Chapter 1: Enterprise Security Management Practices (4/15)

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

16 ◾ Ofﬁcial (ISC)

® Guide to the ISSMP® CBK®

crashes; local shoe sale in the next week is Low, because the information

could hold for several days.

Integrity: Depends on the need for accuracy of the information: airplane

tracking information is High, because inaccurate tracking data can result

in providing inaccurate advice to pilots and potential plane crashes;

weather reports to the public is Moderate, because of the minimal accu-

racy of the reports and impact.

Condentiality: Depends on the type of information: shoe sale is not appli-

cable, because they want everyone to see it; a person’s private information

is Moderate or High, because it is very sensitive information and there is

the potential for lawsuits and nes; weapon capabilities is High, because

it could cause loss of life or serious injury.

Sharing Research Information:

Availability: Low, because research is normally a methodical, long-term eort.

Integrity: Moderate, because results are used for the development of solu-

tions that have to be tested.

Condentiality: Not applicable if it is publicly available research; Moderate

or High if R&D supports future products development; and up to High

if R&D supports weapons systems.

Matching Harvested Human Organs to Patients in Need:

Availability: High, because harvested organs only last hours.

Integrity: High, because of the need to get the right information for organ

matches and shipping.

Condentiality: Moderate if the patient’s privacy protected information and

health information are identied, but could be Low if patients are identi-

ed by codes.

Allowing Gamblers to Gamble Online:

Availability: High, because gamblers want to gamble now.

Integrity: High, because the money and reputation of the casino can be

impacted.

Condentiality: High, because of the reputation of the casino for protecting

client condentiality.

NIST has identied another way to conduct an impact analysis: Security

Categorization.

Security Categorization Process

In an attempt to provide a checklist process to help organizations identify what

level of protection a system requires, NIST produced the Security Categorization

process and supporting tables to do an initial assessment based on the system

information types and the mission supported. is process is called Security

Categorization (SECCAT). e process is documented in FIPS 199, Standards

Enterprise Security Management Practices ◾ 17

for Security Categorization of Federal Information and Information Systems. By

issuing the process in the NIST FIPS series, the process is mandatory for all U.S.

government systems.

SECCAT uses basic tables located in NIST SP 800-60, “Guide for Mapping

Types of Information and Information Systems to Security Categories,” and NIST

SP 800-53, “Recommended Security Controls for Federal Information Systems.”

ese documents are used to equate the system’s types of information and operations

supported, both internally and externally, to the three security Availability, Integrity,

and Condentiality (AIC) properties to provide an overall system impact rating of

High, Moderate, or Low for each property for each information type and operation

supported. With this impact rating, NIST 800-53 tables are used to provide rec-

ommendations on the types of controls to be used to secure the system. Figure1.2

provides a visual presentation of the process. Following are the basic steps:

System Information and Supported Operations: Identify the types of infor-

mation and operations supported by the system—this data was collected dur-

ing the review of the business processes supported by the system, discussed in

the section on Group Business Processes.

LowModerateHighType Info B

N/ALowModerateType Info C

LowModerateHighType Ops 2

LowLowLowType Ops 1

N/AModerateLowType Info A

ConﬁdentialityIntegrityAvailabilityType

Business

Analysis

List of system information types and operations supported

Overall Impact Rating

ConﬁdentialityIntegrityAvailability

HighLowModerateHigh

Control

Description

Low Moderate High

Control Baselines

Control A No Yes Yes

Control B Yes

Control C No

Control D Yes

Control E No

Yes Yes

No Yes

No No

AIC High-Water Marks

AIC Impact Determination

Overall Impact High-Water Mark

Identiﬁcation

of System’s

Minimum

Control

Baseline

Tables in

NIST SP

800-60

Table in

NIST SP

800-53

Figure 1.2 Security categorization process.

18 ◾ Ofﬁcial (ISC)

® Guide to the ISSMP® CBK®

Recommended AIC Impacts: Using the tables in the NIST SP 800-60 series,

determine the impact levels (Low, Moderate, or High) for each type of infor-

mation and operation supported.

Overall System AIC Impact: Consolidate all the AIC impacts determined in

the last step by identifying the “high-water mark” for each AIC property

and, by nding the “high-water mark” with those three impacts, identify the

overall system SECCAT as Low-Impact, Moderate-Impact, or High-Impact.

Figure1.2 provides a simplistic view of this consolidation process.

