Kelly Sharadin says
NIST SP800-60 demonstrates the complexities of information security systems and how information taxonomy flows from one entity to another, for example, as a sub-factor of its information type. The SCADA System example helped to synthesize this information into a digestible diagram. Distilling complex processes into clear documentation helps ensure adoption and follow-through, as non-technical parties are able to comprehend rather technical processes. This documentation helps to assign responsibility and ownership at the various information conjunction points (receiving and retrieving sensitive data).
Kyuande Johnson says
NIST 800-60 V1R1 mentions the RMF process. The RMF process involves seven steps: prepare, categorize, select, implement, assess, authorize, monitor. The purpose of the preparation stage is to carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. The second step is categorization. The purpose of the categorization stage is to inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. The third step is the selection stage. It involves selecting, tailoring, and documenting the controls necessary to protect the system and organization commensurate with risk. The fourth step of the RMF process is the implementation phase, which involves implementing the controls in the security and privacy plans for the system and organization. The fifth step is the assessment phase, which determines if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
The sixth step is the authorization step. It provides accountability by requiring a senior official to determine if the security and privacy risk, based on the operation of a system or the use of common controls, is acceptable. The last step is the monitoring phase, which involves maintaining ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions.
Dan Xu says
Hi Kyuande,
I agree with you that the purpose of the preparation phase in the RMF process is to carry out the necessary activities, as it allows one to clarify the objectives and direction of the activities before starting. Also, for that process, monitoring maintains a continuous situational awareness of the security and privacy status of the system and the organization. On the other hand, confidentiality, integrity and availability are among the indicators that confirm the security of the system.
zijian ou says
NIST SP 800-60 addresses the direction FISMA has taken to develop guidelines for the types of information and information systems recommended to be included in each potential security impact category. This guidance is intended to help agencies consistently map security impact levels to the following types: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigative); and (ii) information systems (e.g., mission-critical, mission support, administrative).
It was developed to assist federal government agencies in classifying information and information systems. The guide’s goal is to promote the application of appropriate levels of information security based on the range of impacts or consequences that may result from unauthorized disclosure, modification, or use of information or information systems.
Kelly Sharadin says
Hi Zijian,
Excellent post; identifying what information types or systems an organization has is the most important step in developing a system security plan. NIST SP800-60 indeed helps guide and simplify this critical step based on industry standards.
Kelly
Antonio Cozza says
NIST SP 800-60 points out in particular something I did not previously consider regarding categorizing information systems as described in FIPS 199; three major areas that a categorized information system can help support are an organization’s business impact analysis (BIA), Capital Planning and Investment Control (CPIC) and enterprise architecture (EA), and System Design. A security categorized information system can be used to drive spending on improvements and to also avoid potentially wasteful expenditures. The intersection between a business impact analysis and a security categorization should suggest accuracies in the business impact analysis and enable relevant personnel to decide whether it should be reevaluated.
Dan Xu says
Through NIST SP 800-60, I learned that for information systems, the potential security impact levels assigned are for each of the corresponding security objectives: confidentiality, integrity, and availability. This is the highest level (i.e., high water mark) of any of these objectives that has been identified for the type of information that resides on the information system. To avoid the system required to consider the system processes in the security classification. The basic requirements for protecting integrity, availability, and key information such as passwords and encryption keys, while system-level confidentiality handles high-water mark functions and information. This is essential to protect system-level processing functions and to the operation of information systems.
Madalyn Stiverson says
When creating a data matrix which assesses the impact of a breach of confidentiality, integrity, and availability, the first step is to identify information types. To create this data inventory, you should conduct interviews with employees from different functions across the organization. After asking these questions of various individuals across the organization, you can start to develop your data inventory. Creating a data inventory will help you be compliant with regulations such as GDPR and CCPA, and it will increase your visibility into your network. And, once you have this data inventory, you can then start assessing the impact of a breach on confidentiality, integrity, and availability for each of these data types.
kofi bonsu says
NIST SP 800-60 essentially explains FISMA's focus to come out with meaningful guidelines suggesting the types of information and information systems to be part and parcel of each category of potential security impact. This guideline is primarily meant to assist agencies in consistently mapping security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). The chapter of the book went on by saying that the guideline is applicable to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information. The article further opined that security categorization proffers a vital step in integrating security into the government agency's business and information technology management assessments and thus determines the foundation for security standardization amongst their information systems. Security categorization, however, begins with the examination of what information supports which government lines of business, as depicted by the Federal Enterprise Architecture (FEA).
Furthermore, the steps undoubtedly pay attention to the evaluation of the need for security as regards confidentiality, integrity, and availability. Hence, the outcome of that would be a strong linkage between missions, information, and information systems, with cost-effective information security being established.
Victoria Zak says
Out of this reading, I found interesting that there are methods utilized to assign security impact levels for information types such as: identify information types, select provisional impact levels, review provisional impact levels & adjust/finalize information impact levels, and assign the system security category (Page 12).
NIST 800-60 tells us how important it is to document the system category process. It is essential to document the research, key decisions, approvals, and supporting rationale driving the information system security categorization (Page 31). The results of the system security categorization can be used by the business impact analysis, capital planning & investment control & enterprise architecture, system design, contingency & DR planning, and information sharing & system interconnection agreements.
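The two posts above describe the same procedure from different angles: the four steps of assigning impact levels (identify information types, select provisional levels, review and adjust, assign the system category), the FIPS 199 high-water-mark rule that sets each objective's level to the highest found among the system's information types, and the need to record the rationale for every decision. The following Python is an added example written for this thread, not code or data from NIST SP 800-60; the information types, their provisional impact levels, and the adjustment are constructed for illustration (real provisional levels come from SP 800-60 Volume II), and all function and class names are the example's own.

```python
"""Worked example of FIPS 199 / SP 800-60 system security categorization.

Added example; the information types and impact levels below are constructed
for illustration and are not the provisional values published in SP 800-60.
"""
from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered so the high-water mark can be taken with max()
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Step 1 (identify information types): a constructed inventory for one system.
SYSTEM_INFO_TYPES = ["Payroll records", "Public web content", "Building access logs"]

# Step 2 (select provisional impact levels): constructed lookup table, not SP 800-60 Vol. II.
PROVISIONAL = {
    "Payroll records":      {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "Public web content":   {"confidentiality": "LOW",      "integrity": "MODERATE", "availability": "LOW"},
    "Building access logs": {"confidentiality": "LOW",      "integrity": "LOW",      "availability": "LOW"},
}


@dataclass
class Adjustment:
    """Step 3: one reviewed change to a provisional level, with its documented rationale."""
    info_type: str
    objective: str
    level: str
    rationale: str


@dataclass
class Categorization:
    objectives: dict            # objective -> final level for the whole system
    system_impact: str          # highest of the three objective levels
    log: list = field(default_factory=list)  # decisions and rationale, for the record


def high_water_mark(levels):
    """Return the highest FIPS 199 level among the given level names."""
    return max(levels, key=LEVELS.__getitem__)


def categorize_system(info_types, provisional, adjustments=()):
    """Apply steps 2-4 to the information types identified in step 1."""
    log = []
    final = {}
    for name in info_types:
        if name not in provisional:
            raise KeyError(f"no provisional impact levels for {name!r}")
        final[name] = dict(provisional[name])  # copy so adjustments never mutate the table
        log.append(f"{name}: provisional {final[name]}")

    for adj in adjustments:
        if adj.level not in LEVELS or adj.objective not in OBJECTIVES:
            raise ValueError(f"invalid adjustment {adj}")
        before = final[adj.info_type][adj.objective]  # KeyError if the type was never identified
        final[adj.info_type][adj.objective] = adj.level
        log.append(f"{adj.info_type}/{adj.objective}: {before} -> {adj.level} ({adj.rationale})")

    # Step 4: high-water mark per objective across all information types, then overall.
    system = {obj: high_water_mark(final[n][obj] for n in info_types) for obj in OBJECTIVES}
    overall = high_water_mark(system.values())
    log.append(f"system: {system}, overall impact {overall}")
    return Categorization(system, overall, log)


def format_fips199(cat):
    """Render the result in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({o}, {cat.objectives[o]})" for o in OBJECTIVES)
    return f"SC = {{{parts}}}"


# Constructed adjustment: the review finds that the access logs feed real-time
# physical security monitoring, so their availability is raised to HIGH.
EXAMPLE_ADJUSTMENTS = [
    Adjustment("Building access logs", "availability", "HIGH",
               "logs drive real-time physical security monitoring"),
]


def example():
    """Run the constructed system through the procedure with the review adjustment."""
    return categorize_system(SYSTEM_INFO_TYPES, PROVISIONAL, EXAMPLE_ADJUSTMENTS)


if __name__ == "__main__":
    result = example()
    print("\n".join(result.log))
    print(format_fips199(result), "-> overall", result.system_impact)
```

The point the run makes is the one the high-water mark rule implies: a single adjustment on a low-profile information type (here, availability of the access logs) lifts the availability objective for the whole system and, with it, the overall system impact level, so the rationale for such an adjustment is exactly what the documentation step must capture.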
Michael Jordan says
NIST 800-60 V1r1 gave me a better picture of the specific types of information that government entities contain (specifically, table 4). A key point that I took from this was that it is easy to guess and brainstorm what potential types of information organizations contain, but seeing how a government publication like NIST breaks them down helps to eliminate the guessing and expand my view by seeing some information categories that I was not able to infer, for instance, the water transportation information type under D.11.
kofi bonsu says
Hello Michael,
Excellent points raised in your analysis, since such standards simplify the security categorization task by identifying all information types used by the organization and evaluating their impact levels, reducing the need for system owners to consult federal guidance on security categorization for generic information types or to define their own information types.
Olayinka Lucas says
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 has been developed to assist Federal government agencies in categorizing information and information systems.
NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems in each category of potential security impact. System categorization or ranking in line with the inherent level of risk is provided for and clearly articulated. Plans are categorized and mapped to the appropriate risk classification for adequate controls allocation.
Olayinka Lucas says
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 was developed to assist Federal government agencies in categorizing information and information systems based on the inherent potential security impact to an organization.
NIST SP 800-60 serves as a guideline for recommending the types of information and information systems in each category of potential security impact. The objective is to aid agencies in consistently mapping security impact levels to types of:
(i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation);
(ii) information systems (e.g., mission-critical, mission support, administrative).
Security Categorization is the critical first step in the Risk Management Framework because of its effect on all other actions in the framework, from selecting security controls to the level of effort in assessing security control effectiveness, further elaborating the importance of the categorization process.