I was reading the NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories A key note is the security classification process. The first step is to classify the information system and the second step is to select the most appropriate security control for a particular IS based on the controls in FIPS 200 by evaluating local conditions, compliance with the particular organization, threats, cost-benefit analysis, and any special circumstances. Step 3 is to implement the controls. All controls must meet the security requirements of the system. Step 4 is to evaluate the controls to break down which controls are functioning as intended, are being used correctly, and are producing the desired results. Step 5 is to authorize the information system and determine that the risk is acceptable. The final step is to continuously monitor the controls in place through documentation, security impact analysis, and status reporting to organizational officials.
At present, according to the importance of the network, information system, data and information on the network, it is divided into five levels of security protection, from level one to level five, step by step. Different levels of networks, information systems, data on the network should have different security protection measures.
Level 1: After the information system is damaged, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but it will not harm national security, social order and public interests.
Level 2: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 3: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 4: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 5: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
To help organizations determine the security categories of their information and information systems in order to implement appropriate security controls for those systems and information. To achieve this, the guide provides a mapping between information and information system types and security categories.
Under FIPS 199, security categories are classified based on the impact that loss of confidentiality, integrity and availability of information or information systems may have on an organization.
Low impact: Loss of confidentiality, integrity, and availability has a small impact on the organization and does not result in significant losses.
Medium impact: Loss of confidentiality, integrity, and availability may have a moderate impact on some of the organization’s operations or assets.
High impact: Loss of confidentiality, integrity, and availability can have a significant impact on an organization’s critical operations or assets and may even threaten the survival of the organization.
One striking aspect of NIST 800-60 V1R1 is its emphasis on mapping types of information and information systems to security categories. This process helps organizations better understand the value and sensitivity of their information assets, enabling them to determine and implement appropriate security controls effectively. By clearly defining the types of information and information systems and mapping them to the appropriate security categories, organizations can better protect their information assets, reduce security risks, and comply with applicable security standards and guidelines.
From reading this chapter, I believe it is important to assign a security classification to a system when designing a security plan for an information system. In order to establish a security classification for a system, it is necessary to identify the type of data that will be stored and how the system will be used within the organization. Having this information will allow the organization to determine the potential impact of this information on the organization and how it relates to the security goals (confidentiality, integrity, and availability). Using FIPS 199 to set the impact level to low, medium, and high will help the organization determine what the most cost-effective security controls are needed to help mitigate risk. In addition, using a risk management framework security lifecycle will help ensure that the organization remains secure.
NIST 800-60 V1R1 “Guideline for Mapping Types of Information and Information Systems to Security Categories” provides organizations with a useful framework for aligning different types of information and information systems with security categories. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information. It offers clear guidance, promotes consistency, enhances risk identification and management, and facilitates information sharing, thereby helping organizations improve their overall security posture.
The guide defines the different types of information and information systems, including the types of information processed, stored or transmitted and the functions, uses and architecture of the system. These categorizations may be based on the sensitivity of the data (e.g., confidentiality, privacy, critical infrastructure protection, etc.) as well as the complexity, importance or criticality of the system. In the mapping process, there are a number of factors to consider: sensitivity of information, complexity of systems, business process dependencies and potential security threats and vulnerabilities. The guidance also emphasizes the importance of communication and collaboration with stakeholders (e.g., business leaders, legal counsel, security experts, etc.) to ensure the effectiveness and compliance of the mapping process.
When starting to design a security plan for an information system, it is important to assign security categories to the system. In order to establish the security classification of the system, it is necessary to determine what type of data will be stored and how the system (business functions) will be used within the organization. Having this information will enable the organization to determine the potential impact of this information on the organization and how it relates to security objectives (confidentiality, integrity, and availability). Setting low, medium and high impact levels using FIPS 199 will help organizations determine which of the most cost-effective security controls are needed to help reduce risk. Also, leveraging the risk management framework security lifecycle will help ensure that the organization remains secure.
The guide covers four main topics, including:
1.Information Categorization: It explains how to categorize information based on its sensitivity, confidentiality, integrity, and availability requirements.
2.Information System Classification: It provides guidance on classifying information systems based on their function, purpose, and the sensitivity of the information they process, store, or transmit.
3.Mapping to Security Categories: The guide details how to map information and information systems to specific security categories based on their sensitivity and criticality.
