How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Jill Brummer says
I would apply the FIPS 199 security categorizations to decide if each safeguard described in the FGDC guidelines is needed by starting with the FGDC guidelines and using the decision tree to ensure the appropriate action is taken. If the answer to the first question, “did your organization originate these data?”, is No, then it is not the company’s decision to apply safeguards to the data. If the answer is yes, then keep going through the decision tree to determine if the safeguards are authorized and justified by the company. After the determination, I would then go through each safeguard and categorize the potential impact (i.e., low, moderate, or high).
Kenneth Saltisky says
Hi Jill,
I agree that going through the decision tree initially is a good way of ensuring that appropriate action is taken prior to designating categorizations. I would also include that ensuring proper authentication is required prior to designating data as you might not have the proper access or authentication from the data owner to enforce safeguards.
Jill Brummer says
The security objectives that could be put at risk if the alternative safeguards recommended by the FGDC guidelines are applied are availability and integrity.
In the FGDC guidelines, it’s stated that if the security costs of disseminating the data outweigh the societal benefits, this could pose a risk to availability if the cost benefit is justified. The data could then be disseminated because it cost more to secure it, a risk the company would be willing and able to take.
The other security objective that could be put at risk is integrity. According to the FGDC guidelines, if data to be disseminated includes sensitive information, the data can be modified to restrict or change the sensitive data. Any time data is modified, integrity is at risk. Additionally, if the data is changed, best practice is to follow the internal control for change management; however, there is a risk that the company modifying the data doesn’t follow their internal control or doesn’t have an internal control change policy if it is not a mature company.
Nicholas Foster says
Hey Jill,
I came to the same conclusion in that both availability and integrity of the data come into question based on the nature of the data. I believe there are “better” ways to maintain the CIA triad while adhering to the FGDC guidelines. For example, redacting data ensures that sensitive information remains confidential but does at least let the reader know it is purposefully withheld, rather than altogether removing a piece of data or editing it entirely without letting the reader know.
David Vanaman says
The FIPS standard has us look at the risk specifically in the areas of confidentiality, availability, and integrity for a given system and rank it using the standards in the matrix on pg 6 of the document. The FGDC document is primarily concerned with ensuring the confidentiality of geospatial data. The first part of the analysis is determining if the data needs to be safeguarded (kept confidential), with the second looking at how to do that. The analysis of the need to be safeguarded tries to arrive at a similar result as the FIPS classifications: does the data in question have enough value to justify the cost of the protection? Then if so, what level of protection to apply.
Interestingly, the recommendations for safeguarding are to alter the integrity of the data (change the data) or the availability of the data (restrict the data), which goes to highlight the interconnected nature of the CIA triad.
Kenneth Saltisky says
Hey David,
It’s interesting to note that since we are changing the data or availability of the data we are affecting the integrity and availability directly. You would need to be careful when considering categorizations and safeguards so as to not cause more issues than the safeguards would fix.
Christa Giordano says
The FIPS 199 Security Categories apply to both information types and information systems. The document discusses the importance of considering the impact (high, medium, or low) to the security objectives of confidentiality, integrity and availability of the information/information system as well as the associated risk amplifiers when assessing the overall risk. The FGDC document brings the consideration of risk acceptance and the cost benefit analysis involved. When considering risk, all of these factors must be considered and the final decision and rationale should always be documented. The impact to the organization if an event were to occur and the likelihood of the event occurring is part of the equation, as well as the cost associated with the controls required to mitigate the risk. The FGDC document recognizes the critical component of who is the originator of the data and/or the data owner. As the document is primarily focused on safeguarding the confidentiality of this sensitive data, that is a critical factor. As all of these factors are weighed and considered, the underlying questions to consider are what information needs to be kept confidential, how is that to be accomplished (obfuscated/masked, or removed entirely) and at what cost? In addition, this involves editing the data, which could be a change in data integrity and, depending on what data elements are removed, also impacts the availability of certain data. One last consideration is that if the organization is not the data owner or originator, what data sharing agreements are in place and what is the permitted usage of the data. This will also impact the overall decisions made.
Kenneth Saltisky says
Hi Christa,
I like how you included documenting the final decision as a part of the process as well as all the factors to consider when applying safeguards. It’s important to document the process when considering applying safeguards so as to not run into future issues or waste time making considerations when documentations already outline decisions made.
Kenneth Saltisky says
The FGDC guidelines outline a step-by-step guide regarding how to apply safeguards to data. To this extent, applying the security categorizations should be done in a similar nature. The first question asks if your organization owns the data to safeguard. If that is not the case, you should not apply safeguards nor should you apply security categorizations as the data is not yours to designate. Otherwise, you move further in the document and document the process. Understand the type of data that you are safeguarding, if the data is unique, and if the costs outweigh the benefits. Also, understand if you have the permissions to authorize safeguards and designations to the data as well as the necessary authorizations and ability to change the data. Beyond this point, categorization should be based on the confidentiality, integrity, and availability of the data and the importance of these as outlined in the FIPS 199 document. The significance that each has on the data should be utilized in applying more specific safeguards to the data.
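Added here as an illustration of the procedure Jill and Kenneth describe, not code from the FGDC or FIPS 199 documents: a constructed walk through the thread's reading of the decision tree (originator, authority, cost versus benefit) followed by the FIPS 199 per-objective ratings and their high-water mark. The datasets, their impact ratings and the cost/benefit numbers are made up for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Impact(IntEnum):
    LOW, MODERATE, HIGH = 1, 2, 3


@dataclass
class Dataset:
    name: str
    originated_here: bool     # FGDC gate: did our organization originate these data?
    authorized: bool          # do we hold the authority to restrict or change them?
    safeguard_cost: float     # constructed: cost of applying the safeguard
    safeguard_benefit: float  # constructed: harm avoided by applying it
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def fips199_category(d: Dataset) -> tuple:
    """FIPS 199 triple per security objective, plus the high-water mark."""
    triple = {"confidentiality": d.confidentiality,
              "integrity": d.integrity, "availability": d.availability}
    return triple, Impact(max(triple.values()))


def safeguard_decision(d: Dataset) -> str:
    """Thread's reading of the FGDC decision tree, then the FIPS 199 rating."""
    if not d.originated_here:
        return "not our decision: defer to the data originator"
    if not d.authorized:
        return "no authority to safeguard: obtain it first"
    if d.safeguard_cost > d.safeguard_benefit:
        return "disseminate: safeguard cost exceeds its benefit"
    if d.confidentiality == Impact.LOW:
        return "disseminate: confidentiality impact is LOW"
    return f"safeguard at {fips199_category(d)[1].name}"


def safeguard_risk(d: Dataset, kind: str) -> Optional[str]:
    """Flag the side effect David and Kenneth raise: a safeguard that modifies
    data acts on integrity, one that restricts data acts on availability."""
    objective = {"modify": "integrity", "restrict": "availability"}[kind]
    if getattr(d, objective) == Impact.HIGH:
        return f"{kind} touches {objective}, rated HIGH for {d.name}"
    return None


# Constructed sample datasets for the walk-through.
ROADS = Dataset("road centerlines", True, True, 5.0, 1.0, Impact.LOW, Impact.MODERATE, Impact.HIGH)
PLANT = Dataset("plant layout", True, True, 1.0, 8.0, Impact.HIGH, Impact.MODERATE, Impact.LOW)
PARTNER = Dataset("partner parcels", False, True, 1.0, 8.0, Impact.HIGH, Impact.LOW, Impact.LOW)
```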
Shepherd Shenjere says
Hello Kenneth,
I also think it’s key to know whether the organization owns the data or not before making any decisions or implementations. Once you figure that out the rest is easy, because it’s either you are implementing the safeguard or not while assessing the level of impact.
Parmita Patel says
I would first ask the question based on different situations and how it could affect the firm or company in the future. I would start by determining whether the risk is low, moderate or high. Start to break down what has been affected and go on from there. I would also ask if the data comes from within the company or from an outside vendor. It would be best to follow the FGDC guidelines if the data originates from the company. Knowing whether you are able to put safeguards in place is also a key piece of information, furthering into putting low, moderate and high in relation to availability, confidentiality and integrity.
Christa Giordano says
Hi Parmita,
I agree it is critical to understand where the data comes from (internal or an outside vendor), as this can call into question data ownership as well as permitted data usage. Even departments within organizations might have specific rules or guidelines that must be followed for data usage by other areas. In my organization, we have a number of data sharing agreements in place that specify data usage requirements between departments. Examples of considerations in the agreements include: who is allowed to access the data, which could mean the number of people and/or the role of the person, aka is access to this data necessary; level of access; what environments the data can be used in (production, testing, quality assurance, etc.); data retention requirements; and data destruction. Another consideration is how these controls, agreements and restrictions are executed, the length of the agreement and the controls in place to ensure the agreement is adhered to.
Maxwell ODonnell says
Using the FIPS 199 security categorizations to decide whether to apply the safeguards outlined in the FGDC guidelines, one would first need to look at the origin of the information. Data not originating from within your corporation does not fall under the jurisdiction of the company; however, data originating from within the company does need to be analyzed and safeguarded if the sensitivity is high. The FGDC guidelines look at the confidentiality of the data, and the risk/cost analysis associated with upholding the confidentiality, whereas the FIPS 199 guidelines take integrity, confidentiality, and availability into consideration when addressing the risk factors of a given system. When applying safeguards to the data, you must take into consideration the uniqueness and sensitivity of the data; do the costs outweigh the potential consequences of a data breach? Given the different threat levels associated with integrity, availability, and confidentiality, it may be more beneficial to apply specific safeguards that protect your interests.
Samuel Omotosho says
I would personally take this approach – After implementing the offensive approach to geospatial data, the FIPS 199 security categorization can be applied. This type of security is responsible for an information system’s confidentiality, availability, and integrity. All information under analysis can utilize these security measures to mitigate them against any risk. This means that data can be accessed unlawfully, posing a threat to information security (Borky & Bradley, 2018). The confidentiality of a system reduces unauthorized access to information, the integrity of a system reduces irrelevant information, and availability means the reliability of a system that information can be accessed anytime without delay.
Abayomi Aiyedebinu says
Hi Samuel, I agree with you that confidentiality of a system reduces unauthorized access because only those that need or use that information would have access to it and would be able to modify it.
Abayomi Aiyedebinu says
I would apply the FIPS 199 security categorizations to decide if each safeguard described in the FGDC guidelines is needed, firstly by using the CIA triad and a risk control matrix to identify where my organization stands in terms of high, medium or low, and then utilize the steps in the decision tree to formulate a risk impact analysis. If the impact is low there wouldn’t be a need for a safeguard, but if the impact is high there would be a need for a safeguard.