Of the three documents that we read, which one do you think is the most important standard in terms of creating an effective security plan?
As all were important in understanding the overall picture, I think the most important was the FIPS 200 “Minimum Security Requirements for Federal Information and Information Systems” because understanding the minimum requirements will help with implementation of controls. The minimum requirements are the baseline or starting point to ensure all major security areas have countermeasures/controls to address applicable risks.
I agree with you Jill. The minimum requirements serve as a foundation that an organization can build upon.
Hi Jill,
I think you made a great point in explaining why FIPS 200 is the most important standard in making an effective security plan. Minimum requirements are crucial in determining controls for applicable risks and when you don’t have these, it will cause a lot of issues in the future.
Out of the seventeen security-related areas identified as minimum security requirements, which one would you like to prioritize and why? (you can explain multiple areas as well)
The area I would prioritize is Access. Access controls are very important in security because, without access controls operating effectively, a system/enterprise can be easily compromised. Many attacks are tied back to access or lack of access controls, whether it be third party access, privileged access, or inappropriate access.
Hi Aayush,
The area I will prioritize is awareness and training, because it is very important to have an organization that is well informed and prepared in case of a breach or attack. When organizations have robust security awareness training, their employees are well prepared: when they see anything unusual, they can report it quickly.
Hi Abayomi,
I also believe that priority should be given to Awareness and Training. Effective security awareness training helps employees understand security risks and identify cyberattacks they may encounter through email and the web.
How does an organization determine the appropriate security category for a given type of information or information system, and what are the potential consequences of misclassification?
An organization would need to perform an assessment to determine the appropriate security category. The information stored in each system/application would need to be classified to determine criticality and then the data/systems would have a ranking of high, moderate, or low. Potential consequences of misclassification would be lack of controls, weak security of low ranked data/systems, and potential vulnerabilities.
What are the three approaches to implement the controls?
The three common implementation classifications are technical, management, and operational.
Technical controls use technology.
Management controls use administrative or management methods.
Operational controls are implemented by people in day-to-day operations.
Great point Frank. You identified the three common implementation classifications, which are technical, management, and operational. Another method of classifying security controls is based on how they are implemented.
A few examples of technical controls include:
* Encryption
* Antivirus software
* Intrusion detection systems (IDSs)
* Least privilege
* Firewalls
Some common examples of management controls are:
* Risk assessments
* Vulnerability assessments
* Penetration tests
Operational controls include the following:
* Awareness and training
* Configuration and change management
* Contingency planning
* Physical and environmental protection
What are the risks when an unauthorized person reviews and approves the system security planning?
Hi Samuel,
When an unauthorized person reviews and approves the system security plan, there are several risks that can arise:
a. The unauthorized person may not have the necessary knowledge or expertise to properly assess the security needs and controls of the system;
b. After approval, it may not meet regulatory or industry standards, putting the organization at risk of non-compliance;
c. It may cause confusion and miscommunication between different departments or stakeholders;
d. An unauthorized person may overlook important security measures or approve weak controls, leaving the system vulnerable to threats.
So it is important to ensure that the right individual, with proper expertise and authority, reviews and approves the system security plan.
Speaking of Minimum Security Requirements for Federal Information and Information Systems, FIPS PUB 200, which security requirement deals with tracking, documenting, and reporting incidents to appropriate organizational officials and/or authorities?
Hi Shepherd,
“Incident Response” deals with “track, document, and report incidents to appropriate organizational officials and/or authorities”. Further, I believe it is very important to establish an “incident response team” who can, in no time, provide support in case any incident hits the organizational information systems. In addition to this, the employees should be made aware of how and when to report an incident.
Referring to the minimum security requirements for federal information and information systems mentioned in FIPS 200, what should the IT department emphasize in order to ensure the effectiveness of the system contingency plan? Password management? Post-disaster response?
Hi menqgi,
When guaranteeing the success of their contingency plan, IT departments should place an emphasis on the deployment of secure configurations and control mechanisms for their systems. According to FIPS 200, secure configurations, access controls, identity and authentication, incident response, and maintenance are among the basic security standards for federal information and information systems. Although password management and post-disaster response are crucial components of a comprehensive contingency plan, they should be seen in the context of securing the system and protecting data.
How would you resolve disagreements between the information owners and the IT Security team with regards to security categorization of the information types?
This is a very interesting question because I think people can have different perspectives on this while answering.
It is the information owner who knows the data in and out. The information owner is the best person who can identify all the information types stored in, processed by, or transmitted by the systems. So it should be the information owner who determines the security categorization. If there is a major disagreement, senior leadership oversight is essential. Further, the “potential impact” associated with the loss of CIA of the information should be taken into final consideration.
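The two posts above (the one on determining the high/moderate/low security category and the one on resolving categorization disputes by looking at the “potential impact” on confidentiality, integrity and availability) describe the FIPS 199 categorization procedure that SP 800-60 builds on, without naming it. The script below is an added example, not code from the thread or from NIST: it applies the FIPS 199 “high water mark” rule, taking the highest impact level per objective across every information type a system handles, and then the highest of the three objectives as the level used to pick a FIPS 200 baseline. The information types and their impact levels are constructed sample data, and the function names are my own.

```python
# Added example: FIPS 199-style security categorization of an information
# system from the information types it stores, processes or transmits.
# All information types, names and impact levels below are constructed.
from dataclasses import dataclass

# Impact levels in increasing order of severity.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its potential impact per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str) -> str:
    # Reject anything outside the three defined levels instead of silently
    # mapping it; an undefined level is exactly the kind of misclassification
    # the discussion warns about.
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {sorted(LEVELS)}")
    return level


def system_category(info_types):
    """High water mark per objective: the system inherits, for each of C, I and A,
    the highest impact of any information type it carries."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(LEVELS[_check(getattr(t, objective))] for t in info_types)
        category[objective] = NAMES[highest]
    return category


def overall_impact(category):
    """The single level used to select a FIPS 200 control baseline:
    the highest of the three objectives."""
    return NAMES[max(LEVELS[v] for v in category.values())]


def format_category(category):
    """Render the category in the FIPS 199 'SC = {...}' notation."""
    return "SC = {" + ", ".join(
        f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES) + "}"


def with_reclassified(info_types, type_name, confidentiality, integrity, availability):
    """Copy of info_types where one type carries different levels. Used to show how
    one under-rated type (an information-owner/IT-security disagreement, say)
    can lower the baseline selected for the whole system."""
    out = [InfoType(t.name, confidentiality, integrity, availability)
           if t.name == type_name else t for t in info_types]
    if not any(t.name == type_name for t in info_types):
        raise KeyError(type_name)
    return out


# Constructed sample inventory for one hypothetical system.
SAMPLE_TYPES = [
    InfoType("public web content", "low", "moderate", "moderate"),
    InfoType("employee PII", "moderate", "moderate", "low"),
    InfoType("incident reports", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    cat = system_category(SAMPLE_TYPES)
    print(format_category(cat), "-> baseline:", overall_impact(cat))
    # The same system with incident reports rated moderate on integrity:
    # the baseline drops from high to moderate, and the integrity controls
    # those reports need would never be selected.
    lowered = with_reclassified(SAMPLE_TYPES, "incident reports", "moderate", "moderate", "moderate")
    print(format_category(system_category(lowered)), "-> baseline:", overall_impact(system_category(lowered)))
```

Running it prints the correct category (integrity HIGH, so a high baseline) and then the category after one information type is under-rated, which is the concrete consequence of misclassification the thread describes: the weaker baseline gets applied to every type on the system, not just the one that was mis-rated.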
What information assets need to be secured?
Hello Pranavi,
All information assets, both external and internal, which include people, customers, technology, facilities and equipment, systems and processes, should be secured. That is why organizations have Enterprise Risk Management, which provides a framework within which organizations can assess and manage risks in their business plan.
Hi Pranavi, I believe organizations should consider all internal and external assets, including but not limited to:
* People – Employees, contractors, vendors, visitors
* Customers – Contact and purchase information
* Technology – IT systems, networks, communications
* Information – Employee PII, business sensitive or proprietary
* Facilities and equipment – Buildings, vehicles, machinery
* Systems – Alarm
* Processes – Supply chain
Why is it important for organizations to have contingency planning?
Any contingency plan’s goal is to enable a company to resume regular operations as soon as feasible after an unexpected catastrophe. The contingency plan identifies essential personnel and assigns specific roles in the context of the recovery, protecting resources and minimizing customer disturbance. Overall responsibility for contingency planning rests with senior leadership, who must also provide resources for the effort to create, test, and maintain the plan.
Among the controls proposed by FIPS 200 Minimum Security Requirements for Federal Information and Information Systems, which three do you think should be prioritized?
Hi Wei,
I would recommend prioritizing Access control, Risk assessment, and Incident response. These three controls are interrelated and complement each other in protecting information and information systems. Organizations can make sure that their crucial data and systems are adequately safeguarded and ready to respond to security incidents quickly and effectively by giving these controls priority.
The question I have for my fellow classmates this week is regarding the 9 publications highlighted from the NIST SP 800-60 reading. In the reading it lists two FIPS and 7 NIST publications that are “intended to provide a structured, yet flexible framework for selecting, specifying, employing, evaluating, and monitoring the security controls in Federal information systems—and thus, makes a significant contribution toward satisfying the requirements of the Federal Information Security Management Act (FISMA) of 2002. While the publications are mutually reinforcing and have some dependencies, in most cases, they can be effectively used independently of one another”.
With respect to the last sentence, which document(s), if any, would you choose to exclusively use/reference while leaving out the rest?
What are the minimum security requirements for FIPS 200?
According to FIPS 200, the minimum security requirements are seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems. They are (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity.
How do we determine if our framework is good enough to handle the potential risks?
Hi Parmita,
I believe if you are following the outlined documentation verbatim, it would be quite hard to not be “good enough”. Most of the publications hold your hand through the process, giving you checklist items to complete. Now if you were to mock up your own framework, it would depend on what/how you base it off of.
State one (1) problem associated with developing a positive vision of users.