4.Security Control Selection: It provides guidance on selecting appropriate security controls for each security category. This includes controls for access control, identification and authentication, auditing and monitoring, and other key areas.
NIST SP 800-60 was developed to ensure that information systems are accurately categorized according to the low, medium, and high impact levels specified in FIPS 199. System classification is a core step in safeguarding the confidentiality, integrity, and availability of information assets against threats by ensuring that information assets are protected by appropriate minimum requirements and necessary controls. With accurate system categorization, the subsequent steps of the NIST Risk Management Framework can move forward in a solid manner.
This article describes a four-step process designed to ensure maximum accuracy in impact level assignments. The first step is to identify the type of information stored or processed by the system, whether it is classified, restricted, or public. The second step involves temporarily assigning an impact level to the system based on the type of information. The third step involves reviewing additional details of the system in order to adjust the impact level and finalize the classification. The final step is to formally assign a security category to the system. Through this process, we are able to more accurately protect information assets and ensure that they are safe and secure.
NIST 800-60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories highlights the significance of the security classification process. This process involves several crucial steps. Initially, organizations must classify their information systems. Subsequently, they must select the most suitable security controls for each IS, considering local conditions, organizational compliance, threats, cost-benefit analysis, and special circumstances, referencing FIPS 200. Implementation of these controls is the next step, ensuring they align with the system’s security requirements. Evaluation follows, aiming to assess the controls’ performance, correctness, and their alignment with desired outcomes. Authorization of the information system is then granted upon determining the risk is acceptable. Finally, continuous monitoring of the implemented controls is essential, involving documentation, security impact analysis, and regular status reporting to organizational officials. A noteworthy aspect of NIST 800-60 V1R1 is its emphasis on mapping information and systems to security categories, which enhances organizations’ understanding of asset value and sensitivity. This mapping allows for more effective determination and implementation of suitable security controls, thereby protecting assets, mitigating risks, and ensuring compliance with relevant security standards and guidelines.
NIST 800 60 V1R1 Guide fundamentally explains FISMA’s focus on developing meaningful guidance that recommends the types of information and information systems that are important components of each category of potential security impact. The guidance is primarily intended to help agencies continuously map security impact levels to the following types: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigative); (ii) Information systems (e.g., mission critical, mission support, administration). The section goes on to say that the guidance applies to all federal information systems except national security systems. National security systems store, process, or communicate national security information. The paper further argues that security classification is an important step in integrating security into the assessment of government agencies’ operations and information technology management, thereby determining the basis for standardization of their information system security. However, security classification first examines which information supports which lines of government business, as described in the Federal Enterprise Architecture (FEA). In addition, these steps undoubtedly focus on assessing security requirements in terms of confidentiality, integrity, and availability. The result, therefore, will be a close linkage between missions, information and information systems, and the establishment of cost-effective information security.
The guide aims to define all types of information and information systems, covering the types of information to be processed, stored, or transmitted, as well as system functions, applications, and architectures. Such classifications can be divided according to data sensitivity (ie, confidentiality, privacy, critical infrastructure protection, etc.) and system complexity, importance, or criticality. In the mapping process, the information sensitivity, system complexity, business process dependence, and potential security threats and vulnerabilities should be considered comprehensively. The guidelines also emphasize the importance of communication and cooperation with stakeholders (such as business leaders, legal advisers, security experts, etc.) to ensure the effectiveness and compliance of the mapping process.
After reading the NIST 800 60 V1R1 guide for mapping information and information system types to security categories, security protection is divided into five levels according to the importance of network information systems, data, and information on the network. Different levels of network, information systems, and data on the network have different security protection measures. Information classification is also explored, which is based on the sensitivity, confidentiality, integrity and availability requirements of information according to FIPS 199. According to the controls in FIPS 200, the appropriate security controls for information security are selected by evaluating specific conditions, specific organization compliance, threats, cost-benefit analysis and other factors. NIST 800-60 V1R1 also addresses an emphasis on mapping information and systems into security categories, thereby enhancing an organization’s understanding of asset value and sensitivity.
NIST 800-60 V1R1 is a guide published by the National Institute of Standards and Technology (NIST) in the United States, commonly known as the Guide for Mapping Types of Information and Information Systems to Security Categories.
The purpose of this guide is to provide organizations and institutions with a method to classify their information and information systems into different security categories. Security categories are defined based on the sensitivity of information and the need for its protection. By categorizing information and information systems into different security categories, organizations can better understand the security requirements of their information assets and take corresponding security measures to protect these assets.
