Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.005 ■ Spring 2021 ■ Wade Mackey
NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories

January 23, 2020 by Wade Mackey 21 Comments

Filed Under: 03 - Planning and Policy

Comments

  1. Akshay Shendarkar says

    January 24, 2020 at 3:19 pm

    This document provides the importance of correct categorization of information assets for federal agencies as well as provides a methodology to information system owners and managers for establishing accurate security categorization for their information assets. An incorrect analysis of security categorization may lead to organizations either over protecting the information system thus wasting valuable security resources, or under protecting the information system and placing important operations and assets at risk. Security categories are highly influenced by the mission and critical business areas of an organization. Security categorization of IT assets is the first step of an effective risk management program and plays a very valuable role in System Development Lifecycle as well as in the certification and accreditation process to meet regulatory requirements. Senior leadership oversight in the security categorization process is essential so that the next steps in the NIST Risk Management Framework can be carried out in an effective and consistent manner.

    • Junjie Han says

      January 28, 2020 at 11:41 pm

      Hi, Akshay Shendarkar
      You showed the importance of content. For information system security, accuracy of control is a must. Effective and accurate asset classification is very useful to help risk assessors accurately locate the need for control hierarchy.

    • Innocent says

      April 28, 2020 at 9:28 am

      Hi Akshay,

      Thanks for stating the need for Federal agencies to appropriately categorize information assets. We should always remember that inaccurate analysis or improper security categorization may impact the organization in many ways – like wrong risk analysis, inability to identify vulnerabilities, poor configuration of security defense systems, and/or inability to meet the requirements of external agencies. According to the NIST 800-60 V1 R1 document, unauthorized modification of elements of the information type can reduce public confidence in an agency, initiate or create confusion by promoting incorrect procedure or policy. It can also influence personnel decisions on implementation of policies that may affect operations of many businesses.

  2. Numneung Koedkietpong says

    January 24, 2020 at 8:18 pm

One key point which I took from the NIST 800 60 V1R1 (Guide for Mapping Types of Information and Information Systems to Security Categories) is that the risk management framework is related to security categories. It comprises 6 steps: Categorize information system, Select security controls, Implement security controls, Assess security controls, Authorize information systems, and Monitor security state. Also, considering the risk impact assessment to be low, medium, or high among CIA is important for system security categories.

    • Zeynep Sahin says

      January 27, 2020 at 2:59 am

Numneung, yes, this standard points out the importance of determining proper security categorization of information systems to conduct effective risk assessment because it is the first step of creating an SSP, and the next steps are done according to the results of security categorization. The goal is to put proper controls in place, and the success of controls highly depends on the result of the security categorization process.

  3. Zeynep Sahin says

    January 24, 2020 at 10:57 pm

The key point that I took from this document is the importance of determining proper security categorization of information systems to conduct an effective risk management process and apply appropriate controls according to the result of the risk assessment process. To do so, this document explains the role of security categorization in the NIST risk management framework and its role in the certification and accreditation process. Every organization should put a formal process in place to determine system level security categorizations as a first step to meet information security requirements and establish a robust security program.

    • Imran Jordan Kharabsheh says

      January 28, 2020 at 4:14 am

      Hello,
      Reading through your thoughts on the NIST 800-60 publication, I see that you understand the significance of both the risk assessment and the risk management process to the completion and coverage of an organization’s information security program. I also appreciate how you brought up the relevance that these processes play in the certification and accreditation of the organization’s information security program.

  4. Percy Jacob Rwandarugali says

    January 26, 2020 at 12:49 pm

In this reading, I learned that Federal information systems are categorized based on the information the system processes, stores or transmits. This information is classified based on the impact level (low, moderate or high) assigned to the security objectives: confidentiality, integrity and availability (CIA).
It’s important to note that the highest impact level (low, moderate or high) among the CIA objectives becomes the overall classification of the system (the high water mark). The two publications for categorization of information systems are FIPS 199 and NIST SP 800-60.

  5. Christopher James Lukens says

    January 26, 2020 at 1:51 pm

A key takeaway from NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories was the methodology for assigning security impact levels and security categorizations for all the systems. The process starts with identifying all information systems. Next you identify all the information types the system processes. The second step is to select provisional impact levels. Third, you review the levels and, if needed, return to step 2 until you finalize the information impact levels. Last, you assign a system security category. The process ends with this security categorization and a selection of controls from SP 800-53. This process helped put in perspective how the processes in FIPS 199 are used and then flow into using SP 800-53 based upon the categorization results.

    • Natalie Dorely says

      January 26, 2020 at 9:59 pm

      Hi Chris!

I’m glad you mentioned the methodology for assigning security impact levels and security categorizations for all the systems. It definitely makes it clearer as to why it's managed and applied the way it is!

      Best,
      Natalie Dorely

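Percy's and Christopher's comments above describe the mechanics of the process: a provisional impact level per information type for each of confidentiality, integrity and availability, a review step that may adjust those levels, and a system-level category formed by taking the high water mark per objective. The following Python is an added illustration written for this page; it is not part of the original discussion and not code from NIST or FIPS. The information types, their impact levels and the `adjustments` parameter are constructed assumptions used only to exercise the calculation.

```python
"""Worked FIPS 199 / NIST SP 800-60 style security categorization (added example)."""
from dataclasses import dataclass

# Impact levels ordered for high-water-mark comparison. FIPS 199 permits
# "N/A" only for the confidentiality of an information type (public data);
# it can never be a system-level value, which is why it ranks below LOW here.
LEVELS = ["N/A", "LOW", "MODERATE", "HIGH"]
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityCategory:
    """Impact level per security objective for one information type or system."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in ("confidentiality", "integrity", "availability"):
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"unknown impact level {level!r} for {objective}")
        # "N/A" is only allowed for the confidentiality objective.
        if "N/A" in (self.integrity, self.availability):
            raise ValueError("N/A is only permitted for the confidentiality objective")

    def as_fips199(self, name):
        """Render in the FIPS 199 notation SC name = {(objective, impact), ...}."""
        return (f"SC {name} = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), (availability, {self.availability})}}")


def high_water_mark(levels):
    """Return the highest impact level among the given levels."""
    return max(levels, key=RANK.__getitem__)


def categorize_system(info_types, adjustments=None):
    """Steps 2 to 4 of the SP 800-60 process for one system.

    info_types:  {information type name: provisional SecurityCategory} (step 2)
    adjustments: {information type name: reviewed SecurityCategory} that
                 override the provisional level after review (step 3); this
                 dict shape is an assumption of the example, not SP 800-60's.
    Returns the system-level SecurityCategory (step 4).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    final = dict(info_types)
    final.update(adjustments or {})
    # Step 4: high water mark per objective across all information types.
    c = high_water_mark(sc.confidentiality for sc in final.values())
    i = high_water_mark(sc.integrity for sc in final.values())
    a = high_water_mark(sc.availability for sc in final.values())
    # FIPS 199: "not applicable" cannot be assigned at the system level;
    # the minimum system-level value for any objective is LOW.
    if c == "N/A":
        c = "LOW"
    return SecurityCategory(c, i, a)


def overall_impact(system_sc):
    """Overall system impact: high water mark across the three objectives."""
    return high_water_mark([system_sc.confidentiality,
                            system_sc.integrity,
                            system_sc.availability])


# Constructed sample input: two information types on one hypothetical system.
SAMPLE_INFO_TYPES = {
    "Personnel records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "Public web content": SecurityCategory("N/A", "MODERATE", "LOW"),
}
# Constructed step-3 review: availability of personnel records raised to MODERATE.
SAMPLE_ADJUSTMENTS = {
    "Personnel records": SecurityCategory("MODERATE", "MODERATE", "MODERATE"),
}

if __name__ == "__main__":
    provisional = categorize_system(SAMPLE_INFO_TYPES)
    print("provisional:", provisional.as_fips199("hypothetical HR system"))
    final = categorize_system(SAMPLE_INFO_TYPES, SAMPLE_ADJUSTMENTS)
    print("final:      ", final.as_fips199("hypothetical HR system"))
    print("overall impact:", overall_impact(final))
```

The two things worth noticing when running it are that the public information type's N/A confidentiality never reaches the system level (it becomes LOW, as FIPS 199 requires), and that a single review adjustment on one information type is enough to move the whole system's availability objective, which is exactly why the review step matters before controls are selected from SP 800-53.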
  6. Imran Jordan Kharabsheh says

    January 26, 2020 at 7:33 pm

After reading through the NIST publication 800-60 titled Guide for Mapping Types of Information and Information Systems to Security Categories, I made sure to spend extra time studying the section on Identifying Mission-based Information Types. The reason for this is because the tables, provided through the Office of Management and Budget’s Business Reference Model, included in this section helped me learn more about the mission areas (categories) and information types (subcategories) that information systems can be categorized into by the system owner, management, operations and security stakeholders.

  7. Natalie Dorely says

    January 26, 2020 at 8:46 pm

    After reading the NIST 800 60, I’ve learned the different categories/factors that go into the categorization of systems which leads to the correlation of impact. It seems as though this is the root of what auditors abide by, and as they should. Following this documentation and taking into consideration each factor helps enable more clarity in areas of vulnerabilities for organizations. The FIPS 199 Security Categorization Criteria shows clearly how each security objective can correlate with the level of impact.

    • Percy Jacob Rwandarugali says

      April 18, 2020 at 10:52 pm

      Hi Natalie,
Being able to correlate each security objective with its impact level is a good point you make here as regards the FIPS 199 document. The impact levels of high, low and medium have to be evaluated against the impact of the system.

  8. Sarah Puffen says

    January 26, 2020 at 10:15 pm

    NIST SP 800-60 V1R1 deals with integrating security to federal information/information systems through the security categorization process using FIPS 199. What I found to be interesting was the role that security categorization plays in the SDLC, since we always emphasize how security and risk management should be part of every phase of the SDLC. Initial security categorizations that occur early in the SDLC aid in identifying system security requirements, which will allow system engineers to effectively integrate security controls while also meeting functional, operational, and other system requirements. By conducting security categorizations early on, we can potentially avoid pitfalls later on in the system life cycle by having these guidelines established.

    • Alexander Reichart-Anderson says

      January 28, 2020 at 2:23 pm

      Hi Sarah, I agree with the fact that security categorization is one of the cornerstones to securing information systems. One of the categorization methods that we learned in the ITACS programs is taking a risk analysis of IS assets. By doing that analysis we learn which systems are most critical and which ones to apply the most attention to. Nice response!

  9. Junjie Han says

    January 26, 2020 at 10:52 pm

The NIST 800 60 V1R1 Guide presents a hierarchy of H/M/L in the CIA by classifying and rating various IT-related factors. This is related to the asset classification that I mainly studied last semester. Only when I know the impact level of assets can I accurately classify the impact level according to the guide. This process is necessary and requires experience. Although this guide gives very detailed classified information, the actual level of security classification still depends on the actual situation to make the final decision. IT auditors need this set of standards to remain independent.

    • Peiran Liu says

      April 1, 2020 at 7:08 pm

      Hi Junjie,

First of all, you need a blank after a dot.
The point you made about the actual level of security classification still depending on the actual situation is very right. The Guide is just the guide. It acts as a reference for us IT Auditors to finish our job.

  10. Alexander Reichart-Anderson says

    January 26, 2020 at 11:51 pm

NIST 800-60 V1R1’s title gives a great introduction and framework to what the standard lays out. It is important to note that 800-60 focuses on many federal and governmental systems. At first this is a “guide for mapping” the “types of information and information systems”, followed by the “security categories” that the guide puts the info and systems into. Personally, I find the types of information and their systems the most fascinating out of the three areas I focused on. The federal government has quite possibly one of the most diverse sets of data in the entire world. From all human record, to natural data, to information that is seemingly useless, all the way to super classified documents, it is very reassuring that the federal government employs the same frameworks (mapping guides) to their data that we’re learning about.

  11. Joseph Nguyen says

    January 27, 2020 at 1:13 am

This NIST 800-60 V1R1 guide shows how to assess and grade an overall information system impact by using several techniques that we have learned in the previous lessons. I found it interesting that the result can help to make better decisions in several areas:
    – Business Impact Analysis (BIA)
    – Capital Planning and Investment Control (CPIC)
    – Enterprise Architecture (EA)
    – System Design
    – Contingency and Disaster Recovery Planning
    – Information Sharing and System Interconnection Agreements.

  12. Peiran Liu says

    January 29, 2020 at 12:39 pm

The key point I took from the publication is the way the guide divides the information types by mission and its relation with volume 2 of the document. Things like defense and national security are obviously the most important ones, while pollution prevention and control can be lower. But to different companies, the ratings can be different as different companies have different goals. With a good evaluation for the right type of information, risks can be defined more specifically, therefore the planning will have a better result.

  13. Innocent says

    March 2, 2020 at 11:55 am

One key idea to remember from the NIST 800 60 V1R1 handbook is that the result of security categorization can and should be used by, or made available to, appropriate agency personnel to support agency activities like the Business Impact Analysis, Capital Planning and Investment Control (CPIC), Enterprise Architecture, and System Design. Example: The security categorization that begins with the security life cycle is a business-enabling activity directly supporting the enterprise architecture and Capital Planning and Investment Control processes for new investments, as well as migration and upgrade decisions.

