Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).
The information security objectives that could be at risk by implementing the alternative safeguards recommended by FGDC guidelines include all three objectives: confidentiality, integrity, and availability. Availability of geospatial data could be impacted if the public is not granted “timely and reliable access to and use of information” (FIPS 199, 2004). It may take a considerable amount of time and effort to properly redact sensitive information and obtain approval to disseminate it to the public, thus potentially risking timely access to geospatial data. The second security objective of integrity could also be at risk if the redacted documents distort the original geospatial data to the point where the information is ineffective for public use. I would also argue that confidentiality could be at risk if the safeguard is improperly executed by simple human error and inadvertently leaks sensitive information that could expose U.S. critical information to an adversarial entity such as a terrorist organization.
Standards for Security Categorization of Federal Information and Information Systems. (2004). Retrieved 27 August 2021, from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Hey Kelly,
I agree that applying the guidelines recommended by the FGDC could have an impact on all three information security objectives, and really like the examples that you gave detailing that!
I wonder how organizations approach the idea of safeguarding sensitive geospatial data. Assuming that the data is in a database, I guess they could just restrict access to the database (for example using an authorized API endpoint to view/modify data). The data should still be stripped of sensitive information (if someone gains unauthorized access), but I’m curious if there are other ways (I’m sure there are) to safeguard sensitive geospatial data.
Andrew,
You pose an interesting question. The FGDC guidelines really only offer two options: “changing the data” and “restricting the data”. However, would there ever really be a use case for applying both of these safeguards at the same time? I would think that in most cases that would be redundant. If the data is being restricted then there is no reason to change it, and vice versa. I think applying both would be resource and time consuming for a company and they would be best suited with selecting the safeguard that they feel will work most effectively.
This is an easily agreeable viewpoint, Ryan; in all likelihood in practice an organization would only devote a certain amount of resources to accomplish either altering or restricting the data, probably not both as it does seem quite redundant. Redundancy may be useful in ensuring availability, but not in this scenario. It seems like the FGDC decision tree steers the organization in question to try to change the data first, provided authorization is in place, rather than restricting it, potentially because it is likely cheaper to change the data.
Hi Kelly,
I like how you brought up that confidentiality could be a risk factor in addition to availability and integrity. I went with the obvious of how availability and integrity could be at risk, but I overlooked how human error could play into the confidentiality argument. Sensitive data is known to get leaked regardless of the intention and can lead to larger problems as you stated.
The Information Security objectives that could be at risk by implementing the alternative safeguards recommended by the FGDC guidelines include all three objectives, that is, Confidentiality, Integrity and Availability. The FGDC guideline provides security, but the IS objectives are prone to security risk. For example, the Information Security element Availability of geospatial data is impacted if the public is not granted timely and reliable access to and use of information, as per Federal Information Processing Standards Publication Series 199, 2004. It can take a considerable amount of time and effort to properly redact sensitive information and obtain approval to disseminate it to the public, thus potentially risking timely access to geospatial data or information.
The Information Security objective Integrity could be at risk if the original data is reworked to the point where the information is ineffective for public use. That could put the Integrity IS objective at risk.
Also, the third Information Security objective, Confidentiality, could be at risk if the safeguard is not handled properly, because it may break due to susceptible human behavior or human mistakes; in that condition sensitive information can be exposed and leaked to unauthorized persons or third-party malicious users. In this way the information security objectives are put at risk by the mitigation techniques. All information security objectives are put at risk by the FGDC safeguard guidelines, including confidentiality, integrity and availability.
FGDC: “Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns”.
“Standards for Security Categorization of Federal Information and Information Systems”
Hi Mohammed,
I was a little shocked to read you copied my post word for word “a considerable amount of time and effort to properly redact sensitive information and obtain approval to disseminate it to the public, thus potentially risking timely access to geospatial data or information.” Kindly refrain from plagiarizing in future posts as this hurts us both.
Kelly
Hey Kelly, I am shocked as well that we have the same sentence. Believe me when I say that it is a pure coincidence. It would be foolish of me to plagiarize or copy as it would jeopardize my education at Temple University. If I had thoughts of plagiarizing, I wouldn’t have posted right after you. I didn’t even know what you posted until you reached out. All the information posted was derived from the guidelines. Please read NIST.FIP199 pdf, page 6 where all the information is available.
I believe all of them could be put at risk as they are all essential for the information security system. Did the organization make efforts to have a well secured plan for their data? Did they properly train people to avoid misconfiguration of a system that can put them at risk? Do they have a lot of databases that are protected just in case there is physical damage? All these questions are what every organization must ask themselves to lower the risk. For example, confidential breaches happen when people make some errors in misconfiguring either network or systems. This can be put at risk as it gives the hackers easy access to sensitive information that can be used to destroy the system and structure.
Integrity is another objective that can be put at risk if, let’s say, the government discloses information that is only authorized to be seen by certain people and did not put any multi-factor authentication or other things to protect the data; then they are causing a risk in a way that people could go and modify policies and procedures, causing the destruction of information.
Availability could be put at risk if people cannot access information at the same time. For example, organizations have plenty of software they need to analyze, evaluate, and see if it will be beneficial for the operation of their system. If, when they launch their research, no information is made available to them, then it creates a disruption in their access.
Hey Ornella,
I agree that applying the guidelines recommended by the FGDC could have impacts on all three security objectives, and like the examples that you gave detailing this. I would also like to add on that integrity could also be compromised if the data was changed so much to the point that it loses value / becomes unusable, or destroyed completely.
There are two safeguards recommended by the FGDC guidelines that, if applied, can put the information security objectives at risk. The first safeguard would be to change the data. This safeguard puts the security objective of integrity at risk. A loss of integrity is “the unauthorized modification or destruction of information” (FIPS 199). If a company is changing the data that they are presenting to safeguard against information security risk, they need to ensure they are taking the appropriate steps to maintain the integrity of the data. Therefore, before making the determination to apply this safeguard, it needs to be established that the integrity of the data would not be affected by the potential modifications. Also, if the changing of the data is not correctly applied the confidentiality of the data would also be put at risk. Given that the data will still be presented after it is modified, it is crucial that the remaining data that is presented does not have any sensitive information that would expose any PII, proprietary information, or otherwise.
The second safeguard outlined by the FGDC guidelines would be to restrict the data. The security objective that is put at risk when implementing this safeguard would be the availability of data. Individuals are ensured “timely and reliable access to and use of information” (FIPS 199). When applying this safeguard, one must be careful not to be too restrictive of the data that is withheld. If the presented data is not enough for individuals to make use of, then the company has opened themselves to the risk of a loss of availability.
The information security objectives that could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied should embrace the concepts of integrity, confidentiality, and availability in order to ensure effective and efficient protection of assets within the confines of an organization. This is so because a loss of confidentiality, integrity and availability could be expected to have limited adverse repercussions on organizational operations and organizational assets (FIPS 199, 2004). A limited adverse impact means, for instance, that the loss of confidentiality, integrity or availability might result in a degradation in mission capability to an extent and duration that the organization is able to perform its main functions, but the effectiveness of the functions is obviously reduced, and that might result in minor damage to organizational assets and also minor financial loss to the organization (FIPS 199, 2004).
However, if the impact is moderate and high within an organization, it would certainly cause the loss of integrity, confidentiality and availability to have a serious and severe adverse impact on organizational operations and organizational assets. A serious and severe adverse impact means that the loss of confidentiality, integrity and availability might cause a severe or serious degradation or loss of mission capability to an extent and duration that the organization could not perform one or more of its main functions, and also result in severe damage to the organization’s assets and finally result in substantial financial loss to the organization.
FGDC guidelines propose “Changing the data” or “Restricting the data” to help safeguard data sets and reduce risk. This raises concerns with the security objectives of Integrity and Availability. This is interesting to consider from a role based access control and a business value perspective.
Restricting the sensitive data aligns with role based access controls, i.e. accessing just enough information to be effective in your role. That said, this may cause administrative issues at scale when managing user access. This may not align with the availability requirements of the data.
Redacting information can help reduce risk when distributing sensitive data and reduce the administrative overhead with restricting access, i.e., if the sensitive data is removed, it’s less risky to have more users with access. The key here is balancing redaction with value. In other words, making sure there’s enough information remaining to be meaningful and true to the original intent of the data.
