How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Andrew Young says
To determine if the FGDC guidelines should be applied, we can use the FIPS security categorizations (Confidentiality, Integrity, and Availability) in the following ways. After verifying that we are authorized to apply the guidelines, we can focus specifically on “Section II: Does the data need to be safeguarded?”
If we are applying the FIPS chart, we should evaluate the confidentiality of the data, that is to say, does the data contain confidential information about our organization that could allow an attacker to target specific areas or weaknesses?
For Integrity, is the retention and static quality of the data necessary to the continued operation of our organization and to what degree? Assuming this data is modified or altered critically, how would it impact us?
And finally, for availability, how often is the data accessed, as in, were it not accessible tomorrow, how would our organization be impacted, not only on a user basis but an automated server-based standard?
We can use these categories to effectively evaluate the data through the FGDC guidelines and properly evaluate how and which guidelines should be applied. We can determine and weigh the impacts of editing, redacting, restricting or otherwise modifying the data based on an evaluation through the FIPS process and determining its possible impact.
Marc Greenberg says
The FIPS formula can help categorize the security objectives which are defined as the following:
Confidentiality: Unauthorized disclosure of information
Integrity: Unauthorized modification or destruction of information
Availability: Disruption of access to or use of information or an information system.
Geospatial data is defined as “time-based data that is related to a specific location on the Earth surface that can provide insights into relationships between variables and reveal patterns and trends”.
With the assumption that our organization is the origin point of the data, we would determine what safeguards are needed based on the guidelines. We first think of geospatial data being related to military installations and similar government facilities. As we know, attacks can happen in multiple ways and not just at the physical location. In one example in the reading, it described a chemical and where it was located; what if they move the chemical? It also indicates that certain infrastructure is common, and anyone can go there and understand the data.
Basically, you need to understand what has the biggest risk to your organization and even the world depending on what is being done.
Erskine Payton says
Marc,
Users believe they are secure, so there are relaxed guidelines placed on the data; hence the cyber criminals are allowed to do their worst. Tools like the FIPS formula, accompanied by the CIA triad, have helped to put a grip on those once lazy security protocols. It brings accountability to data security, which has not always been the case.
Unnati Singla says
FGDC guidelines provide a standard procedure for determining what information is considered sensitive and could pose a security risk, and for reviewing decisions about safeguarding this sensitive information.
The FIPS 199 categorization provides a simple formula that helps assign the security category value by deciding the impact of a breach on the confidentiality, integrity and availability of the information.
In order to apply FIPS 199 to each categorization of the FGDC guidelines, we will focus on each section.
For Section 1 – Where did the geospatial data originate? Was this data internally generated? Is this information available publicly?
For Section 2 – Does this data need to be safeguarded? We would need to identify if the data can be used for specific targets, and what potential risks are at bay if this information is breached.
For Section 3 – We would look at whether we have the authority or need to change and safeguard this data.
After answering all our questions based on the guideline, we will be able to determine if the potential impact for each security objective (CIA) is low, moderate or high.
Marc Greenberg says
Good synopsis of how the guidelines are put together. I would suggest indicating how the guidelines work with the geospatial data under question. I would suggest an example would help keep it clear.
Unnati Singla says
Thank you Marc! I agree, I could have used an example of data pertaining to say a normal user like me vs data pertaining to a company or even a military organization.
Akiyah says
The FIPS 199 framework is used to gauge how much of an impact (low, moderate, or high) a possible data breach might have based on the confidentiality, integrity, and availability of the information/information system.
To categorize the geospatial information or information system, I would first utilize the FIPS 199 security categorizations as a reference. I would then take each security category and proceed through the FGDC guidelines decision tree for each information/information system to determine whether the data will need to be changed, restricted, and/or safeguarded, along with the knowledge gained in the preceding step and any risk assessments.
Jennifer Garcia says
The Federal Information Processing Standards define 3 security objectives for information systems: confidentiality, integrity, and availability. If there is a potential impact, these three objectives are in danger of loss and can be impacted on three different levels: low, moderate, and high. Once the level of risk has been determined, the controls and guidelines recommended by the Federal Geographic Data Committee (FGDC) are implemented.
A particular example could be if a manufacturing business has a situation where important machinery is stolen. The potential impact from a loss of confidentiality is high, as is the potential impact from a loss of integrity, and there is a moderate potential impact from a loss of availability.
Akiyah says
Jennifer,
You gave an example of important machinery being stolen from a manufacturing business. What would happen if the drones used to gather geospatial data were stolen? If a network connection is formed, they could be used to stealthily recover sensitive data that has already been gathered and to gather more private and protected information. Depending on the information gathered, this could pose a privacy breach and security concern resulting in a high loss of confidentiality.
Akintunde Akinmusire says
I agree with you that the three security objectives can be impacted by the levels of risk (low, moderate, and high). The example you gave is perfect because it explained how the levels of risk can affect the three objectives. With the business’s data being leaked, its confidentiality has been affected. Consumers won’t trust the organization with critical information. Also, the organization won’t be able to provide adequate service to its consumers.
Alyanna Inocentes says
FIPS 199 security categorizations would be applied by matching the appropriate safeguards recommended in the FGDC guidelines. This ensures that the proper security measures are in place to protect geospatial information effectively. Here are things to consider:
• Determine the data’s impact level (low, moderate, or high).
• Refer to FGDC guidelines for recommended safeguards.
• Match the impact level to the appropriate safeguards:
  • Low impact: limited adverse effect. The loss of confidentiality, integrity, or availability could have limited adverse effects on an organization’s operations.
  • Moderate impact: The loss of confidentiality, integrity, or availability is expected to have serious adverse effects on an organization’s operations.
  • High impact: The loss of confidentiality, integrity, or availability is expected to have severe or catastrophic effects on an organization’s operations.
Overall, the security objective of FIPS is to preserve confidentiality, integrity, and availability during potential impacts on an organization or individuals. This is achieved by implementing security risk mitigation safeguards recommended by the FGDC.
Alex Ruiz says
You’d start by analyzing the information/information system and applying the security categorizations described in FIPS 199 to the confidentiality, integrity, and availability of the system and each one’s potential impact to get its security category. Using the security category you’ve reached, you can analyze in more depth whether you believe more safeguards are needed/worthwhile to lower the potential impact for each category of CIA. Following your choice to implement more safeguards, you can follow the decision tree described in the FGDC guidelines to determine further steps to plan for potentially safeguarding the system.
Jennifer Garcia says
Hi Alex,
I like how you explained the application of FIPS 199 in the case of risk mitigations. FGDC guidelines help to determine the category of the impact of the risk and to implement controls after that. The FGDC is a great tool indeed for IT auditors and IT professionals in general. As the class progresses, it would be interesting to explore real-life examples of its implementation. It could be interesting to see how we can implement it with real examples.
Akintunde Akinmusire says
According to FIPS Publication 199, FIPS 199 is the federal government standard that is used by federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency, based on the objective of providing appropriate levels of information security according to a range of risk levels. To decide if each of the information security risk mitigations is needed, I would apply the three levels, which are low, moderate, and high, to the security objectives. If the loss of CIA is expected to have little or no impact on the organization’s operations, assets, or people, the potential impact is low. If the loss of CIA is expected to have a serious effect on operations, assets, or people, the potential impact is high. If the loss of CIA is expected to have a severe impact on an organization, the potential impact is high.
Ashley A. Jones says
As an IT auditor, early in the learning process, here is how I would apply FIPS 199 security categorizations to decide if safeguards described in the FGDC guidelines are needed.
a. According to FIPS 199, the security category is dependent on the information type and the level of impact that a breach of CIA will have on a company. Based on Figure 1 in the FGDC guidelines, the authority for safeguarding lies with the originating organization. How I would apply FIPS 199 to the FGDC guidelines is by understanding the different information types that the originating organization’s data lies within and taking each of these types in order to map out the security category for each (SC, information type = confidentiality impact, integrity impact, availability impact). Then, in the same order of information types mapped out previously, I would go by the Decision Tree Providing Appropriate Access to Geospatial Data in Response to Security Concerns diagram in Figure 1 of the FGDC guidelines. Since the impact on an information type can never be zero, I would focus more on what legalities already exist depending on who the originating organization is and use that as the primary guide for handling the data according to each information type.
Alyanna Inocentes says
Hey Ashley,
I really appreciated seeing your POV as an IT auditor. When you explained how you would apply FIPS 199 to the FGDC guidelines, as someone without any IT auditing experience, you provided me with a clear mental roadmap for implementing these guidelines. Your step-by-step instructions were definitely effective in conveying the process.
Jeffrey Sullivan says
2. How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
I first had to familiarize myself with the boatload of information that this question is asking about. After reading over the FIPS 199 publication, there are three pieces, among many pieces of information, that stood out:
What I gleaned from the FIPS 199 publication is that it establishes security categories for both information and information systems. Those categories are based on the potential impact on an organization if events occurred that jeopardize said information or information systems, etc.
3 security objectives: Confidentiality, Integrity & Availability; then it grades each incident on a scale: Low, Moderate & High.
The generalized format for expressing the security category, SC, of an information type is SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
The NSDI publication also has procedures and criteria that are:
Identifying sensitive information content of geospatial data that poses a risk to security and review decisions about sensitive information content during reassessments of safeguards on geospatial data.
What I gleaned from that publication is that they also categorize their guidelines in a sequence of decisions. The decision of this is based on three factors: Risk to security, Uniqueness of information and Net benefit of disseminating data.
If the data can be safeguarded, then the guidelines offer two options: change the data or restrict the data.
From what I am reading, FIPS 199 categorizes the risk into low, medium, or high; the NSDI organizes the guidelines in terms of risk to security, uniqueness and net benefit of disseminating the data, then safeguarding it. Then, if it can be safeguarded, change the data and/or restrict the data. It then has you follow a decision tree to provide the appropriate access to data in response to security concerns. But if I were to apply the FIPS 199 guidelines onto this, I would use the categorization of FIPS 199 and the objectives and apply it to the organized safeguards that are in place on the NSDI end, but it all ultimately comes with the knowledge of the actual data and risk to ensure business continuity.
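The SC notation quoted in Jeffrey's post, worked through in code as an added example (not from the thread or from the FIPS 199 / FGDC documents themselves): parse an SC expression, combine several information types into a system category using the FIPS 199 high-water mark, and list the objectives whose impact crosses an assumed policy threshold. The information types, their impact values and the MODERATE threshold are constructed assumptions.

```python
"""FIPS 199 security-category notation: parser and high-water-mark aggregation.

Added example; the sample information types below are constructed, and the
threshold used by safeguards_needed() is an assumed organisational policy.
"""
import re

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}  # the only FIPS 199 impact values
OBJECTIVES = ("confidentiality", "integrity", "availability")

SC_RE = re.compile(r"SC\s+(?P<name>[\w \-]+?)\s*=\s*\{(?P<body>.*)\}", re.IGNORECASE)
PAIR_RE = re.compile(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)")


def parse_sc(text):
    """Parse 'SC <info type> = {(confidentiality, LOW), ...}' into (name, impacts).

    Rejects malformed expressions, unknown objectives, missing objectives and
    non-FIPS impact words, so a value like MEDIUM is not silently accepted.
    """
    m = SC_RE.search(text)
    if not m:
        raise ValueError(f"not a FIPS 199 SC expression: {text!r}")
    impacts = {}
    for obj, level in PAIR_RE.findall(m.group("body")):
        obj, level = obj.lower(), level.upper()
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {obj}")
        if level not in LEVELS:
            raise ValueError(f"impact must be LOW, MODERATE or HIGH, got {level}")
        impacts[obj] = level
    missing = [o for o in OBJECTIVES if o not in impacts]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    return m.group("name").strip(), impacts


def high_water_mark(categories):
    """System category per FIPS 199: for each objective, the highest impact
    across every information type the system stores or processes."""
    system = {}
    for _, impacts in categories:
        for obj in OBJECTIVES:
            if LEVELS[impacts[obj]] > LEVELS.get(system.get(obj), 0):
                system[obj] = impacts[obj]
    return system


def safeguards_needed(system, threshold="MODERATE"):
    """Objectives at or above the threshold, i.e. where FGDC-style safeguards
    (change or restrict the data) should be considered. Threshold is assumed."""
    return [o for o in OBJECTIVES if LEVELS[system[o]] >= LEVELS[threshold]]


SAMPLE = [  # constructed sample inputs, not data from the thread
    "SC public basemap = {(confidentiality, LOW), (integrity, MODERATE), (availability, LOW)}",
    "SC facility survey = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}",
]

if __name__ == "__main__":
    system_sc = high_water_mark(parse_sc(s) for s in SAMPLE)
    print("system category:", system_sc)
    print("objectives needing safeguards:", safeguards_needed(system_sc))
```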
Kelly Conger says
To decide if FGDC’s information security risk mitigations are needed, an organization can use FIPS 199 to assess the potential impact on three security objectives: Confidentiality, Integrity, and Availability. Each objective can be rated as Low, Medium, or High.
For instance, if geospatial data is intended for public use, its Confidentiality might be rated ‘Low,’ making additional security measures optional. However, if the Integrity of the data is crucial, a ‘High’ rating would necessitate safeguards like data encryption or restricted modification access, as outlined in FGDC guidelines.
Ultimately, organizations should assess their specific risk levels for each security objective to determine which FGDC safeguards are necessary. This enables tailored risk mitigation, aligning closely with the organization’s unique needs.
Chidi Okafor says
The security categories are used to evaluate the potential impact on an organization if certain events should take place which will jeopardize both information and information systems of the institution. This in turn will affect the ability of the organization to protect its assets. These categories help assess risks in conjunction with vulnerability and threat information. Federal Information Processing System (FIPS) Standards aim to standardize data and processes among federal agencies for efficiency. FGDC standards aim to reduce duplication, cut data collection costs, and promote data sharing. Combining these federal standard frameworks can enhance risk mitigation efforts.
Michael Obiukwu says
To effectively ascertain the necessity of implementing various information security risk mitigations (or “safeguards”) outlined in the FGDC guidelines, a wise approach would involve applying the FIPS 199 security categorizations. By aligning these categorizations with the provided safeguards, a comprehensive assessment of their relevance can be achieved. Emphasizing a professional tone, this framework allows for a disciplined evaluation of the potential risks associated with data confidentiality, integrity, and availability. By diligently considering the potential impact on national security, personal privacy, and public trust, we can effectively determine the level of security controls required. The FIPS 199 security categorizations serve as a reliable compass in making informed decisions regarding the implementation of these safeguards, ensuring a robust protection of information assets and bolstering the overall resilience of our digital landscape.
Ikenna Alajemba says
Well said Michael, the FIPS 199 categorization gives a clear basis for determining the security controls required for selection, at least the baseline security controls requirement.
Michael Obiukwu says
Thank you, Ikenna. FIPS 199 is quite holistic in its framework.
Ikenna Alajemba says
Analyzing the applicability of the Federal Information Processing Standards (FIPS) 199 security categorizations involves rigorous consideration. This process involves examining the efficacy of each proposed information security risk mitigation measure—or “safeguard,” as enumerated by the Federal Geographic Data Committee (FGDC) guidelines. By categorizing potential risks based on their severity (i.e., low, moderate, or high), we can systematically evaluate the necessity and relevance of each safeguard. One must also consider factors such as the sensitivity and importance of the information at risk, as well as the potential impacts of unauthorized access, use, disclosure, disruption, modification, or destruction. Crafting a detailed yet adaptive approach will ensure that we maximize security without imposing unwarranted constraints on information accessibility and usage.
Erskine Payton says
FIPS 199 is a more high-level type of document that gives the standards for how to assess a security risk. The CIA triad (confidentiality, integrity, and availability) is used to assess the potential threat. The FGDC guidelines take it a bit deeper in terms of data security by asking questions throughout the data mining process, constantly addressing security concerns. I would apply the FIPS 199 categorizations to each safeguard by using the decision tree approach. I would apply the CIA triad to scrutinize the data security, asking the questions in the decision tree each time there may be a perceived security concern.
Kelly Conger says
I agree Erskine, FIPS 199 provides a strong foundation for evaluating security risks, while the CIA triad helps prioritize threats and vulnerabilities. The FGDC guidelines complement these with a practical approach for continuous security assessment during data mining. Combining these frameworks ensures comprehensive data security by addressing both high-level standards and specific implementation details.