Per National Institute of Standards and Technology Special Publication 800-37 Revision 1, the first step in the Risk Management Framework (RMF) is to categorize the information system (NIST, 2010). The guide to categorizing non-national security systems is FIPS 199 (NIST, 2004), and the guide for national security systems is CNSSI 1253 (CNSS, 2012). Both documents reference the need to classify data types as a prerequisite to determining the confidentiality, integrity and availability (CIA) impact levels. This classification is part of categorizing an information system and is a direct input into selecting the appropriate security controls in step 2.
The NIST guide used to determine information types is NIST SP 800-60 (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008). This document, along with its appendix, helps organizations understand the information types that have already been defined and which of them apply to the organization. It also identifies the baseline level of protection required for confidentiality, integrity and availability of each type. While most have probably not read these and the other associated documents, they actually serve as the foundation of the RMF: they are part of step 1 and affect everything that follows.
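The mechanics that FIPS 199 and SP 800-60 describe for this step can be shown as a small worked example. The following is added here and is not code from the original post or from NIST; it assumes FIPS 199's "high water mark" rule (the system's impact level for each security objective is the highest level among its information types, with LOW as the floor at system level) and SP 800-60's practice of adjusting a provisional level with documented rationale. The information types and their impact levels are constructed sample data, not values taken from the SP 800-60 appendix.

```python
"""Added example (not from the original post or from NIST):
FIPS 199 high-water-mark categorization of an information system.

Each information type carries provisional impact levels for
confidentiality, integrity and availability (SP 800-60 supplies these).
The system-level category takes, per objective, the highest level found
among its information types. The sample information types below are
constructed for illustration only.
"""
from typing import Dict, Mapping, Optional, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Ordering of impact levels. "NA" (not applicable) is permitted by FIPS 199
# only for the confidentiality of an individual information type, never for
# a system as a whole and never for integrity or availability.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}

Category = Dict[str, str]  # objective -> impact level

# Constructed sample: information type -> provisional (C, I, A) levels.
SAMPLE_TYPES: Dict[str, Tuple[str, str, str]] = {
    "public web content": ("NA", "MODERATE", "LOW"),
    "personnel records": ("MODERATE", "MODERATE", "LOW"),
    "budget formulation": ("LOW", "MODERATE", "LOW"),
}


def _check_level(objective: str, level: str) -> None:
    """Reject unknown levels and NA outside confidentiality."""
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "NA" and objective != "confidentiality":
        raise ValueError("NA is only permitted for confidentiality")


def type_category(levels: Tuple[str, str, str],
                  adjustments: Optional[Mapping[str, str]] = None) -> Category:
    """Per-type category after any justified adjustments (objective -> level).

    SP 800-60 lets an organization raise or lower a provisional level with a
    documented rationale; the rationale itself is out of scope here.
    """
    cat = dict(zip(OBJECTIVES, levels))
    for objective, level in (adjustments or {}).items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective {objective!r}")
        cat[objective] = level
    for objective, level in cat.items():
        _check_level(objective, level)
    return cat


def system_category(
    types: Mapping[str, Tuple[str, str, str]],
    adjustments: Optional[Mapping[str, Mapping[str, str]]] = None,
) -> Category:
    """High water mark across all information types on the system.

    Starts each objective at LOW, the minimum FIPS 199 allows for a system,
    so a type whose confidentiality is NA never pulls the system below LOW.
    """
    if not types:
        raise ValueError("a system must carry at least one information type")
    result: Category = {objective: "LOW" for objective in OBJECTIVES}
    for name, levels in types.items():
        cat = type_category(levels, (adjustments or {}).get(name))
        for objective in OBJECTIVES:
            if IMPACT_RANK[cat[objective]] > IMPACT_RANK[result[objective]]:
                result[objective] = cat[objective]
    return result


def overall_impact(cat: Category) -> str:
    """Single impact level (highest of the three) used in step 2 to pick the
    low/moderate/high control baseline, as FIPS 200 prescribes."""
    return max(cat.values(), key=lambda level: IMPACT_RANK[level])


def format_sc(name: str, cat: Category) -> str:
    """Render in FIPS 199 notation: SC name = {(objective, impact), ...}."""
    pairs = ", ".join(f"({objective}, {cat[objective]})" for objective in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


if __name__ == "__main__":
    sc = system_category(SAMPLE_TYPES)
    print(format_sc("payroll system", sc))
    print("overall impact:", overall_impact(sc))
    # A justified adjustment on one type raises the whole system's availability.
    adjusted = system_category(SAMPLE_TYPES, {"personnel records": {"availability": "HIGH"}})
    print(format_sc("payroll system (adjusted)", adjusted))
```

Two points the code makes explicit that the prose leaves implicit: the system category is driven by the most demanding information type on the system, so adding a single sensitive type can raise the baseline for everything that shares the system; and the step-2 baseline is then selected from the single highest of the three objectives, which is why getting the information types right in step 1 affects everything that follows.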
Of note in this process of categorizing systems based on data types is that the classification of systems themselves appears to take a secondary role, though the documents do mention it. This is an interesting approach and to a degree resembles the way industry operates. Industry has moved towards service-based delivery and quantifies its services and the associated contracts in service level agreements (SLAs). Government does not appear anywhere close to being able to qualify or quantify its services, or to sign an SLA guaranteeing a standard level of service. However, forcing government agencies to go through the process of focusing on data types is a way of focusing on what the organization provides to its customers. This is a step in the right direction: organizations come to understand their systems and functions from a service and service level perspective, and also to understand the IT systems supporting those services in that same context. When an organization begins to understand the services it provides, it gains a much better understanding of the systems that support each service. When that occurs, it is in a much better position to really understand the risk to its systems and services and to apply risk management more effectively.
Works Cited

CNSS. (2012, March 15). Security Categorization and Control Selection for National Security Systems (CNSSI No. 1253). Retrieved July 16, 2015, from http://www.sandia.gov/fso/PDF/flowdown/Final_CNSSI_1253.pdf

NIST. (2004, February). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). Retrieved July 16, 2015, from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

NIST. (2010, February). Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37 Rev. 1). Retrieved July 16, 2015, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). Guide for Mapping Types of Information and Information Systems to Security Categories (Volume I) (NIST SP 800-60 Rev. 1). Retrieved July 16, 2015, from http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf