant for an attacker’s purposes, but not so clear and informative that it enables them to be able to utilize it as a definitive target.
I would apply the FIPS 199 security categorizations by answering the following questions:
For confidentiality: Could there be negative repercussions if this information fell into the hands of the public or an unauthorized person? If so, how negative could the repercussions be? If they could be very high, risk mitigation safeguards would be needed.
For integrity: Is this information 1 of 1, or are there other places it could be found? What would the consequences be if the information was altered? What could happen if this information was classified and got into hands of the general public and they knew it was true? If the information is 1 of 1 and supposed to be classified, and/or is at risk of being altered, then risk mitigation safeguards are surely needed.
For availability: Does this information/content need to be able to be accessed at any given time? Are there negative repercussions if the required individuals can’t access this information on-demand? How negative could the consequences be? If the consequences could be large, risk mitigation safeguard are definitely needed.
I think your point analysis is a very clear way of analysis. I think your point analysis is a very clear way of analysis. For confidentiality, we need to make sure that the information is not disclosed to ensure the privacy and security of the information. Regarding integrity, I think that the need for risk mitigation protection measures is a very correct idea, because if they are not protected, they will cause risks. People can modify policies and procedures to cause information destruction. In terms of availability, if it is unavailable, the required personnel cannot access this information as needed, and the information is useless.
I support your analysis, Michael. It is important to also consider the nature of geospatial data in terms of context. Context (ie public GPS coordinates to a supermarket versus mission critical law enforcement data) can lower or increase the impact of each security objective.
The FIPS 199 security classification is used to determine each information security risk mitigation measure described in the FGDC guidelines. The FIPS 199 security classification standard is an integral part of the risk assessment. FIPS 199 requires federal agencies to evaluate their information systems in each category of confidentiality, integrity, and availability, rating each system as low, medium, or high impact for each category. The most severe rating in any category becomes the overall security category of the information system. First of all, we need to make sure that the information is not disclosed to ensure the privacy and security of the information. Second, minimize the probability of tampering with geospatial data. Finally, we need to consider whether we might lose it completely when we cannot access this information. When the data meets the most severe rating and becomes the highest risk factor in the information system, it depends on the type of control system used, and the severity may increase according to the impact. This can greatly reduce the difficulty of defense and maintenance when encountering risks.
If FGDC guidelines determine that safeguarding is necessary for an entity storing geospatial data, it is critical to dissect the FIPS 199 security categorization calculation in context:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Take the example that a law enforcement agency such as the FBI is storing extremely sensitive geospatial data relating to the location of undercover agents. The FGDC guidelines determined safeguards and restrictions were necessary by concluding that this information is unique, given permission to restrict by the data owner, and cannot be changed in order to serve the public. Based on the nature of the information, there is a high potential impact of confidentiality (i.e. the names and locations of undercover individuals), a moderate potential impact of integrity (i.e. the risk of a hacker modifying/destroying locations or names) and a high potential impact of availability (i.e. the loss of data, causing the FBI to be unable to give support to these individuals, if needed, in a timely manner). Due to the nature of this data, I would upgrade the potential impact of integrity to ‘high’ however, since this information is highly mission critical to the assets, operations, and individuals involved. This analysis leads to the following equation:
SC FBI undercover agent geolocation = {(confidentiality, high), (integrity, high), (availability, high)}
If FDGC guidelines determined no safeguards were necessary, the FIPS categorization calculation would have been at a much lower level—depicting how the two frameworks parallel.
I agree that it is critical to assess the impacts of confidentiality, integrity, and availability on geospatial data especially. In your example of the undercover FBI agents and their respective geospatial data, that would have much more severe of an impact than a family sharing their locations on Find My Friends or the GPS coordinates of a public entity like a supermarket. I also like how your response emphasizes the parallel between the FDGC guidelines and the FIPS categorization calculation.
Within the FIPS 199 security categorizations, it describes how to assign a severity to a breach of one of the three security objectives.
If the severity level is moderate or high, a company would want to decide how to mitigate the risk. Part of these mitigation techniques could include applying the FGDC guidelines.
Before applying the guidelines, first assess if the data originated within the organization. If it did, a company can proceed with documenting its decision process on whether safeguarding is necessary.
If the data can significantly compromise an individual or be used in an attack, it may need to be safeguarded. Concerning data is typically very specific or time-sensitive, such as shift changes.
Next, it needs to be determined if the data is unique. For example, it cannot be publicly available or open-source. There is no point in protecting publicly available data, since your protection of the data would do very little to reduce the risk to an individual.
Finally, the next question you need to ask prior to determining if safeguarding is necessary is to weigh if the security costs outweigh the societal benefits of active dissemination of the data. For example, does the data increase the likelihood of an attack, or a decrease in the probability of a successful attack? While determining the answer, consider both business and personal productivity from continued use of the geospatial data. If it’s determined that the security costs do not outweigh the societal benefits, proceed with implementing safeguards.
How you would apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
FIPS 199 explains to us how to categorize security for the CIA and uses three levels for Potential Impact. Low, Moderate or High
Here is an example of an FIPS Formula
The generalized format for expressing the security category of an information system is
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
In reading through the FIPS 199 we were given plenty more examples/formulas that displayed how to properly categorize security and potential impact.
In order to see if each of the information security risk mitigations described in the FGDC guidelines is needed I would apply the FIPS 199 “Security Categorization Applied to Information Types” and also “Security Categorization Applied to Information Systems” formats
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact
Geospatial data is any data which is related to geographical location, there is room for plenty potential risks, with that in mind it is crucial to be able to properly categorize the potential impact.