I argue that two of the three information security objectives (Integrity and Availability) could be at risk if the alternative safeguards are recommended. The FGDC states in section 3 that two options that are available if the data needs to be safeguarded are changing the data and restricting the data. These respectively go against the objectives of integrity and availability. Changing the data includes, and I quote from the FGDC document, “To remove or modify the sensitive information and then make the changed data available without further safeguards.” This could ultimately result in the data becoming futile as it may serve no purpose to the intended stakeholders, not to mention making adjustments to data reduces its accuracy and reliability which goes against the definition of integrity with respect to the CIA triad.
Similarly, restricting the data includes and I quote from the FGDC document “Establish restrictions, commensurate with the assessed risk, on access to, use of, or redistribution of the data.” If this safeguard is applied the organization is at risk of disrupting the access to or the use of information (FIPS PUB 199). As with changing the data, an organization must not apply too many restrictions, as it too can become futile and serve little to no purpose to the intended stakeholder.
Source: Federal Geographic Data Committee. Homeland Security Working Group. “Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns”. Washington: June 2005, 16 p. Available through Federal Geographic Data Committee website at http://www.fgdc.gov/fgdc/homeland/index.html.
Source: National Institute of Standards and Technology, Standards for Security categorization of Federal information and information systems FIPS PUB 199 (2004). Gaithersburg, MD.
Hey Dhaval,
I agree that Integrity and Availability have the potential to be compromised when applying the guidelines recommended by the FGDC, and like the examples that you gave showing this!
I would also like to add on that there is the potential for Confidentiality to be compromised as well. For example, if an organization decides to implement a role-based access control system to determine who can/cannot access the data and the system is applied incorrectly (for example someone who shouldn’t have access to the data ends up getting access by some human error), this could compromise confidentiality.
I also only had Integrity and Availability as the 2 information security objectives affected initially, but after giving it some more thought I decided that Confidentiality could also be included. This was a tricky one for me.
As FGDC explains, even though geospatial data is mostly appropriate for public release, it might cross the line and require safeguarding once it identifies sensitive information content or creates a safety concern. Again, if an organization interacts with this type of data, it should be evaluated further, where you question whether it risks the security, contains unique – sensitive information or benefits dissemination.
There are two different safeguard options published in the FGDC recommendation. First, it suggests changing the data to remove or modify the sensitive information. For this method, I first question the need for the sensitive data attached to geospatial data. When you also give access to your organization to modify the sensitive data, you create a vulnerability by allowing interaction between sensitive information and human beings. It might cause a confidentiality issue where it’s a threat to personal privacy or proprietary information. Also, working on data, whether you remove or modify the sensitive part, might affect integrity and cause destruction of the information. Last, any modifications that affect the use of the information might be a problem for availability of the assets.
Second, the restriction of the data might be protective for sensitive information where you decrease the confidentiality based on risk and lower the integrity issues but definitely increase availability issues.
If the alternative safeguards recommended by the FGDC guidelines (safeguarding data or changing it) were applied, there is a potential impact to the information security objectives of Confidentiality, Integrity, and Availability (CIA).
When safeguarding data, there is a risk of the following:
Availability will be compromised if the RBAC control system (or any system to determine who should have access to the data being safeguarded) is not implemented correctly, for example granting access to change and modify the data to someone who should not have access, or vice versa (restricting access to an individual who should actually have access to the data). Confidentiality and Integrity could also be compromised because of this, detailed below.
When changing the data, there is a risk of the following:
Inadvertently adding sensitive information to it, compromising confidentiality.
Making changes to the data such that the data becomes inaccurate, compromising integrity.
The reading offers two kinds of safeguards that can be applied. The first relates to changing the data – the article notes, “Change the data to remove or modify the sensitive information and then make the changed data available without further safeguards. Organizations are advised to review the changed data to ensure that the change(s) dealt effectively with the security concern”. I believe this safeguard would have an impact on integrity as it could potentially update who can modify the data. The article notes restricting the data is the second variation of a safeguard, which calls for the establishment of restrictions, commensurate with the assessed risk, on access to, use of, or redistribution of the data. I believe this safeguard would have an impact on the availability objective as it could change who can actually access or view the data.
In thinking about this more, I wonder what qualitative and quantitative metrics could be assigned to measure the restriction of data compared to integrity. At what point does integrity collapse due to redaction? Perhaps a fidelity metric could be assigned to the data, and past a certain point it becomes unusable. A comparable example would be minimum screen resolution requirements for applications.