The NIST 800-60 guidelines provide a detailed set of steps and processes to help organizations determine the security categories of their information and information systems. These steps include identifying the types of information and information systems, determining the sensitivity level of information, evaluating the value and impact of information, and mapping information and information systems to corresponding security categories.
By using the NIST 800-60 guidelines, organizations can better understand the security requirements of their information assets and develop corresponding security strategies and measures to protect these assets. This helps organizations establish an effective information security management system to ensure the confidentiality, integrity, and availability of information.
It provides a framework to help organizations map their information and information system types to the appropriate security categories. The purpose of this guidance is to simplify and harmonize the process by which federal agencies conduct information security classification.
Information Type classification: Details the different types of information (such as personal information, sensitive but non-personal private information, public information, etc.) and their potential levels of impact (low, medium, high).
Classification of information systems: Provides guidance on how to classify information systems based on factors such as system purpose, type of information processed, user groups, etc.
Mapping process: describes specific steps and methods for mapping information and information system types to security categories. This includes determining the sensitivity of the information, assessing the complexity of the system, and applying the “take high” principle to determine the overall security category.
Examples and case studies: Practical examples and case studies are provided to help readers understand and apply the mapping process.
Tools and resources: Provides tools and resources that can be used to assist the mapping process, such as templates, checklists, etc.
By following the guidance of NIST SP 800-60 Volume 1, Revision 1, organizations can ensure that their information and information systems are properly classified for security, thereby laying the foundation for implementing appropriate security controls. This classification also helps to determine the security requirements of the system in security assessment programs such as FedRAMP.
The NIST SP 800-60 Process Roadmap provides detailed steps for identifying the information system.
Step 1 identifies all of the information types that are input, stored, processed, and/or output from each system.
Step 2 selects provisional impact level and Determine the security category (SC) for each information type: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Step 3 reviews the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing. Step 4 Assign the overall information system impact level based on the highest impact level for the system security objectives (confidentiality, integrity, availability).
This process roadmap can be used to the selection of the set of security controls necessary for each system and the system risk assessment.
In order to better coordinate available resources, maximise security during the operation of information systems, spend the least amount of money to provide security measures and achieve minimum standards of confidentiality, integrity and availability of information systems, we should carry out a security design at the beginning of the construction of an information system, assigning the corresponding security level to the system.
In order to establish the security classification of a system, it is necessary to identify the type of data that will be stored and how the system will be used within the organisation. Using FIPS 199 to set the impact level to low, medium and high will help the organisation to determine what the most cost-effective security controls are needed to help reduce risk. In addition, using the Risk Management Framework Security Lifecycle will help ensure that the organisation stays secure.A notable aspect of NIST 800-60 V1R1 is its emphasis on mapping information and information system types to security categories. This process can help organisations better understand the value and sensitivity of their information assets, enabling them to effectively identify and implement appropriate security controls. By clearly defining information and information system types and mapping them to appropriate security categories, organisations can better protect their information assets, mitigate security risks and comply with applicable security standards and guidelines.
Corresponding to the foreign rainbow book, China has also compiled corresponding levels of cybersecurity level protection, and security protection is carried out in accordance with the corresponding levels.
NISTSP800-60 develops guidelines for FISMA direction, including information and types of information systems in each potential security impact category. This guide applies to all federal information systems except for national security systems. Security classification is a crucial first step in a risk management framework, and the initial security classification should be conducted early in the system development lifecycle (SDLC) of the organization. SP800-60 maps information types to security categories, security objectives, and impact levels. The method of assigning security impact levels and security classifications to information types and information systems.
From this page I know that NIST SP 800-60 Volume I, Revision 1 Guidance on Mapping Information and Information System Types to Security Categories is a guide published by the National Institute of Standards and Technology (NIST). Designed to provide federal government agencies and other organizations with guidance on mapping information and information system types to appropriate security categories. The guide is part of the NIST SP 800 series of special publications focused on information security.
The primary goal of the NIST SP 800-60 V1R1 is to help organizations determine the security categories of their information and information systems so that they can select and implement appropriate security controls to protect these information assets. Security categories are determined based on the potential impact of confidentiality, integrity, and availability of information (the CIA triad).
