Zibai Yang says
What are the sources of vulnerability analysis? How to determine the vulnerability?
Kyuande Johnson says
A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed. A source of vulnerability analysis is a Nessus Scan. Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
Anthony Messina says
A vulnerability assessment typically uses various data sources as input. These include prior risk assessments, security requirements, security test results, regulatory requirements (HIPAA, GLBA, etc.), and prior problems. If the system is in the process of being implemented, the vulnerabilities assessment should focus on more specific information such as the planned security features; security and design documentation; and the results of system certification, testing, staging, and evaluation. If the system has been implemented and is operational, the vulnerabilities assessment should include the analysis of the system’s security features, security controls (technical, operational, and environmental), and standard IT operating procedures.
Wenyao Ma says
Among the 17 security areas of FIPS 200, which one do you think is the most important?
Priyanka Ranu says
Hi Wenyao,
While I think all of the 17 security areas of FIPS 200 are important, I would like to highlight the access control security requirement. I think it is very important to assess who has access to your company’s data and how to make sure only authorized users have access. An organization’s access control policy must address all these points. Access should be limited to authorized users, and this control ensures that each staff member has the right level of access. A simple way to put this is: access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to company data. One of the ways this can be confirmed is using authentication and authorization.
Anthony Messina says
I think the most important to focus on is Awareness and Training. The security of an environment is only as strong as its weakest link. In this case, the weakest link is the human factor. Obviously the majority of people in an organization are not going to be infosec wizards, so the only way to ensure they do their due diligence, especially when it comes to phishing emails and other social engineering techniques, is to make sure they are trained and aware.
Priyanka Ranu says
Why is security management the difficult part as opposed to security technology?
Haozhe Lin says
Security management is an important part of enterprise product management and comprehensive system science. The object of security management is the state management and control of all people, objects, and environments in production. Security management is a kind of dynamic management. Security management is mainly organizing the implementation of enterprise security management planning, guidance, inspection, and decision-making. At the same time, it is the fundamental link to ensure that production is in the best safe state. Analysis and Countermeasures of problems in safety management. Compared with the security technology, the current security management problems and difficulties, the idea of security management is not clear. Security management is to organize the implementation of enterprise security management planning, guidance, inspection, and decision-making. At the same time, it is the fundamental link to ensure the products in the best safe state.
Austin Mecca says
Security management is more difficult for a couple of reasons. The first is because it is never ending, compared to tech, where there are times there is nothing to update. Security management continues all the time with regard to patching, detecting threats, and monitoring logs, among other things. The second reason it is harder is because this also includes making sure employees are informed about risks and what they can do to reduce them. As we’ve said, humans are almost always the weakest link, so not only do you have to monitor the systems, but you have to keep employees up to date on policies and standards.
Haozhe Lin says
Given the list of pros and cons regarding whether Security should fall under the IT department, outside the IT department, or a hybrid: in your organizations, where have you seen the Security department located on the org chart, and what experiences have you had with that structural decision?
Xinyi Zheng says
How should the organization select the appropriate security controls to meet requirements?
Mei X Wang says
The organization should first perform security categorization of the information system based on potential impact – low, moderate, high. From there, the baseline can be defined and controls can be selected based on the cost and benefit of using resources to address certain risks.
Anthony Wong says
Once the systems are categorized using the FIPS 199 impact level, the organization can use FIPS 200 to identify the minimum requirements for the system and then use NIST 800-53 to find the security controls needed based on the impact level.
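The categorize-then-select procedure described in the two answers above, as an added example that is not part of the original thread: it applies the FIPS 199 high water mark across a system's information types and reports the overall impact level that picks the FIPS 200 minimum requirements and the SP 800-53 baseline. The system name, information types and their ratings are constructed sample data.

```python
"""FIPS 199 security categorization with FIPS 200 / SP 800-53 baseline selection.

Added example, not from the discussion thread. It implements the FIPS 199
"high water mark": each information type a system handles is rated
LOW / MODERATE / HIGH for confidentiality, integrity and availability (the
confidentiality of public information may be N/A). The system's rating per
objective is the maximum across its information types, floored at LOW, and
the overall impact level, which selects the FIPS 200 minimum requirements
and the SP 800-53 baseline, is the maximum across the three objectives.
The information types and ratings below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
# N/A ranks below LOW and is only permitted for confidentiality of public info.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InfoType:
    """Provisional impact ratings for one information type."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        value = getattr(self, objective).upper()
        if value not in RANK:
            raise ValueError(f"{self.name}: invalid {objective} rating {value!r}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is only allowed for confidentiality")
        return value


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """High water mark per objective; a system rating is never below LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((t.rating(objective) for t in info_types), key=RANK.get)
        category[objective] = "LOW" if highest == "N/A" else highest
    return category


def overall_impact(category: dict[str, str]) -> str:
    """Overall impact level is the highest rating among the three objectives."""
    return max(category.values(), key=RANK.get)


def drivers(info_types: list[InfoType], objective: str) -> list[str]:
    """Information types whose rating set the system's rating for an objective.

    Useful as the justification record when auditors question a rating.
    """
    level = categorize_system(info_types)[objective]
    return sorted(t.name for t in info_types if t.rating(objective) == level)


def security_category(system: str, info_types: list[InfoType]) -> str:
    """FIPS 199 notation plus the baseline that the overall level requires."""
    category = categorize_system(info_types)
    triples = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    level = overall_impact(category)
    return f"SC {system} = {{{triples}}}; overall {level}; SP 800-53 {level.lower()} baseline"


# Constructed sample: a small HR portal handling three information types.
SAMPLE_TYPES = [
    InfoType("public web content", "N/A", "MODERATE", "LOW"),
    InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("shift scheduling", "LOW", "LOW", "MODERATE"),
]

if __name__ == "__main__":
    print(security_category("HR portal", SAMPLE_TYPES))
    for objective in OBJECTIVES:
        print(f"  {objective} driven by: {', '.join(drivers(SAMPLE_TYPES, objective))}")
```

Adding a single information type rated HIGH for one objective raises the whole system to the high baseline, which is exactly the aggregation effect that makes the "who decides the impact level" question later in the thread matter.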
Anthony Wong says
Who within an organization is responsible for ensuring that policies and procedures are adhered to?
Anthony Messina says
What are weakest-link failures?
Kyuande Johnson says
The weakest link in the security chain is the factor responsible for the failure of security systems. For example, the weakest link in an organization when preventing cyber attacks is employees, given that the most common attack is phishing.
Phishing is a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details or other sensitive details, by impersonating a trustworthy entity in a digital communication.
Employees are very susceptible to phishing attempts due to the deception and the false sense of trust. If the proper security awareness training is not applied, companies can suffer from security breaches.
Vanessa Marin says
The weakest link can occur at any point in a business process. Sadly, it is usually tied to human interaction with the process, as humans are the most vulnerable targets. Social engineering attacks are the most common attacks geared towards the human weak link. It’s very interesting that lately there have been grumblings in the IT world that security professionals are placing too much blame on human failure rather than their own systems and technology. Check out the article I reference in the In the News section. 🙂
Ting-Yen Huang says
How does a company use the guidelines of the NIST document to effectively design their information security level?
Junhan Hao says
I think a company can use the NIST framework, first by identifying each employee’s data protection responsibilities and conducting security training for company personnel. The company’s software, hardware, and all the ways to obtain data should be protected and tested. Finally, establish a reasonable and sustainable company operating system. Report any security breaches in a timely manner and update your cybersecurity policy and plan with lessons learned.
Jonathan Castelli says
The next topic we will be covering is cryptography. With the advancement of quantum computers, the encryption used for communicating will be cracked easier and users can read everything in plaintext if they have access to this type of computing power. Do you feel cryptography will be useless? If yes, does that mean the end of confidentiality and privacy when communicating online?
Humbert Amiani says
How can definitions in the system security plan be made to provide a clear distinction between an actual system security plan and compliance with industry standards?
Austin Mecca says
Out of all of the controls listed in FIPS 200, which three carry the most weight in your opinion? They are all important but do any standout above the others?
Cami Chen says
It is difficult for small businesses to follow the many steps and requirements in these documents. How can small businesses protect their information systems and meet the security requirements?
Prince Patel says
Do you think the fraud triangle is complete? Do you think there are other factors that play a role in fraud and abuse other than opportunity, pressure and rationalization?
Krish Damany says
In the Plan-Protect-Response process, which takes the most time?
Wenyao Ma says
The wide majority of time is spent on the protection phase.
Anthony Messina says
I think the planning phase would take the most time. This involves a risk analysis, policy planning, and an understanding of the threat environment. I imagine this is done through many meetings and even more disagreements on where to allocate funds for security devices, tools, and training.
Cami Chen says
Hi, Krish. I also think the planning phase will take the most time in the plan-protect-respond cycle. As textbook chapter two mentions, the organization will never have comprehensive security without an excellent plan. For example, an effective audit planning memo helps the organization implement the work, including a risk metric with different risk categories and risk controls, the time to be spent on the audit period by different positions, and the responsibilities of different people. So, I think that an effective plan will help the organization complete half of the risk controls.
Junhan Hao says
How does management establish an IT security culture within the organization? Is a good IT security culture more important than an IT security plan?
Xinyi Zheng says
Hello Junhan,
I think management can instill a culture which relates to everyone. Build a security community, and let people make connections and support each other across the organization. Besides, the company can also reward and recognize those people that do the right thing for security. And IT security culture is as important as the IT security plan.
Mei X Wang says
How can top-level management ensure that the organization is continuously kept up with as new cyber threats may come into play?
Zibai Yang says
Hi Mei,
I think top management can find out about their safety controls through the report filed by the IT Auditor they hired. They can also learn it from the CIO of the company as well.
Vanessa Marin says
Short answer: research. CISO, CIO, CTO, managers, and everyone involved should be actively aware of their business environments. Keeping up to date with the latest technology trends, patches, hacks/breaches, training with employees. A review of current policies and updating them. Having a pen-tester validate your technology environments is a plus. Periodic testing of policies. Maintaining an accurate log of the technologies and hardware used and where they are located. Maintaining a log of vendors and their security measures. Staying in compliance by having internal audits.
There are many ways to stay afloat with new threats.
Vanessa
Kyuande Johnson says
Given that RMF is the current framework supported by the DoD, what are some major improvements over the previous framework, DIACAP?
Zhen Li says
Which is important: FIPS 199 or FIPS 200?
Kyuande Johnson says
FIPS 200 addresses the specification of minimum security requirements for federal information and information systems. FIPS 199 addresses classification. It divides systems into high, moderate, and low impact systems based on their impact on individuals and organizations.
Zibai Yang says
Hi Zhen,
I think no matter which is more important, both are important, and they are coherent and interdependent documents. FIPS Publication 200 is a mandatory federal standard developed by NIST in response to FISMA. In order to comply with federal standards, the organization first determines the security category of its information system according to FIPS Publication 199.
Xinyi Zheng says
FIPS 200 is a mandatory federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations first determine the security category of their information system in accordance with FIPS 199. So I think both of them are important to an organization’s security.
Heather Ergler says
It seems like the NIST standards and FIPS 200 are very documentation heavy. Does anyone think that the emphasis on documentation is superseding the focus on managing risk?
Vanessa Marin says
NIST and FIPS are federal requirements and essentially best practice guidelines for the private sector. One private company will probably never use all the documentation. However, it is good that it is out there and available. The framework that has been laid out facilitates the approach at managing your risk. I’m a fan of documentation rather than reinventing the wheel. There is a process in place that is well defined and I can pick and choose what is relevant to me. That to me is better than making it up as I go and assuming I’ve dotted my i’s and crossed my t’s. Managing risk is best accomplished in a structured way, in my opinion.
Elias Harake says
My question would be regarding the assignment of low, moderate, or high. Is it common for there to be disagreement between the IT Auditor and the client regarding the ranking, since this seems to me to be more subjective than objective? If so, how should the IT Auditor reach a consensus on an agreeable assignment of risk?
Heather Ergler says
I think the documentation requirements for NIST SP 800-60 Vol. 1 Rev. 1, Guide for Mapping Types of Information and Information Systems, at each stage of the process require justification by the Senior Agency Information Security Officer (SAISO). While the SAISO is responsible for ensuring the documentation is complete, many of the steps in the mapping exercise involve information owners and mission owners (process owners), where justification documentation is part of the process. While auditors have significant sway on risk testing, unless they have an example of where a risk has a different impact rating than the one assigned by the team comprised of the SAISO, mission owners, and information owners, it is unlikely that the auditor’s opinion would shift the categorization. A better method to solve this is to include audit as a reviewer on the information and information systems mapping exercise, so perspectives and questions can be resolved as part of drafting the security plan.
Vanessa Marin says
The list of Security Impact Levels is daunting! Who should have the final say on the decision of what the impact level and controls should be?
Zibai Yang says
Hi Vanessa,
In my opinion, I think it is not a decision that is made by one person. It is a decision that is made through all the data, calculation, and analysis. A team or a group should do all of this, and then they will come up with the best result or with a couple of alternatives for their supervisor to decide on after careful discussion. I think it is not a one-time, one-person decision. It also requires consistent updates as well.