16 ◾ Official (ISC)² Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
crashes; local shoe sale in the next week is Low, because the information
could hold for several days.
Integrity: Depends on the need for accuracy of the information: airplane
tracking information is High, because inaccurate tracking data can result
in inaccurate advice to pilots and potential plane crashes; weather reports
to the public are Moderate, because of the minimal accuracy of the reports
and their limited impact.
Confidentiality: Depends on the type of information: a shoe sale is not
applicable, because the store wants everyone to see it; a person's private
information is Moderate or High, because it is very sensitive and there is
the potential for lawsuits and fines; weapon capabilities are High, because
disclosure could cause loss of life or serious injury.
Sharing Research Information:
Availability: Low, because research is normally a methodical, long-term effort.
Integrity: Moderate, because results are used for the development of solutions
that have to be tested.
Confidentiality: Not applicable if it is publicly available research; Moderate
or High if R&D supports future product development; and up to High if R&D
supports weapons systems.
Matching Harvested Human Organs to Patients in Need:
Availability: High, because harvested organs only last hours.
Integrity: High, because of the need to get the right information for organ
matches and shipping.
Confidentiality: Moderate if the patient's privacy-protected information and
health information are identified, but could be Low if patients are identified
by codes.
Allowing Gamblers to Gamble Online:
Availability: High, because gamblers want to gamble now.
Integrity: High, because the money and reputation of the casino can be
impacted.
Confidentiality: High, because of the reputation of the casino for protecting
client confidentiality.
NIST has identied another way to conduct an impact analysis: Security
Categorization.
Security Categorization Process
In an attempt to provide a checklist process to help organizations identify what
level of protection a system requires, NIST produced the Security Categorization
process and supporting tables to do an initial assessment based on the system's
information types and the mission supported. This process is called Security
Categorization (SECCAT). The process is documented in FIPS 199, Standards
for Security Categorization of Federal Information and Information Systems. Because
the process was issued in the NIST FIPS series, it is mandatory for all U.S.
government systems.
SECCAT uses basic tables located in NIST SP 800-60, “Guide for Mapping
Types of Information and Information Systems to Security Categories,” and NIST
SP 800-53, “Recommended Security Controls for Federal Information Systems.”
These documents are used to map the system's types of information and the operations
it supports, both internally and externally, to the three security properties of
Availability, Integrity, and Confidentiality (AIC), producing an impact rating of
High, Moderate, or Low for each property of each information type and operation
supported. With this impact rating, the NIST SP 800-53 tables are used to provide
recommendations on the types of controls to be used to secure the system. Figure 1.2
provides a visual presentation of the process. Following are the basic steps:
System Information and Supported Operations: Identify the types of infor-
mation and operations supported by the system—this data was collected dur-
ing the review of the business processes supported by the system, discussed in
the section on Group Business Processes.
[Figure 1.2 Security categorization process. The figure shows four panels in
sequence: Business Analysis / Identification of Systems (list of system
information types and operations supported), AIC Impact Determination (tables
in NIST SP 800-60), AIC High-Water Marks with the Overall Impact High-Water
Mark, and Minimum Control Baseline (table in NIST SP 800-53). The values
legible in the figure are reproduced below.]

Type          Availability   Integrity   Confidentiality
Type Info A   Low            Moderate    N/A
Type Info B   High           Moderate    Low
Type Info C   Moderate       Low         N/A
Type Ops 1    Low            Low         Low
Type Ops 2    High           Moderate    Low

Overall Impact Rating: Availability High, Integrity Moderate,
Confidentiality Low; Overall Impact High-Water Mark: High.

Control Baselines (Control Description against the Low / Moderate / High
columns; only the first row is legible): Control A: No, Yes, Yes.

Figure 1.2 Security categorization process.
Recommended AIC Impacts: Using the tables in the NIST SP 800-60 series,
determine the impact levels (Low, Moderate, or High) for each type of
information and operation supported.
Overall System AIC Impact: Consolidate all the AIC impacts determined in
the last step by identifying the “high-water mark” for each AIC property
and then, by finding the “high-water mark” of those three impacts, identify the
overall system SECCAT as Low-Impact, Moderate-Impact, or High-Impact.
Figure 1.2 provides a simplistic view of this consolidation process.
Recommended Baseline Security Controls: Using the system SECCAT, reference
the table in NIST SP 800-53, Appendix D, Minimum Security Control–Summary,
and select the column related to the category; it lists the minimum security
controls required for the system.
The security controls are from the 17 control families in the management,
operational, and technical classes of controls described in NIST SP 800-53.
Table 1.4 provides a list of these security control classes and families.
Minimal controls for each impact level are 100 controls for Low-Impact
Systems, 212 controls for Moderate-Impact Systems, and 277 controls for
High-Impact Systems.
Caution must be exercised when using this process, because the “minimal
controls” may not all apply. Remember, the overall system impact is a “high-water”
measurement of impact. For example, take a High-Impact System in which the
individual overall AIC ratings were Availability impact High, Integrity impact
Moderate, and Confidentiality impact Not Applicable. Many of the controls that
support only confidentiality requirements may not be required, and some of the
integrity controls may be overkill for the system. These must be reviewed, the
risks assessed, and justifications documented to support security reviews.
Of course the opposite is also true; the organization may add controls beyond
the baseline because management wants the system to have fewer security risks or
for business or management reasons. An example of the latter is when all the
systems in the organization are using two-factor authentication devices and it is
more economical to deploy the devices on all systems, even those that only
require passwords.
Information Classification
Information classification establishes a formal process for identifying what
information needs to be protected and labeling the information in a uniform manner
so individuals and systems can provide the level of protection it requires. An
accurate and clear information classification system is critical for identifying what
information needs to be protected and the level of protection required, and for
setting resource priorities.
There are several concepts related to information classification that need to be
understood: level of impact, “need to know,” classification, and compartmentation.
Basically, the first two are the basis for establishing the latter two concepts.
Level of Impact: The level of impact is the negative result on the success of the
mission or business if the information is not available, is modified without
authorization, or is disclosed to unauthorized people. As discussed in the last
section, the impact can be on operations, assets, or individuals.
Need to Know: The concept of “need to know” is based on what information
individuals or processes need to support their actions. Least privilege
ensures that only those people or processes that need the information to do
their work have access to it.
Table1.4 Controls
Control Class Control Family Identifier
Management Certification, Accreditation, and
Security Assessments
CA
Planning PL
Risk Assessment RA
System and Services Acquisition SA
Operational Awareness and Training AT
Configuration Management CM
Contingency Planning CP
Incident Response IR
Maintenance MA
Media Protection MP
Physical and Environmental Protection PE
Personnel Security PS
System and Information Integrity SI
Technical Access Control AC
Audit and Accountability AU
Identification and Authentication IA
System and Communications Protection SC
The ISSMP needs to determine which individuals and processes require what
information. This is derived from the business processes review mentioned in the
last section. From that review, the ISSMP will be able to identify what information
is “required” and what information is “desired.” Good security is about minimal
access, so the ISSMP needs to reduce the availability to what is required, what the
individual or role truly “needs to know.”
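As an added example (not code from the ISSMP Guide), the following shows how the two foundation concepts above combine into a least-privilege access decision: a classification label ordered by level of impact, and a need-to-know set derived from the business-process review by keeping only the “required” information and dropping what is merely “desired.” The label ladder, roles, information categories and review data are all constructed for illustration.

```python
# Added example, not from the ISSMP Guide: classification label plus
# need-to-know as a least-privilege access check. Labels, roles, categories
# and the review data are constructed assumptions for illustration.

# Constructed classification ladder, least to most sensitive. The labels are
# drawn from the examples listed in the text; their ordering is an assumption.
LABELS = ("Public", "For Company Use Only", "Sensitive", "Restricted")
RANK = {label: i for i, label in enumerate(LABELS)}

# Constructed output of a business-process review: for each role, the
# information categories the process requires and those the role would like.
PROCESS_REVIEW = {
    "claims-adjuster": {"required": {"claims", "policy"}, "desired": {"payroll", "claims"}},
    "payroll-clerk": {"required": {"payroll"}, "desired": {"policy", "claims"}},
}


def need_to_know(review):
    """Reduce each role's access to what is required; 'desired' is discarded."""
    return {role: frozenset(entry["required"]) for role, entry in review.items()}


def can_access(subject, info, ntk):
    """Grant only when the subject's clearance dominates the information's label
    AND the information's category is in the subject's need-to-know set.
    Public information is visible to everyone, so need-to-know is not applied."""
    if info["label"] not in RANK or subject["clearance"] not in RANK:
        raise ValueError("unknown classification label")
    if info["label"] == "Public":
        return True
    cleared = RANK[subject["clearance"]] >= RANK[info["label"]]
    needs = info["category"] in ntk.get(subject["role"], frozenset())
    return cleared and needs


def accessible(subject, items, ntk):
    """List the ids of the items a subject may read, for an access review."""
    return [item["id"] for item in items if can_access(subject, item, ntk)]


# Constructed information inventory.
INVENTORY = [
    {"id": "sale-flyer", "label": "Public", "category": "marketing"},
    {"id": "claim-1001", "label": "Sensitive", "category": "claims"},
    {"id": "policy-77", "label": "For Company Use Only", "category": "policy"},
    {"id": "payroll-q3", "label": "Restricted", "category": "payroll"},
]

if __name__ == "__main__":
    ntk = need_to_know(PROCESS_REVIEW)
    adjuster = {"role": "claims-adjuster", "clearance": "Sensitive"}
    clerk = {"role": "payroll-clerk", "clearance": "For Company Use Only"}
    print("adjuster:", accessible(adjuster, INVENTORY, ntk))
    print("clerk:", accessible(clerk, INVENTORY, ntk))
```

The clerk example shows the two tests failing independently: the clerk has need-to-know for payroll but no clearance for a Restricted label, while the adjuster is cleared for Sensitive information but has no need-to-know for payroll even though the review recorded it as desired.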
Classication is a label used to identify the sensitivity level of the information
based on impact. ere can be several classications, but keeping them to a mini-
mum makes it easier to document and manage, and for the employees to under-
stand. Organizations use a lot of dierent labels for identifying the various levels of
sensitivity. Below are some examples:
Sensitive Corporate Condential
Private Proprietary Information
Public Product Sensitive
Restricted For Company Use Only
Trade Secret Personnel Information
Each organization uses labels that are meant to be understandable by its
employees and relate to the sensitivity level of the information. One of the most
well-known information classification systems is the one used by the U.S.
government, which defines three levels of security classification as follows:
Top Secret: “shall be applied to information, the unauthorized disclosure of
which reasonably could be expected to cause exceptionally grave damage
to the national security that the original classification authority is able to
identify or describe.”
Secret: “shall be applied to information, the unauthorized disclosure of which
reasonably could be expected to cause serious damage to the national
security that the original classification authority is able to identify or describe.”
Confidential: “shall be applied to information, the unauthorized disclosure of
which reasonably could be expected to cause damage to the national security
that the original classification authority is able to identify or describe.” (Source:
Executive Order 12958, as Amended, Classified National Security Information,
http://www.archives.gov/isoo/policy-documents/eo-12958-amendment.html)
Notice that each level is based on the expected damage (impact) if the
information is disclosed. Restricting information to only those trusted individuals
who have authorized access reduces the potential for disclosure of that information
and the risk of the damage occurring. Using the concept of compartmentation, this
risk can be further lowered. Compartmentation is defined as the establishment and