A key note I took from reading the NIST SP 800-60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories was the security categorization process. The first step is categorizing the information systems; the second is to select the security controls best suited to the particular IS, based on the controls in FIPS 200. These are selected through an assessment of local conditions, compliance requirements specific to the organization, threats, cost-benefit analysis, and any special circumstances. Step 3 is to implement the controls. Step 4 is to assess the controls to determine which controls are being operated as intended, used correctly, and producing the expected outcome. All controls must meet the security requirements for the system. Step 5 is to authorize the information system, as long as it has been determined that the risk is acceptable. The last step is to monitor the controls in place continuously through documentation, security impact analyses, and reporting of status to organization officials.
Information security has become an effective risk manager for the confidentiality, integrity, and availability of information. With constant changes in the risk environment, it has also become a critical mission-oriented function. This is why the categorization of information security is a valuable asset: it allows agencies to proactively execute proper controls based on the evaluated potential impact and to sustain the mission in a cost-effective manner.
The SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)} formula is a helpful method to evaluate and assign a security category. Using this formula against multiple aspects of the targeted system or event, and combining it with the high water mark, or maximum potential impact value, for each security objective, is very sensible.
Hi Xiduo, I agree that this formula is useful to evaluate and assign a security category. Categorization of systems begins by determining the security category for all information types resident on the target information system, taking into account each of the three security objectives (Confidentiality, Integrity, and Availability) independently.
When beginning to design a security plan for an information system, it is important to assign a security categorization to the system. In order to establish the security categorization of the system, it is required to determine what type of data is going to be stored and how the system will be used within the organization (business functions). Having this information will allow the organization to determine the potential impact this information has on the organization and how it relates to the security objectives: confidentiality, integrity, and availability. Using FIPS 199 to set an impact level of low, moderate, or high will help the organization determine which of the most cost-effective security controls are needed to help mitigate risks. Also, utilizing the risk management framework security life cycle will help make sure the organization is staying secure.
This document addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. One of the key points that I took from this reading is how to establish an appropriate security category for an information type; the generalized format for expressing the security category of an information type is: Security Category information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
Wei, thank you for sharing. The Security Category provides an easy-to-understand, easy-to-scale way for organizations to apply and evaluate against a wide range of data and resources within the organization.
A key takeaway is the guidance provided on the selection of provisional impact levels within the security categorization process. The organization needs to assess the impact of a breach of confidentiality, integrity, and availability by evaluating their information/information systems, instead of simply reviewing a list of information assets and arbitrarily assigning impact levels based on initial thoughts. These impact levels should be well evaluated, as they affect the selection of baseline controls to meet the minimum security requirements outlined in FIPS 200.
The NIST SP 800-60 Process Roadmap provides detailed steps for categorizing the information system. Step 1 identifies all of the information types that are input, stored, processed, and/or output from each system. Step 2 selects the provisional impact level and determines the security category (SC) for each information type: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}. Step 3 reviews the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing. Step 4 assigns the overall information system impact level based on the highest impact level for the system security objectives (confidentiality, integrity, availability). This process roadmap can be used for the selection of the set of security controls necessary for each system and for the system risk assessment.
Proper information and information system categorization is a critical aspect of planning protection. It starts at the very top of the organization. The organization (agency in this case) needs to have its mission and business areas documented. The business areas need to be categorized, as it is a trickle-down effect. And it is not just the effort of the CIO or CISO categorizing all the systems. Management and operations staff working with the systems need to be involved in designating categorizations. The security categorizations should also be periodically reviewed, updated, and/or validated.
A key point that stood out to me from this text was the consistent inclusion of the organization’s mission within its security planning. Throughout the document, the text references the mission as an important piece of information to consider when making security decisions. For example, the agency’s business and mission areas are among the first listed within the security categorization information collection. I believe this brings up an important point that is often overlooked when curating information systems security: all actions and decisions must point back to the enterprise’s mission. Looking at security measures in isolation from the overall mission of the organization will result in a lower-quality security system.
Hi Taylor – I think this is also a very important point based on the way the documentation prioritizes the organization’s mission. Ultimately, all business processes exist to further the organization’s mission, and information security operations are no different. Without the central goal of the enterprise in mind, it would be impossible to make effective security decisions.
Thinking about the agency’s (or organization’s) business objectives and mission-critical activities is absolutely a vital aspect of system security planning. Systems and IT are there to support the business. By thinking about the assets in terms of how they contribute to the agency’s goal and how important they are to critical functions, you can better understand how important they are to protect. At the end of the day, how much money to spend and where to focus the most expensive controls is a business decision based around the cost/benefit of it all.
One point I found to be interesting was the automatic categorization of trade secrets. In the reading, it states that systems with trade secrets are always classified as moderate. Because of this, it is really important to keep track of where trade secrets are stored. This can make a system that would otherwise be classified as low confidentiality actually a medium.
Hi Charlie. That’s a great point that you bring up here. For me, trade secrets are intellectual property and should be highly confidential information. Trade secrets are usually commercially valuable, and the exposure of these trade secrets could lead a company to lose revenue and profits. In my opinion, I would personally rank trade secrets as High and would make sure that only authorized individuals within the organization have access to this type of information.
A key takeaway from this reading is related to the consideration of information in aggregate, which is part of step 4, Assign System Security Category. The concept of considering data in the aggregate is critical. For example, there might be 5 individual pieces of information that are all considered not sensitive; however, in aggregate they could be deemed highly sensitive (think of categories such as last name and account number). The guidance notes: “In general, the sensitivity of a given data element is likely to be greater in context than in isolation”. Once reviewed, if it is determined that the information has a higher rating when considered in aggregate, then the system security objective impact levels will probably need to be raised to a higher level than initially considered because of the security impact.
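The following is an added worked example, not code from the thread or from NIST, that puts the roadmap steps described in the Process Roadmap post above (step 2 provisional SC per information type, step 3 review, step 4 high water mark) and the aggregation point in this post into a small Python module. The information types, impact levels, review decisions and aggregation decision are constructed for illustration and are not taken from SP 800-60 Volume II. The one rule it enforces beyond what the thread states is FIPS 199's restriction that "N/A" is permitted only for the confidentiality objective of an information type, never for a system objective.

```python
"""Added example: SP 800-60 categorization steps 2-4 as code.

Step 2 expresses each information type as
  SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Step 3 applies the organization's review of the provisional levels.
Step 4 takes the high water mark across all types for each objective,
applies any raise the organization decided on after considering the data
in aggregate, and assigns the overall system impact level.
"""
from dataclasses import dataclass, replace

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 impact levels in rank order. FIPS 199 allows "N/A" only for the
# confidentiality objective of an information type (e.g. public information);
# a system's objectives are never below LOW.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


def higher(a, b):
    """Return the higher of two impact levels (the high water mark)."""
    return a if RANK[a] >= RANK[b] else b


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in RANK:
                raise ValueError(f"unknown impact level {level!r} for {obj}")
            if level == "N/A" and obj != "confidentiality":
                raise ValueError(f"N/A is only allowed for confidentiality, not {obj}")

    def __str__(self):
        return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                % (self.confidentiality, self.integrity, self.availability))


@dataclass(frozen=True)
class InformationType:
    name: str
    provisional: SecurityCategory  # step 2 result


def step3_review(info_type, overrides):
    """Step 3: replace provisional levels with the reviewed ones.

    `overrides` maps information-type name -> {objective: level}. A review may
    raise or lower a level; anything not overridden keeps its provisional value.
    """
    changes = overrides.get(info_type.name, {})
    return replace(info_type, provisional=replace(info_type.provisional, **changes))


def step4_system_category(info_types, aggregate_minimum=None):
    """Step 4: high water mark per objective across all information types.

    `aggregate_minimum` is {objective: level}: levels the organization decided
    are required once the data is considered in aggregate. It can only raise
    the result. Returns (system SC, overall system impact level).
    """
    hwm = {obj: "N/A" for obj in OBJECTIVES}
    for t in info_types:
        for obj in OBJECTIVES:
            hwm[obj] = higher(hwm[obj], getattr(t.provisional, obj))
    for obj in OBJECTIVES:
        hwm[obj] = higher(hwm[obj], "LOW")  # a system objective is at least LOW
        hwm[obj] = higher(hwm[obj], (aggregate_minimum or {}).get(obj, "LOW"))
    system_sc = SecurityCategory(**hwm)
    overall = "LOW"
    for obj in OBJECTIVES:
        overall = higher(overall, hwm[obj])
    return system_sc, overall


# Constructed sample: a hypothetical customer-account system. Names, levels
# and decisions are illustrative only.
SAMPLE_TYPES = [
    InformationType("public web content", SecurityCategory("N/A", "LOW", "LOW")),
    InformationType("customer name and address", SecurityCategory("LOW", "LOW", "LOW")),
    InformationType("account number", SecurityCategory("LOW", "LOW", "LOW")),
]
# Step 3 review decision (constructed): integrity of account numbers is MODERATE.
SAMPLE_REVIEW = {"account number": {"integrity": "MODERATE"}}
# Step 4 aggregation decision (constructed): name plus account number together
# warrant MODERATE confidentiality even though each element alone is LOW.
SAMPLE_AGGREGATE = {"confidentiality": "MODERATE"}


def categorize_sample():
    """Run steps 3 and 4 over the constructed sample."""
    reviewed = [step3_review(t, SAMPLE_REVIEW) for t in SAMPLE_TYPES]
    return step4_system_category(reviewed, SAMPLE_AGGREGATE)


if __name__ == "__main__":
    sc, overall = categorize_sample()
    print(sc)
    print("overall system impact level:", overall)
```

Without the aggregation decision the sample system's confidentiality would stay at LOW, which is exactly the situation the quoted guidance warns about: each element is harmless alone, and the raise only appears once the review looks at the combination.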
A key point from this reading is that when determining the security categorization of information and information systems, it is important to identify the information type in addition to the impact a breach of the CIA objectives might have. This applies specifically to the government organizations the document is designed to cover. Knowledge of the four top-level business areas a government operation can fall under, the information types those business areas are categorized into, and how those affect security decision-making are all major priorities for government entities.
From this reading, I really liked the approach mentioned of identifying “mission-based information types”. I believe this concept is a good demonstration of how IT and Information Security can and should support the business and that the functions of the business should be linked with Information Security. I also think the approach outlined in the reading, where stakeholders from management, operational areas, enterprise architecture, and security are involved is a good one to ensure that there is a balanced perspective in assessing the meaningfulness and risk of information and information systems in supporting the business. This ensures that Security is not performed in a silo and helps to support the idea of cost-effective controls.
In this week’s reading, NIST SP 800-60 V1R1 outlines the importance of the security categorization of information and how essential the selection of security controls is to ensure confidentiality, integrity, and availability. After categorization, the information must be ranked as low, moderate, or high as defined in FIPS 199. A key takeaway from this week’s assignment is that FIPS 199 defines the security categories, objectives, and impact levels to which SP 800-60 maps information types. IT auditors must then assign the appropriate risk as either low, moderate, or high during their risk analysis.
Elias,
I agree with you. This to me was also the key point. Your point about the IT auditors was a different approach.
This reading reminds me of an overview of what we’ve learned so far in ITACS. It gives a high-level view of things like risk modeling, risk rating, asset identification, etc. It outlines the roles each position has and the support systems. Most importantly, it touches on how to document these processes as well. I think the categorization of the aspects is something I haven’t seen as much, at least not in those terms. This is definitely a framework I could see myself using at work in the future when I reach a level where I’ll be developing scopes.
I felt it was good to have the security classification reiterated. This is the first step in the process to determine the classification of the documents. Once the classification has been established, the organization can properly measure the risk and determine a mitigation or strategy.