Hi Matthew,
I agree integrity is at risk if the geospatial data is altered to the point where its applicability for public use is greatly diminished. Your solution of implementing a threshold metric for data fidelity is an excellent suggestion for raster data.
City Crime data is altered slightly before being disseminated to the public but the data is still usable: https://www.phillypolice.com/crime-maps-stats/
Thanks for sharing your thoughts!
Kelly
Matthew – that’s actually a really good point; there does seem to be a correlation between the two. Some other things to consider are who is responsible for establishing these data use thresholds? Who is responsible for updating thresholds as trends fluctuate? These too would have an impact on the integrity and availability of the data.
Kelly – I did not realize that city crime data is slightly modified prior to publication. How are they modifying the data? Honestly, I’m a bit surprised the data is modified due to its relation to public safety. Thanks for sharing!
The FGDC guidelines make mention of safeguarding/restricting data and changing data as alternative safeguards. To address this question adequately would be to rightly say that these mitigations adversely impact the objectives of confidentiality, Integrity, and availability.
In summary, when data is changed, modified, deleted, or distorted from its original form without it being a corrective measure, integrity which is one of the pillars of security is breached. The safeguard recommendation which is the introduction of extraneous measures to restrict content creates unavailability of necessary data when required. Controls always become an issue when they create a disruption instead of process enablement.
When the objectives of availability and particularly integrity are impacted, it is very likely that confidentiality has already been breached because integrity falls when confidentiality fails. Implementation of the alternative safeguards recommended by the FGDC guidelines will adversely impact the objectives of confidentiality, integrity, and availability.
I agree with you Olayinka. I completely agree with you in terms of integrity, as safeguarding alternates negate the true authenticity of data. I never saw availability at risk, but your analysis pointed out some great points to me. The process of information reduction itself can cause service disruption for sure. Great thoughts!
Potentially the entire CIA triad, which is also the set of security objectives, can be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied. The idea of restricting data compromises the ability for 100% availability to the organization’s resources.
Moreover, the integrity of the data has the potential to be compromised due to: “The idea of changing geospatial data includes redaction or removal of sensitive information and/or reducing the sensitivity of information by simplification, classification, aggregation, statistical summarization, or other information reduction methods.”
(Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns)
I believe that all CIA levels could be impacted depending on the safeguards that are identified and implemented. If the geospatial data was identified as HIGH confidentiality, then implementing safeguards to protect confidentiality could affect availability or integrity. The FGDC guideline uses a good example with modifying personnel that belongs to a facility for hazardous material storage. By doing so, the organization implementing the safeguard has protected confidentiality, but now risks integrity as personnel are not identifiable, which could pose risks such as accountability/legality issues. You are also compromising the availability of that data as now the dissemination of information belongs to only certain roles within the organization.
Though, it does depend on what safeguards are utilized that could affect certain CIA levels.
I believe that all 3 information security objectives could be put at risk if the alternate safeguards recommended by the FGDC are implemented.
If data is restricted (one of the two alternate safeguards), I think that both availability and confidentiality could be put at risk. Availability is put at risk because if workplace data is restricted so that it can only be accessed while physically at work, it wouldn’t be available to even some higher level employees after work hours or on the weekends, which could be necessary on occasion. Confidentiality would be affected because when data is restricted, confidentiality usually increases and fewer people are allowed to view the information and there are more boundaries/rules.
If data is changed (the other alternate safeguard), integrity could surely be affected. For example, if statistical numbers or the names of subjects (e.g. people or countries) are incorrectly changed, the integrity of the information is taken away. This could also affect availability because if a certified backup of the original information is not created, the only version of it would be incorrectly altered and may be deleted altogether so as not to spread incorrect information or cause panic.
Hi Michael,
I agree with your opinion that it will affect confidentiality and availability. Changing data and limiting data put the integrity and availability of FIPS 199 at risk. Minimize the probability of geospatial data being tampered with. Changing the data destroys the integrity of the data. At the same time, restricting data causes the staff to be unable to obtain effective information. The security goal at risk when implementing this protection measure is the availability of data, and the inability of the information to be available to the public undermines the availability.
