18 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
Recommended AIC Impacts: Using the tables in the NIST SP 800-60 series, determine the impact level (Low, Moderate, or High) for each AIC property of every information type and operation the system supports.
Overall System AIC Impact: Consolidate the AIC impacts determined in the previous step by identifying the "high-water mark" (the highest impact level assigned) for each AIC property across all information types, and then, by taking the high-water mark of those three property-level impacts, identify the overall system SECCAT as Low-Impact, Moderate-Impact, or High-Impact. Figure 1.2 provides a simplified view of this consolidation process.
Recommended Baseline Security Controls: Using the system SECCAT, reference the table in NIST SP 800-53, Appendix D, Minimum Security Control–Summary, and select the column for that category; it lists the minimum security controls required for the system.
The security controls are drawn from the 17 control families in the management, operational, and technical classes of controls described in NIST SP 800-53. Table 1.4 provides a list of these security control classes and families.
The minimum control sets for each impact level are 100 controls for Low-Impact Systems, 212 controls for Moderate-Impact Systems, and 277 controls for High-Impact Systems.
Caution must be exercised when using this process, because not all of the "minimum controls" may apply. Remember that the overall system impact is a high-water measurement of impact: it is driven by the single highest AIC property, not by all three. For example, take a High-Impact System in which the per-property AIC ratings were Availability impact High, Integrity impact Moderate, and Confidentiality impact Not Applicable. Many of the controls in the High baseline that support only confidentiality requirements may not be required at all, and some of the integrity controls may be overkill for a system whose integrity impact is only Moderate. These controls must be reviewed, the associated risks assessed, and the justification for any tailoring documented to support later security reviews.
Of course, the opposite is also true: the organization may add controls beyond the baseline because management wants the system to carry less residual risk, or for business or management reasons. An example of the latter is when all the other systems in the organization already use two-factor authentication devices and it is more economical to deploy those devices on every system, including those that would only require passwords.
Information Classification
Information classification establishes a formal process for identifying what information needs to be protected and for labeling that information in a uniform manner, so that individuals and systems handling it can apply the level of protection it requires. An accurate and clear information classification scheme is critical for identifying what information needs to be protected, the level of protection required, and how to set resource priorities.