This document addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. The one of the key points that I took from this reading is how to establish an appropriate security category for an information type and the generalized format for expressing the security category of an information type is: Security Category information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
The safety life cycle is divided into six cyclic steps.
Safety classification is a critical first step in a risk management framework.
Step2 is to utilize NIST SP 800-53 and SP 800-30, Guidelines for Risk Management of Information Technology Systems, based on risk and local conditions assessment, including the security needs of a specific organization, specific threat information, cost-benefit analysis, or initial customized security controls for special circumstances.
Step3 is to implement security controls in the information system.
Step4 is to evaluate security controls using appropriate methods and procedures.
Step5 is to authorize information system operations based on the risks arising from information system operations and the determination of the Federal Information System Security Certification and Certification Guidelines set forth in NIST SP 800-37.
Step6: continuously monitors and evaluates selected security controls in the information system.
In this guide, data types are divided into very fine, there are hundreds of categories, and information data from the perspective of confidentiality, integrity, availability to describe its potential impact, a total of low, medium, high three levels.
In this reading material, the key point I found is Guidelines for System Categorization. In some cases, the impact level for a system security category will be higher than any security objective impact level for any information type processed by the system. The primary factors that most commonly raise the impact levels of the system security category above that of its constituent information types are aggregation and critical system functionality. This section provides us some general guidelines regarding how aggregation, critical functionality, and other system factors may affect system security categorization. Agency personnel should be aware that there are several factors that should be considered during the aggregation of system information types. When considering these factors, previously unforeseen concerns may surface affecting the confidentiality, integrity, and/or availability impact levels at the system level. These factors include data aggregation, critical system functionality, extenuating circumstances, and other system factors.
This guide provides basic information on how to prepare a system security plan in accordance with applicable federal requirements and can be easily adapted to a variety of organizational structures. First, the plan should clearly define the responsibilities and expected behaviors of all individuals who have access to the system. Then, organizational policies should clearly define who is responsible for system security plan approval and the procedures established for plan submission, including any special memorandum language or other documentation required by the agency.FIPS 200 provides seventeen minimum security requirements for federal information and information systems. These requirements represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting the confidentiality, integrity, and availability of federal information and information systems.
I was reading the NIST 800 60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories A key note is the security classification process. The first step is to classify the information system and the second step is to select the most appropriate security control for a particular IS based on the controls in FIPS 200 by evaluating local conditions, compliance with the particular organization, threats, cost-benefit analysis, and any special circumstances. Step 3 is to implement the controls. All controls must meet the security requirements of the system. Step 4 is to evaluate the controls to break down which controls are functioning as intended, are being used correctly, and are producing the desired results. Step 5 is to authorize the information system and determine that the risk is acceptable. The final step is to continuously monitor the controls in place through documentation, security impact analysis, and status reporting to organizational officials.
At present, according to the importance of the network, information system, data and information on the network, it is divided into five levels of security protection, from level one to level five, step by step. Different levels of networks, information systems, data on the network should have different security protection measures.
Level 1: After the information system is damaged, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but it will not harm national security, social order and public interests.
Level 2: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 3: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 4: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
Level 5: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but it does not harm national security.
To help organizations determine the security categories of their information and information systems in order to implement appropriate security controls for those systems and information. To achieve this, the guide provides a mapping between information and information system types and security categories.
Under FIPS 199, security categories are classified based on the impact that loss of confidentiality, integrity and availability of information or information systems may have on an organization.
Low impact: Loss of confidentiality, integrity, and availability has a small impact on the organization and does not result in significant losses.
Medium impact: Loss of confidentiality, integrity, and availability may have a moderate impact on some of the organization’s operations or assets.
High impact: Loss of confidentiality, integrity, and availability can have a significant impact on an organization’s critical operations or assets and may even threaten the survival of the organization.
One striking aspect of NIST 800-60 V1R1 is its emphasis on mapping types of information and information systems to security categories. This process helps organizations better understand the value and sensitivity of their information assets, enabling them to determine and implement appropriate security controls effectively. By clearly defining the types of information and information systems and mapping them to the appropriate security categories, organizations can better protect their information assets, reduce security risks, and comply with applicable security standards and guidelines.
