Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.701 ■ Spring 2021 ■ Jose Gomez
NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories

January 27, 2021 by Jose Gomez 35 Comments

Filed Under: 03 - Planning and Policy

Comments

  1. Zibai Yang says

    January 28, 2021 at 10:16 am

    NIST 800 60 is about using relevant technical standards and guidelines. It has realized security categorization, adopted different management work modes for some important information systems of the country, and formed systematic standards and guidance documents.

    It provides hierarchical and structured security control requirements for security control, awareness and training, certification, accreditation, and security assessment, configuration management, continuous planning, incident response, maintenance, media protection, physical and environmental protection, planning, personnel safety, risk assessment, system and service procurement, and system and information integrity. After the information system’s protection level is determined, there is a set of standards and guidelines stipulating how to choose corresponding security measures for it.

  2. Wenyao Ma says

    January 28, 2021 at 9:17 pm

    The key point I get from this document is to determine the importance of correct security classification of information systems, which is conducive to effective risk management, and to apply appropriate control measures according to the results of the risk assessment process. Therefore, this document describes the role of security classification in the NIST risk management framework and in the certification and accreditation process. Each organization should establish a formal process to determine the system-level security classification, which is the first step to meet the information security requirements and establish reliable security procedures.

    • Ting-Yen Huang says

      January 31, 2021 at 9:37 am

      Hi Wenyao, I agree with your point of view. Each organization should determine its own classification of different security levels for different company information. Through classification, they are able to determine what is important to them and what is less important to them.

    • Humbert Amiani says

      January 31, 2021 at 4:48 pm

      Hi Wenyao,
      Good point. I believe it’s important to ensure that adequate security is being enforced for each information type. One of the best ways to ensure that happens is making sure we classify information in the most appropriate categories.

    • Junhan Hao says

      February 2, 2021 at 2:50 am

      Hi Wenyao, I agree with your opinion. Each company should have its own security classification standards. Every company handles a large amount of information in various aspects and requires large-capacity and efficient transmission of this information. Companies should prepare security classification standards so that they can better safeguard the company’s operation.

  3. Priyanka Ranu says

    January 29, 2021 at 8:27 am

    NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories talks about the importance of security categorization and how essential it is to the selection of security controls to ensure confidentiality, integrity, and availability of the system and its information. Security categorization is the first key step and starting point in the risk management framework, and it affects the other steps of selecting security controls, implementing security controls, assessing security controls, authorizing information systems, and monitoring security state. FIPS 199 defines the security categories, objectives, and impact levels to which SP 800-60 maps information types. The security categories are based on the impact level of low, moderate, and high to secure information and information systems for the security objectives confidentiality, integrity, and availability. This document also provides a four-step security categorization process to assign the appropriate security impact levels and security categorizations for information types and systems consistent with the organization’s mission and business functions based on FIPS 199. The process begins with identifying information types, selecting provisional impact levels, reviewing provisional impact levels, adjusting/finalizing information impact levels, and assigning the system security category.

    • Haozhe Lin says

      January 29, 2021 at 11:58 pm

      Hi Ranu,
      I agree with you. Many NGOs and companies use its security classification system because it is a very simple and clear way to determine what is the most important, what components are the most important (CIA triad), and how important it is to the company’s business continuity. Many government audits have to comply with FIPS 200, as well as private companies such as education, media, natural gas/oil/utilities, which have also used it.

  4. Haozhe Lin says

    January 29, 2021 at 11:55 pm

    My concern is FIPS 200. This is one of the best readings. I think it is straightforward and readable. FIPS 200 focuses on the minimum requirements for information and information security. It aims to help develop, implement and protect information systems. FIPS 200 considers that policies and procedures are necessary for effective implementation, but no mention is made of governance. We know that policies and procedures are key components of governance. Although it is explicitly stated that governance will add a layer, I believe its importance relative to FIPS 200 guarantees its inclusion.
    I find that the minimum safety requirements are inclusive and common sense. All 16 requirements relate to PolP, awareness, training, CIA, patch deployment and maintenance, BIA, BCP, security, risk (Management/evaluation), and other key components related to maintaining business security to a certain extent.

  5. Xinyi Zheng says

    January 30, 2021 at 8:00 am

    The NIST 800 60 V1R1 Guide is used to assist in categorizing all information and information systems, and the guideline categorizes information and information systems by a range of levels of impact or consequences resulting from a possible breach.
    One key point I noticed is that the guideline introduces provisional security impact levels for common information types. FIPS 199 establishes three levels of potential impact (low, moderate, and high), and these three levels are also according to the information’s confidentiality, integrity, and availability, which are the three security objectives for information and information systems.

    • Humbert Amiani says

      January 31, 2021 at 4:43 pm

      Hi Xinyi,
      The idea of provisional security impact levels for common information types helps us not to re-invent the wheel in such cases. This publication provides great guidelines to ensure we are not doing redundant work in developing the System Security Plans.

  6. Anthony Wong says

    January 30, 2021 at 3:08 pm

    NIST SP 800-60 was developed to help ensure accurate system categorization for information systems based off the low, moderate, and high impact levels identified in FIPS 199. System categorization is the most important step to ensure the information asset has the minimum requirements and necessary controls to protect confidentiality, integrity, and availability from threats. By having an accurate system categorization, it establishes a solid foundation for the following steps in the NIST Risk Management Framework. This special publication identifies a four-step process to determine the greatest accuracy of impact level assignments. The first step is to identify the information type the system stores or processes, whether it’s confidential, restricted or public. The second step is to temporarily assign the system an impact level based off of the information type. The third step is to review other varying details about the system to adjust the impact level to finalize the categorization, and the final step is to formally assign the security category.

  7. Ting-Yen Huang says

    January 31, 2021 at 9:33 am

    There are three security objectives, which are confidentiality, integrity and availability. Confidentiality is defined as “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” in the FISMA definition. In the FIPS 199 definition, confidentiality is defined as “A loss of confidentiality is the unauthorized disclosure of information.” Integrity in FISMA is defined as “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”. In FIPS 199, it is defined as the unauthorized modification or destruction of information. Availability in FISMA is defined as ensuring timely and reliable access to and use of information. In FIPS 199, it is defined as “A loss of availability is the disruption of access to or use of information or an information system.” There are similarities between the definitions in the different standards, but there are some differences between them.

  8. Jonathan Castelli says

    January 31, 2021 at 1:41 pm

    The NIST 800-60 is very useful because it can help you categorize the information and information systems. In section three, the document shows you can categorize based on confidentiality, integrity, and availability. The impact assessment is then done on the potential of one of these categories being compromised. You can rate these as low, moderate, and high potential impact.

    In section four, you learn the methods which can be used to assign the security impact levels for the information types. The method can be broken down into four parts:
    1. Identify the information types
    2. Select the provisional impact level
    3. Review and adjust the impact level
    4. Assign the system security category

    As a part of all steps, NIST 800-60 mentions the importance of documenting the system category process. In my experience, documenting the events which occurred is often the most important part of the process and most often overlooked. The documentation of the process is very important. It provides the steps which were taken and can be very useful when reviewing the process years later.

    In the end, after using the process outlined in NIST 800-60, the business will have an organized list of systems. The findings can be used in the future when performing system disaster planning, business impact analysis and planning for the future of the company assets.

    • Priyanka Ranu says

      January 31, 2021 at 3:05 pm

      Hi Jonathan,
      NIST 800 60 V1R1 highlights the importance of security categorization of information systems to ensure confidentiality, integrity, and availability. I agree with you that documenting the security categorization process is essential. It is very important to document the research, key decisions and approvals, and supporting rationale driving the security categorization, and these should be included in the information system’s security plan. This document provides an example of the information details that should be collected, which is very helpful. It basically highlights the information system name, identifying information types, system categorization, and overall information system impact.

    • Cami Chen says

      February 2, 2021 at 1:50 pm

      Hi, Jonathan. I agree with you that it is very important to have documentation when the company needs to do audit planning. Usually, the IT auditor can look for some inherent risks that may occur in the previous audit report. Besides, if a person does not provide the document that points out the issue, or the person just requests to fix the computer without any documentation, the computer support specialist cannot fix the issue efficiently and effectively.

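The four-step categorization process described in the comments above, carried through in code as an added example (not code from the page, the course, or NIST). The information types, their provisional levels and the adjustment rationale are constructed sample values, and the per-objective high-water-mark aggregation follows the FIPS 199 rule the thread cites.

```python
"""FIPS 199 / SP 800-60 style security categorization, worked end to end.

Added example, not code from the page, the course, or NIST. Steps modelled:
(1) identify information types, (2) select provisional impact levels,
(3) review/adjust them with a documented rationale, (4) assign the system
security category. Information types and levels below are constructed
sample values, not entries copied from the SP 800-60 Volume II catalogue.
"""
from dataclasses import dataclass, field

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAME = {rank: name for name, rank in LEVELS.items()}


@dataclass
class InfoType:
    """One information type with provisional CIA levels (step 2) and step-3
    adjustments recorded as objective -> (new level, rationale)."""
    name: str
    provisional: dict
    adjustments: dict = field(default_factory=dict)

    def __post_init__(self):
        # Reject unknown objectives and missing/invalid levels up front.
        for table in (self.provisional, self.adjustments):
            for obj in table:
                if obj not in OBJECTIVES:
                    raise ValueError(f"{self.name}: unknown objective {obj!r}")
        for obj in OBJECTIVES:
            if self.provisional.get(obj) not in LEVELS:
                raise ValueError(f"{self.name}: missing/invalid level for {obj}")
        for obj, (level, why) in self.adjustments.items():
            if level not in LEVELS or not why:
                raise ValueError(f"{self.name}: adjustment for {obj} needs a level and rationale")

    def final_levels(self):
        """Provisional levels with the step-3 adjustments applied."""
        levels = dict(self.provisional)
        for obj, (level, _why) in self.adjustments.items():
            levels[obj] = level
        return levels


def system_security_category(info_types):
    """Step 4: per-objective high-water mark across every information type."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    sc = {obj: "low" for obj in OBJECTIVES}
    for it in info_types:
        for obj, level in it.final_levels().items():
            if LEVELS[level] > LEVELS[sc[obj]]:
                sc[obj] = level
    return sc


def overall_impact(sc):
    """Overall system impact: the highest level among the three objectives."""
    return LEVEL_NAME[max(LEVELS[level] for level in sc.values())]


def format_sc(sc):
    """Render in the FIPS 199 notation used in system security plans."""
    parts = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


def categorization_record(system_name, info_types):
    """The documentation the thread stresses: types, rationale and the result."""
    sc = system_security_category(info_types)
    return {
        "system": system_name,
        "information_types": [
            {"name": it.name, "provisional": dict(it.provisional),
             "final": it.final_levels(),
             "rationale": {obj: why for obj, (_lvl, why) in it.adjustments.items()}}
            for it in info_types
        ],
        "security_category": format_sc(sc),
        "overall_impact": overall_impact(sc),
    }


# Constructed sample system carrying two information types.
SAMPLE_TYPES = [
    InfoType("Help desk services (sample)",
             {"confidentiality": "low", "integrity": "low", "availability": "low"}),
    InfoType("Personal identity and authentication (sample)",
             {"confidentiality": "moderate", "integrity": "moderate", "availability": "moderate"},
             adjustments={"confidentiality": ("high", "aggregated records for the whole "
                                              "agency; disclosure enables identity fraud at scale")}),
]
```

Calling `categorization_record("HR portal (sample)", SAMPLE_TYPES)` yields SC = {(confidentiality, high), (integrity, moderate), (availability, moderate)} with an overall impact of high, because the adjusted confidentiality level of one type raises the whole system.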
  9. Anthony Messina says

    January 31, 2021 at 2:10 pm

    NIST 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. FIPS 199 defines the security categories, security objectives, and impact levels to which NIST 800-60 maps information types. FIPS 199 establishes security categories based on the magnitude of harm expected to result from compromises rather than on the results of an assessment. The security categories in question are Confidentiality, Integrity, and Availability. FIPS 199 then establishes three potential levels of impact that could affect these categories. The levels of impact are labeled either low, moderate, or high. The security categories outlined by FIPS 199 can be associated with both user information and system information in both electronic and non-electronic forms.

    • Heather Ergler says

      February 1, 2021 at 1:39 pm

      Hi Anthony,

      Very nice summary of the reading and how the various publications work together. Where I focused time was on the assessment steps and documentation that came out of each of those steps including justification for the impact rating at every stage of the process. The documentation builds as the process steps from identification of information types to reviewing provisional impact levels. This documentation allows auditors and stakeholders to easily move through the security plan for multiple agencies and still understand what drove the impact assessment.

  10. Humbert Amiani says

    January 31, 2021 at 4:39 pm

    The key concept of NIST 800 60 V1R1 is the breaking down of organizational information into mission-based information types, which enables the organization to determine the security risks and impact levels threats have on each information type. Security categorization is emphasized along with ensuring the security objectives are met for each set of information. The publication also provides guidelines to identify and classify any information types not commonly used or not listed that might need to be covered by security policies and plans.

    According to the publication, all information types fall under certain established categories, therefore making sure that information is placed under the correct mission. This ensures proper security measures are defined for it, therefore giving the information adequate security.

  11. Austin Mecca says

    January 31, 2021 at 5:08 pm

    The key takeaway from this document is the integration of the NIST risk management framework. This essential process is the building block for a security plan, as you cannot protect what you don’t know you have. During the plan, the integration of information security objectives comes into play. This is where you determine, out of everything you have accounted for, what is most important and in what aspect. Some things are much more important from a confidentiality standpoint rather than from an integrity or availability POV. This matrix helps assign values and levels of potential risk to everything that was categorized in the NIST risk management framework. Once these have been determined, the process of how to protect each categorization can begin. This is where you devise what security measures are applicable and which are not for each specific department. The SSP is long because there are many levels to each category; after completion of one level there is almost always another, and the best systems have depth when it comes to levels of security for each item.

    • Krish Damany says

      February 2, 2021 at 8:26 pm

      Hi Austin,

      I think your answer is spot on. Without the proper categorization of information, a security plan will fall apart. While SSP is verbose, it’s important to have everything accounted for in the event of a risk.

  12. Cami Chen says

    January 31, 2021 at 5:20 pm

    The steps of the security categorization process help the organizations to select effective security controls. The mission owners and information owners act as the main characters in the process steps. They cooperate with the CIO and SAISO to establish the policy that regards the information system identification for security categorization purposes. In order to complete the policy, the mission owners and information owners need to identify the appropriate information types to support the organizational environment. After finishing selecting provisional impact levels, the mission owners and information owners can assist in reviewing and finalizing it if it is applicable to the organization. If it is not, they can help to adjust components, such as the CIA factors and any legal or statutory reasons. While assigning the system security category, they need to follow the oversight process to provide the appropriate access to authorized users, so the organization can meet the system security objectives.

  13. Prince Patel says

    January 31, 2021 at 5:43 pm

    NIST 800-60 addresses a guide to map different types and categories of information and information systems to security categories. The security categorization highlights the importance and criticality to select security controls to achieve the information security objectives to get confidentiality, integrity and availability of the information assets. This document addresses the FISMA requirements to develop the security category guidelines to categorize a potential security impact. These categories and their guidelines will help federal information systems departments map the impact level of information and information systems.

  14. Krish Damany says

    January 31, 2021 at 6:04 pm

    The purpose of NIST 800-60 is to help agencies categorize impact levels relating to information and information systems in accordance with FISMA guidelines. A large part of the document is how an organization categorizes security objectives and information systems through FIPS 199. These security objectives are part of the CIA triad, where they are detailed by Confidentiality, Integrity, and Availability. The objectives are then categorized further through an impact assessment, where the potential impacts are ranked Low, Moderate, and High. The next step is to assign the impact levels and security categorization through a five-step process: Identify Information Types, Select Provisional Impact Levels, Review Provisional Impact Levels, Adjust/Finalize Information Impact Levels, and then Assign System Security Category. Once this process is finished, Potential Impact can be more detailed and categorized through the CIA triad.

    • Jonathan Castelli says

      February 1, 2021 at 7:59 pm

      I agree this document helps agencies categorize their impact levels. I also like how it can help assign the impact levels. I also like how you included the five-step process. You broke it down and simplified it. I think I missed the names of the five steps while reading the document details. Thanks for including them.

    • Zhen Li says

      February 1, 2021 at 10:29 pm

      Hi, Krish, I like your analysis of NIST 800-60. I think NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets. And I also like that you mentioned this five-step process; I did not notice it when I read this document.

  15. Zhen Li says

    January 31, 2021 at 6:44 pm

    NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. And NIST guidelines can be used by federal agencies and nongovernment organizations. NIST SP 800-60 is intended to help agencies consistently map security impact levels to types of (1) information and (2) information systems. This document lets users review the guidelines provided in Volume I to choose only that specific material from the appendices that applies to their own systems and applications.

  16. Junhan Hao says

    January 31, 2021 at 8:57 pm

    The NIST 800 60 V1R1 guide is used to assist in classifying all information and information systems. The categorization of information systems is the key to the risk rating of information systems. The evaluation method can be used by identifying the level of confidentiality, integrity and availability as the final assignment result of the information according to the characteristics of the enterprise itself, or according to the different levels of confidentiality, integrity, and availability of the information, including unauthorized disclosure of information, unauthorized modification or damage to information, and interruption of access to information systems. A weighted assignment security event is the occurrence of an identifiable state of a system, service, or network.

    • Wenyao Ma says

      February 1, 2021 at 2:48 am

      Hi, Junhan
      You showed the importance of classifying information systems. For the security of information system, the accuracy of control is necessary. Effective and accurate asset classifications are very useful to help risk assessors pinpoint the requirements of the control hierarchy.

  17. Mei X Wang says

    January 31, 2021 at 9:18 pm

    NIST explains the importance of performing security categorization on federal agencies’ business and information systems. The categorization is a crucial step in establishing the foundation of standardization across their security systems. Security categorization can prove valuable to agencies, their missions, the security programs in place, and IT management.
    The value of categorizing information security helps the agency implement appropriate controls based on the results of the potential impact assessment (low, moderate, high). Having an incorrect categorization or lack of categorization creates risks of the organization over-protecting their systems and wasting resources, or under-protecting and causing their assets to be at risk. Having security categorization in place proves valuable to both the system development lifecycle and the C&A process as well.

  18. Kyuande Johnson says

    January 31, 2021 at 9:50 pm

    The Risk Management Framework is a United States federal government policy and set of standards, developed by the National Institute of Standards and Technology, to help secure information systems. RMF aims to improve information security, strengthen the risk management processes, and encourage reciprocity among federal agencies. There are six steps in the RMF process: Categorize Information Systems, Select Security Controls, Implement Security Controls, Assess Security Controls, Authorize Information System, and Monitor Security Controls.
    Security Categorization is the key first step in the Risk Management Framework because of its effect on all other steps in the framework.
    Security categorization starts with the identification of what information supports which government lines of business. It is important to routinely revisit the security categorization as the mission/business changes, because it is likely the impact levels or even information types may change as well. The second step in the RMF process is to select an initial set of security controls for the information system based on the FIPS 199 security categorization and apply tailoring guidance as appropriate, to obtain a starting point for required controls as specified in FIPS 200. The third step involves implementing the security controls in the information system and describing how the controls are employed within the information system and its environment of operation. The fourth step is to assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly. The fifth step is to authorize the information system to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system. The last step is to monitor and assess selected security controls in the information system on a continuous basis, including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis.

  19. Heather Ergler says

    January 31, 2021 at 11:08 pm

    The reading steps through the process of mapping security impact levels to types of information and information systems for federal agencies. The special publication covers the security objectives and classification types. The security objectives of confidentiality, integrity and availability are outlined, as well as the classification types of high, moderate and low. What I found interesting was the level of granularity: the steps for classifying information were so prescriptive, including the roles that are responsible for completing each step. The steps encourage collaboration between the Chief Information Officer, Senior Agency Information Security Officer, mission owners and information owners to solidify the information types and how they are classified based on the security objectives. Another area where the classification steps are very specific is in the tasks that encompass each step and the documentation required for each step.

  20. Elias Harake says

    January 31, 2021 at 11:47 pm

    In this week’s reading assignment, NIST 800 60 V1R1 outlines the importance of security categorization of information and how essential the selection of security controls is to ensure confidentiality, integrity, and availability. After categorization, the information must be ranked as low, moderate, or high as defined in FIPS 199. A key takeaway from this week’s assignment is that FIPS 199 defines the security categories, objectives, and impact levels to which SP 800-60 maps information types. IT auditors must then assign the appropriate risk to either low, moderate, or high during their risk analysis.

    • Jonathan Castelli says

      February 1, 2021 at 8:08 pm

      I wasn’t even looking at this from an IT auditor’s perspective (sad, I know) but am glad you mentioned it. This document can help guide the organization and the auditors when they are categorizing and ranking the impact of the security controls. Thanks for that reminder; IT auditing is the perspective I should be reviewing this from.

  21. Vanessa Marin says

    January 31, 2021 at 11:51 pm

    NIST SP 800-60 addresses the mapping of security impact levels to the types of information being protected. Volume I sets the guidelines or standards and associates related NIST guides to be used in support. It also provides the instructions for mapping alongside the identification of the mission-based and management and support information types. Volume II contains the listing of all the potential combinations of security impact levels for management and support and the way to properly document the mapping.

  22. Shubham Patil says

    April 16, 2022 at 5:22 pm

    NIST 800-60 addresses the FISMA direction to create rules prescribing the sorts of data and data frameworks to be included in each category of potential security affect. The FIPS 199 characterizes the security categories, security targets, and affect levels to which NIST 800-60 maps data sorts. FIPS 199 builds up security categories based on the greatness of hurt anticipated to result from compromises instead of on the comes about of an appraisal. The security categories in address are Privacy, Judgment, and Accessibility. FIPS 199 at that point sets up three potential levels of affect that might impact these categories. The levels of affect are labeled either moo, direct, or tall. The security categories laid out by FIPS 199 can be related with both client data and framework data in both electronic and non-electronic types.