Hello Michael, I also agree with you that all 3 information security objectives will be put at risk if the alternate safeguards recommended are implemented. My position is based on the premise that data availability and integrity will definitely be impacted by what we see here. The truth of the matter is that when integrity is not in place, it is believed that confidentiality has been or will be compromised. Secondly, when integrity is compromised, availability has definitely been impacted because the real data is not available to the authorized owner. The impact creates a domino effect that touches all 3 infosec objectives.
The FGDC guidelines recommend two protection measures, changing data and restricting data. But these two protection measures put the integrity and availability of FIPS 199 at risk. First of all, in FIPS 199, the probability of geospatial data being tampered with is reduced as much as possible. Changing the data destroys the integrity of the data, especially when the security and correctness of the changed data are unknown, it is easy to cause the data to be at risk. Second, restricting data needs to take into account that when this information cannot be accessed and when the staff cannot obtain effective information, the security goal at risk when implementing this protection measure is the availability of data, and the inability of information for public use undermines the availability.
The information security objective I would say is at most risk is integrity. One of the alternates to safeguarding, as listed in the FGDC guidelines, is modification of data into something more publicly accessible. Methods such as simplification, statistical summarization, and other data reduction methods would serve as examples for this. As defined in FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, integrity is, “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”. Although information modification, in this case, is not necessarily ‘improper’, information reduction is still occurring—therefore causing the data to be less authentic and accurate. The heart of integrity as a security objective is preservation of information precision, completely contradicting this information security safeguarding alternate.
Hello Lauren,
That’s a great point; it does impact the integrity aspect of information security. However, I think it equally affects availability as well, as if the data is overly categorized, then data that wouldn’t be sensitive would also be marked as sensitive. That means someone who should have access to that data might not be able to access it, as it would not be available to that person.
Hello Viraj.
Well said, the improper categorization and modification of data as a control measure indicates data tampering, which touches on integrity. If data is not properly categorized, certainly, data subject access will also be erroneously assigned and the supposed authorized user restricted from access. This is indicative of a failure of confidentiality and further buttresses the point that the 3 objectives would be equally at risk and not just integrity, as stated by Lauren.
Availability and integrity could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied.
By implementing confidentiality and other security techniques, by design this makes the information less accessible. Confidentiality and availability typically exert opposite forces on each other. The more secure a system is, the less available it becomes (e.g., implementing least access privilege limits who has access to the data).
By following the guidelines, integrity may also be affected. One of the recommendations is that if your organization has the authority to change the data (such as de-identifying, removing PII, or changing exact ages to an age range), you may proceed to do so and document these changes in the metadata.
Madalyn,
And as they exert opposite forces on each other, the organization will start determining how many safeguards to apply to the availability/integrity of the system before they become counter-intuitive. I believe some organizations struggle with this, specifically the IT department wanting to implement aggressive security measures which can sometimes drastically decrease availability in the effort to protect confidentiality & integrity. However, I’ve also seen the opposite happen, where availability had to be ensured at all cost, which usually results in strict policy to ensure no PII or information that could be deemed confidential makes its way into the system.
Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).
All 3 Information Security Objectives, Confidentiality, Integrity and Availability, could be at risk by implementing the alternative safeguards recommended by FGDC guidelines; however, I would say mainly Integrity and Availability would be affected the most.
The FGDC safeguards will involve changing and restricting the data, which in turn will impact the integrity of the data: “improper information modification” could potentially be taking place, and restricting the data could potentially interrupt the “ensuring timely and reliable access to and use of information” (FIPS). This also has potential to impact Confidentiality, “Preserving authorized restrictions on information access and disclosure” (FIPS).
Jason,
I agree that all three information security objectives could be put at risk. I also like your specific point that changing and/or restricting the data will inherently affect the integrity of the data, especially if the information modification falls under the guidelines of being improper.
-Mike
It is possible for any of the three security objectives of confidentiality, integrity, and availability to be put at risk while implementing the two proposed security safeguards as defined by the FGDC guidelines. The only two solutions the guidelines recommend are changing the data in question as the first solution, or restricting access to it as the next solution. These two risk mitigating measures open a world of possibilities for things to backfire in terms of the CIA triad. For example, changing the data, if not done with thorough planning, could obviously negatively impact the integrity of the data as it is the opposite of ensuring data integrity. If relevant personnel are not aware of such a change, wrong (altered) data could be pushed along throughout an organization instead of the real data, and in that case an improper analysis may be used to support further plans for the organization. Even if eventually realized, this would prove to be a costly mistake.