From reading this chapter, I believe it is important to assign a security classification to a system when designing a security plan for an information system. In order to establish a security classification for a system, it is necessary to identify the type of data that will be stored and how the system will be used within the organization. Having this information will allow the organization to determine the potential impact of this information on the organization and how it relates to the security goals (confidentiality, integrity, and availability). Using FIPS 199 to set the impact level to low, medium, and high will help the organization determine what the most cost-effective security controls are needed to help mitigate risk. In addition, using a risk management framework security lifecycle will help ensure that the organization remains secure.
NIST 800-60 V1R1 “Guideline for Mapping Types of Information and Information Systems to Security Categories” provides organizations with a useful framework for aligning different types of information and information systems with security categories. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information. It offers clear guidance, promotes consistency, enhances risk identification and management, and facilitates information sharing, thereby helping organizations improve their overall security posture.
The guide defines the different types of information and information systems, including the types of information processed, stored or transmitted and the functions, uses and architecture of the system. These categorizations may be based on the sensitivity of the data (e.g., confidentiality, privacy, critical infrastructure protection, etc.) as well as the complexity, importance or criticality of the system. In the mapping process, there are a number of factors to consider: sensitivity of information, complexity of systems, business process dependencies and potential security threats and vulnerabilities. The guidance also emphasizes the importance of communication and collaboration with stakeholders (e.g., business leaders, legal counsel, security experts, etc.) to ensure the effectiveness and compliance of the mapping process.
When starting to design a security plan for an information system, it is important to assign security categories to the system. In order to establish the security classification of the system, it is necessary to determine what type of data will be stored and how the system (business functions) will be used within the organization. Having this information will enable the organization to determine the potential impact of this information on the organization and how it relates to security objectives (confidentiality, integrity, and availability). Setting low, medium and high impact levels using FIPS 199 will help organizations determine which of the most cost-effective security controls are needed to help reduce risk. Also, leveraging the risk management framework security lifecycle will help ensure that the organization remains secure.
The guide covers four main topics, including:
1.Information Categorization: It explains how to categorize information based on its sensitivity, confidentiality, integrity, and availability requirements.
2.Information System Classification: It provides guidance on classifying information systems based on their function, purpose, and the sensitivity of the information they process, store, or transmit.
3.Mapping to Security Categories: The guide details how to map information and information systems to specific security categories based on their sensitivity and criticality.
4.Security Control Selection: It provides guidance on selecting appropriate security controls for each security category. This includes controls for access control, identification and authentication, auditing and monitoring, and other key areas.
NIST SP 800-60 was developed to ensure that information systems are accurately categorized according to the low, medium, and high impact levels specified in FIPS 199. System classification is a core step in safeguarding the confidentiality, integrity, and availability of information assets against threats by ensuring that information assets are protected by appropriate minimum requirements and necessary controls. With accurate system categorization, the subsequent steps of the NIST Risk Management Framework can move forward in a solid manner.
This article describes a four-step process designed to ensure maximum accuracy in impact level assignments. The first step is to identify the type of information stored or processed by the system, whether it is classified, restricted, or public. The second step involves temporarily assigning an impact level to the system based on the type of information. The third step involves reviewing additional details of the system in order to adjust the impact level and finalize the classification. The final step is to formally assign a security category to the system. Through this process, we are able to more accurately protect information assets and ensure that they are safe and secure.
NIST 800-60 V1R1 Guide for Mapping Types of Information and Information Systems to Security Categories highlights the significance of the security classification process. This process involves several crucial steps. Initially, organizations must classify their information systems. Subsequently, they must select the most suitable security controls for each IS, considering local conditions, organizational compliance, threats, cost-benefit analysis, and special circumstances, referencing FIPS 200. Implementation of these controls is the next step, ensuring they align with the system’s security requirements. Evaluation follows, aiming to assess the controls’ performance, correctness, and their alignment with desired outcomes. Authorization of the information system is then granted upon determining the risk is acceptable. Finally, continuous monitoring of the implemented controls is essential, involving documentation, security impact analysis, and regular status reporting to organizational officials. A noteworthy aspect of NIST 800-60 V1R1 is its emphasis on mapping information and systems to security categories, which enhances organizations’ understanding of asset value and sensitivity. This mapping allows for more effective determination and implementation of suitable security controls, thereby protecting assets, mitigating risks, and ensuring compliance with relevant security standards and guidelines.