Jason – your final comment left me thinking about what I think is a key assumption in this scenario. That the creator of the data has enough knowledge or understanding of how the data might be used to be able to properly categorize the Geo-spatial data. The mechanics of the classification scheme are clear to me, the knowledge of how the data could potentially be used to threaten security are not – thank goodness I am not being asked to create the guidelines for how a Geo-spatial data-set should be used/treated….
FIPS 199 is used by all federal agencies to categorize their information and information system and provide them appropriate level of information security accordingly to the risk level. This standard has been applied to all of the information that federal government holds excepts the information classified within Executive Order 12958, Executive Order 13292, and Atomic Energy Act of 1954 to protect the information form unauthorized person. All of the federal agencies are required to use this FIPS 199 whenever they are categorization any new or existing information or information system. Security categorization of the information or information system is being determined based on the vulnerability and the threat that would possess and the risk it posses to the organization. The FISMA has also defined Confidentiality, Integrity, and Availability as a security objective within FIPS 199. The FIPS 199 has also identified the Low, Moderate, and High levels to identify the risk of the information and the information systems. FGDC has defined a three factor to identify if the data needs to be safe guarded: Risk to security, Uniqueness of information, and Net benefit of disseminating data.
How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
The FIPS 199 security categorizations establish 3 levels of impact which are low, moderate, or high. Depending on level of impact that a situation is causing, this level is how a company would determine the type of risk mitigation they should perform. Once it is determined which situation is defined with the highest severity, that becomes the main priority of the information system. FIPS levels are also based on the 3 objectives: confidentiality, integrity, and availability. For confidentiality, deciding how negative the effects of a data breach would have on the company can be determined. For integrity, we can determine how impactful it would be if this data is at risk of being changed or falsified. For availability, we can decide how impactful the situation could be negatively if the information was unable to be accessed at a given time. For all three of these categories, if the situation is deemed a high enough level of severity, then I believe that a safeguard should be issued.
How you would apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
FIPS 199 is a scheme for categorizing data on 3 dimensions – CIA (Confidentiality/Integrity/Availability) with a scale of low/med/high on each dimension.
I would follow the decision making flow inside the FGDC guidelines to determine if I needed to take action or not. E.g. – am I the data originator or not? Assuming I am the originator, then I would apply the criteria from FIPS 199 to categorize the data and it’s usefulness in undermining security.
Applying the levels of CIA (Confidentiality/Integrity/Availability) and the risk levels of low/med/high will give me a ranking. I would use a pessimistic scale and the highest level assigned will be the watermark that is applied across the entire data set.
This approach and simple tooling will allow me to define a data classification that will allow me to assign and justify rules for how the data set should be treated by all who consume it. Anything that was Medium or High on CIA would warrant some level of incremental protection as suggested in the FGDC guidelines.
FIPS 199 is the U.S. federal government standard that identifies security categories for information systems used by the federal government as an integral part of risk assessment.
FIPS 199 establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur. The potential impacts could jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization. FIPS 199 establishes three potential levels of impact (low, moderate, and high) relevant to securing Federal information and information systems for each of the three stated security objectives
How you would apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Following categorizes the security risk mitigations to three areas which are low, moderate, and high followed by the security objective regarding the CIA triad which is confidentiality, integrity, and Accessibility. FDGC goes through a flow whether or not if any visible pubic data can pose a risk to and if so it needs to be safeguarded.. The applications of FIPS 199 would have to correlate with the security objective and or standards. Given the flow is made public then the confidentiality would be moderate to high depending on the type of data. As for integrity it would be also moderate to high given that the information could be changed. Lastly for accessibility it would be low to moderate given that the data can be restricted according to FDGC.
How would you apply the FIPS 199 security categorization to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
The FIPS 199 security categorization improves and identifies the risks that can have an impact on the organization from the CIA triad- confidentiality, integrity, and availability.
Confidentiality- a loss of confidentiality is unauthorized disclosure information
Integrity- a loss of integrity is unauthorized modification or destruction or information
Availability- A loss of availability is the disruption of access to or use of information or an information system
For example, FIPS 199 defines a potential impact that can be rated low, moderate, or high. A low impact can result in a minor financial impact or minor harm to individuals. A moderate rating can result in damage to an organization’s assets. A high impact can refer to a server or loss adverse effect that can be a loss of confidentiality, integrity, or availability.
Reference:
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf
Establishing the security category of an information system demands slightly more analysis and must consider the security categories of all information types of residents on the information system. For an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (high water mark) from among those security categories that have been determined for each type of information resident on the information system. Information security has been defined as information security as that which “protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities” (ISO/IEC 17799, 2000). Since information is an asset, particularly in a national security and military environment, it must be protected. “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post, or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected” (ISO/IEC 17799, 2000).
There are several ways to determine the FIPS 199 security categorizations to apply if each of the information security risk mitigations described in the FGDC is useful. Making Use of geospatial data as an example, we can find out the potential impact for each security objective such as Confidentiality, Integrity, Availability.
With regards to Confidentiality What would be the resultant repercussions should an information was being leaked out to the public domain?
Furthermore, integrity – If the geospatial data has been tinkered with, what are the potential effects?
Availability – What is the impact of not having access to this information and potentially losing it altogether? Based on the above clarification, an organization can categorize security risk as being Low, Medium, or High values for each security objective to help them to determine whether or not a security risk mitigation is needed.
For instance, an organization may determine that the potential impact of loss of confidentiality would be low, since the geospatial data is primarily meant to be in public domain. And this presupposes that no security risk mitigations and assessment are required
Finally, if the geospatial data is vitally important to the extent that the potential loss of Integrity would be deemed as being high then that organization should put in safeguards being explained in the FGDC guidelines to mitigate this risk thereby safeguarding the information or restricting who can modify the data.