Alternatively, confidentiality could be put at risk with different levels of severity during a data alteration if the changed data has an overlooked detail that should have been altered, which was then made available. Restricting the data will incur availability issues. Altering availability and incurring restrictions on data could potentially create difficulties for users that should have access as well as for users who should not be able to access such data.
Reading your post made me realize just how impactful ‘altering the data’ could be on downstream processes and decision-making. I think that ‘altering’ the data should be avoided at all costs – I would rather not get access to data than to be fed ‘altered data’!!
According to the FGDC guideline, only data that is sensitive needs to be safeguarded. If the data needs to be safeguarded, then FGDC has defined 2 options: Change the data or Restrict the data. Change the data means modifying the sensitive information and having the data available to everyone without any further safeguards on that data. Restrict the data is defined as restricting the data from any redistribution. The confidentiality information security objective could be put at risk if the safeguards recommended by the FGDC guideline are applied. FGDC also mentions that if the organization doesn’t have the authority to safeguard the data, then the decision maker can decide the level of safeguard the data requires.
Hi Vraj,
Going along with your point, I believe that the information security objectives of integrity and availability are also at risk from these alternative safeguards. Changing the data means that the data will be falsified and lose its integrity. Restricting the data limits the use of information for the user, meaning that the data becomes less available, negatively impacting the availability objective as well.
Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).
If the alternative safeguards that are being recommended by the FGDC are ultimately applied, I believe that the information security objectives of Integrity and Availability are at risk. The FGDC is stating to change or restrict data in the case that the data needs to be safeguarded, and this goes entirely against the objectives of integrity and availability. If the data is to be changed, the integrity of the data is now tarnished because the data will no longer be consistent and honest. Along with this, if the data were to be restricted, this would put the objective of availability at risk. Restricting the data could interrupt the use of the information and changing the data can eventually lead to the data having no purpose or use.
The core objectives of disseminating Govt Geo-spatial information to serve the public interest would be put at risk if the information was deemed too Confidential and therefore the Availability of the data set was impacted through Restricting access (as suggested in FGDC as a safeguard action to protect data deemed too sensitive to share). The other FIPS 199 measure of Integrity of the data would be impacted if the data were masked or changed (as suggested in FGDC as the other mitigating safeguard action to protect data deemed sensitive).
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).
It can risk all three security objectives regarding confidentiality, integrity and accessibility. This is due to the fact that the data can be changed, which can risk the original integrity of the data. Another risk is to confidentiality: given that the data can be made public in FGDC, it really doesn’t make the data private, and the data is accessible. Lastly, accessibility can be changed and safeguarded to restricted in the FGDC guideline.
Which information security objective(s) could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied? Explain how the objective(s) is put at risk by the mitigation(s).
All information security objectives, namely confidentiality, integrity, and availability, could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied.
Confidentiality could be put at risk by a human error exposing an organization’s confidential information.
Confidentiality: a loss of confidentiality is the unauthorized disclosure of information.
Integrity: a loss of integrity is the unauthorized modification or destruction of information.
Availability: a loss of availability is the disruption of access to or use of information or an information system.
Reference:
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf
The organization security policies in the context of requirements for information security and the circumstances in which those requirements must be met, examines common principles of management control, and reviews typical system vulnerabilities, to motivate consideration of the specific sorts of security mechanisms that can be built into computer systems—to complement nontechnical management controls and thus implement policy—and to stress the significance of establishing GSSP. A
Organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements:
• Confidentiality: controlling who gets to read information.
• Integrity: assuring that information and programs are changed only in a specified and authorized manner; and
• Availability: assuring that authorized users have continued access to information and resources.
These three requirements may be emphasized differently in various applications. For a national defense system, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls. The requirements for applications that are connected to external systems will differ from those for applications without such interconnection. Thus, the specific requirements and controls for information security can vary. The framework within which an organization strives to meet its needs for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (e.g., senior management), of information values, protection responsibilities, and organizational commitment. One can implement that policy by taking specific actions guided by management control principles and utilizing specific security standards, procedures, and mechanisms. Conversely, the selection of standards, procedures, and mechanisms should be guided by policy to be most effective