NIST 800 60 V1R1 Guide fundamentally explains FISMA’s focus on developing meaningful guidance that recommends the types of information and information systems that are important components of each category of potential security impact. The guidance is primarily intended to help agencies continuously map security impact levels to the following types: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigative); (ii) Information systems (e.g., mission critical, mission support, administration). The section goes on to say that the guidance applies to all federal information systems except national security systems. National security systems store, process, or communicate national security information. The paper further argues that security classification is an important step in integrating security into the assessment of government agencies’ operations and information technology management, thereby determining the basis for standardization of their information system security. However, security classification first examines which information supports which lines of government business, as described in the Federal Enterprise Architecture (FEA). In addition, these steps undoubtedly focus on assessing security requirements in terms of confidentiality, integrity, and availability. The result, therefore, will be a close linkage between missions, information and information systems, and the establishment of cost-effective information security.
The guide aims to define all types of information and information systems, covering the types of information to be processed, stored, or transmitted, as well as system functions, applications, and architectures. Such classifications can be divided according to data sensitivity (ie, confidentiality, privacy, critical infrastructure protection, etc.) and system complexity, importance, or criticality. In the mapping process, the information sensitivity, system complexity, business process dependence, and potential security threats and vulnerabilities should be considered comprehensively. The guidelines also emphasize the importance of communication and cooperation with stakeholders (such as business leaders, legal advisers, security experts, etc.) to ensure the effectiveness and compliance of the mapping process.
After reading the NIST 800 60 V1R1 guide for mapping information and information system types to security categories, security protection is divided into five levels according to the importance of network information systems, data, and information on the network. Different levels of network, information systems, and data on the network have different security protection measures. Information classification is also explored, which is based on the sensitivity, confidentiality, integrity and availability requirements of information according to FIPS 199. According to the controls in FIPS 200, the appropriate security controls for information security are selected by evaluating specific conditions, specific organization compliance, threats, cost-benefit analysis and other factors. NIST 800-60 V1R1 also addresses an emphasis on mapping information and systems into security categories, thereby enhancing an organization’s understanding of asset value and sensitivity.
NIST 800-60 V1R1 is a guide published by the National Institute of Standards and Technology (NIST) in the United States, commonly known as the Guide for Mapping Types of Information and Information Systems to Security Categories.
The purpose of this guide is to provide organizations and institutions with a method to classify their information and information systems into different security categories. Security categories are defined based on the sensitivity of information and the need for its protection. By categorizing information and information systems into different security categories, organizations can better understand the security requirements of their information assets and take corresponding security measures to protect these assets.
The NIST 800-60 guidelines provide a detailed set of steps and processes to help organizations determine the security categories of their information and information systems. These steps include identifying the types of information and information systems, determining the sensitivity level of information, evaluating the value and impact of information, and mapping information and information systems to corresponding security categories.
By using the NIST 800-60 guidelines, organizations can better understand the security requirements of their information assets and develop corresponding security strategies and measures to protect these assets. This helps organizations establish an effective information security management system to ensure the confidentiality, integrity, and availability of information.
It provides a framework to help organizations map their information and information system types to the appropriate security categories. The purpose of this guidance is to simplify and harmonize the process by which federal agencies conduct information security classification.
Information Type classification: Details the different types of information (such as personal information, sensitive but non-personal private information, public information, etc.) and their potential levels of impact (low, medium, high).
Classification of information systems: Provides guidance on how to classify information systems based on factors such as system purpose, type of information processed, user groups, etc.
Mapping process: describes specific steps and methods for mapping information and information system types to security categories. This includes determining the sensitivity of the information, assessing the complexity of the system, and applying the “take high” principle to determine the overall security category.
Examples and case studies: Practical examples and case studies are provided to help readers understand and apply the mapping process.
Tools and resources: Provides tools and resources that can be used to assist the mapping process, such as templates, checklists, etc.
By following the guidance of NIST SP 800-60 Volume 1, Revision 1, organizations can ensure that their information and information systems are properly classified for security, thereby laying the foundation for implementing appropriate security controls. This classification also helps to determine the security requirements of the system in security assessment programs such as FedRAMP.
The NIST SP 800-60 Process Roadmap provides detailed steps for identifying the information system.
Step 1 identifies all of the information types that are input, stored, processed, and/or output from each system.
Step 2 selects provisional impact level and Determine the security category (SC) for each information type: SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Step 3 reviews the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing. Step 4 Assign the overall information system impact level based on the highest impact level for the system security objectives (confidentiality, integrity, availability).
This process roadmap can be used to the selection of the set of security controls necessary for each system and the system risk assessment.
In order to better coordinate available resources, maximise security during the operation of information systems, spend the least amount of money to provide security measures and achieve minimum standards of confidentiality, integrity and availability of information systems, we should carry out a security design at the beginning of the construction of an information system, assigning the corresponding security level to the system.
In order to establish the security classification of a system, it is necessary to identify the type of data that will be stored and how the system will be used within the organisation. Using FIPS 199 to set the impact level to low, medium and high will help the organisation to determine what the most cost-effective security controls are needed to help reduce risk. In addition, using the Risk Management Framework Security Lifecycle will help ensure that the organisation stays secure.A notable aspect of NIST 800-60 V1R1 is its emphasis on mapping information and information system types to security categories. This process can help organisations better understand the value and sensitivity of their information assets, enabling them to effectively identify and implement appropriate security controls. By clearly defining information and information system types and mapping them to appropriate security categories, organisations can better protect their information assets, mitigate security risks and comply with applicable security standards and guidelines.
Corresponding to the foreign rainbow book, China has also compiled corresponding levels of cybersecurity level protection, and security protection is carried out in accordance with the corresponding levels.
NISTSP800-60 develops guidelines for FISMA direction, including information and types of information systems in each potential security impact category. This guide applies to all federal information systems except for national security systems. Security classification is a crucial first step in a risk management framework, and the initial security classification should be conducted early in the system development lifecycle (SDLC) of the organization. SP800-60 maps information types to security categories, security objectives, and impact levels. The method of assigning security impact levels and security classifications to information types and information systems.
From this page I know that NIST SP 800-60 Volume I, Revision 1 Guidance on Mapping Information and Information System Types to Security Categories is a guide published by the National Institute of Standards and Technology (NIST). Designed to provide federal government agencies and other organizations with guidance on mapping information and information system types to appropriate security categories. The guide is part of the NIST SP 800 series of special publications focused on information security.
The primary goal of the NIST SP 800-60 V1R1 is to help organizations determine the security categories of their information and information systems so that they can select and implement appropriate security controls to protect these information assets. Security categories are determined based on the potential impact of confidentiality, integrity, and availability of information (the CIA triad).
This document addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. The one of the key points that I took from this reading is how to establish an appropriate security category for an information type and the generalized format for expressing the security category of an information type is: Security Category information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}.
The safety life cycle is divided into six cyclic steps.
Safety classification is a critical first step in a risk management framework.
Step2 is to utilize NIST SP 800-53 and SP 800-30, Guidelines for Risk Management of Information Technology Systems, based on risk and local conditions assessment, including the security needs of a specific organization, specific threat information, cost-benefit analysis, or initial customized security controls for special circumstances.
Step3 is to implement security controls in the information system.
Step4 is to evaluate security controls using appropriate methods and procedures.
Step5 is to authorize information system operations based on the risks arising from information system operations and the determination of the Federal Information System Security Certification and Certification Guidelines set forth in NIST SP 800-37.
Step6: continuously monitors and evaluates selected security controls in the information system.
In this guide, data types are divided into very fine, there are hundreds of categories, and information data from the perspective of confidentiality, integrity, availability to describe its potential impact, a total of low, medium, high three levels.
In this reading material, the key point I found is Guidelines for System Categorization. In some cases, the impact level for a system security category will be higher than any security objective impact level for any information type processed by the system. The primary factors that most commonly raise the impact levels of the system security category above that of its constituent information types are aggregation and critical system functionality. This section provides us some general guidelines regarding how aggregation, critical functionality, and other system factors may affect system security categorization. Agency personnel should be aware that there are several factors that should be considered during the aggregation of system information types. When considering these factors, previously unforeseen concerns may surface affecting the confidentiality, integrity, and/or availability impact levels at the system level. These factors include data aggregation, critical system functionality, extenuating circumstances, and other system factors.
This guide provides basic information on how to prepare a system security plan in accordance with applicable federal requirements and can be easily adapted to a variety of organizational structures. First, the plan should clearly define the responsibilities and expected behaviors of all individuals who have access to the system. Then, organizational policies should clearly define who is responsible for system security plan approval and the procedures established for plan submission, including any special memorandum language or other documentation required by the agency.FIPS 200 provides seventeen minimum security requirements for federal information and information systems. These requirements represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting the confidentiality, integrity, and availability of federal information and information systems.