Recommended Baseline Security Controls: Using the system SECCAT, refer-

ence the table in NIST SP 800-53, Appendix D, Minimum Security Control–

Summary, and select the column related to the category providing the min i mum

security controls required for the system.

e security controls are from the 17 control families in the management, oper-

ational, and technical classes of controls described in NIST SP 800-53. Table1.4

provides a list of these security control classes and families.

Minimal controls for each impact level are 100 controls for Low-Impact

Systems, 212 controls for Moderate-Impact Systems, and 277 controls for High-

Impact Systems.

Caution must be exercised when using this process, because the “minimal con-

trols” may not all apply. Remember, the overall system impact is a “high-water

measurement of impact.” For example, take a High-Impact System in which the

individual overall AIC ratings were Availability impact High, Integrity impact

Moderate, and Condentiality impact was Not Applicable. Many of the controls

that support only condentiality requirements may not be required and some of the

integrity controls may be overkill for the system. ese must be reviewed, the risks

assessed, and justications documented to support security reviews.

Of course the opposite is also true; the organization may add additional con-

trols because management wants the system to have fewer security risks or for busi-

ness or management reasons. An example of the latter is when all the systems in the

organization are using two-factor authentication devices and it is more economical

to deploy the devices on all systems, even those that only require passwords.

Information Classiﬁcation

Information classication establishes a formal process for identifying what infor-

mation needs to be protected and labeling the information in a uniform manner

so individuals and systems can provide the level of protection they require. An

accurate and clear information classication system is critical for identifying what

information needs to be protected, the level of protection required, and setting

resource priorities.

Enterprise Security Management Practices ◾ 19

ere are several concepts related to information classication that need to be

understood: level of impact, “need to know,” classication, and compartmentation.

Basically, the rst two are the basis for establishing the latter two concepts.

Level of Impact: e level of impact is the negative result on the success of the

mission or business if the information is not available, is modied without

authorization, or is disclosed to unauthorized people. As discussed in the last

section, the impact can be on operations, assets, or individuals.

Need to Know: e concept of “need to know” is based on what individuals

or processes need the information to support their actions. Least privilege

ensures that only those people or processes with access to the information

have that access in order to do their work.

Table1.4 Controls

Control Class Control Family Identiﬁer

Management Certiﬁcation, Accreditation, and

Security Assessments

Planning PL

Risk Assessment RA

System and Services Acquisition SA

Operational Awareness and Training AT

Conﬁguration Management CM

Contingency Planning CP

Incident Response IR

Maintenance MA

Media Protection MP

Physical and Environmental Protection PE

Personnel Security PS

System and Information Integrity SI

Technical Access Control AC

Audit and Accountability AU

Identiﬁcation and Authentication IA

System and Communications Protection SC

20 ◾ Ofﬁcial (ISC)

® Guide to the ISSMP® CBK®

e ISSMP needs to determine which individuals and processes require what

information. is is derived from the business processes review mentioned in the

last section. From that review, the ISSMP will be able to identify what information

is “required” and what information is “desired.” Good security is about minimal

access, so the ISSMP needs to reduce the availability to what is required, what the

individual or role truly “needs to know.”

Classication is a label used to identify the sensitivity level of the information

based on impact. ere can be several classications, but keeping them to a mini-

mum makes it easier to document and manage, and for the employees to under-

stand. Organizations use a lot of dierent labels for identifying the various levels of

sensitivity. Below are some examples:

Sensitive Corporate Condential

Private Proprietary Information

Public Product Sensitive

Restricted For Company Use Only

Trade Secret Personnel Information

Each organization uses labels that are meant to be understandable by its

employees and relate to the sensitivity level of the information. One of the most

well-known information classication systems is the one used by the U.S. govern-

ment, which denes three levels of security classication as follows:

Top Secret: “shall be applied to information, the unauthorized disclosure of

which reasonably could be expected to cause exceptionally grave damage

to the national security that the original classication authority is able to

identify or describe.”

Secret: “shall be applied to information, the unauthorized disclosure of which

reasonably could be expected to cause serious damage to the national secu-

rity that the original classication authority is able to identify or describe.”

Condential: “shall be applied to information, the unauthorized disclosure of

which reasonably could be expected to cause damage to the national security

that the original classication authority is able to identify or describe.” (Source:

Executive Order 12958, as Amended, Classied National Security Information,

http://www.archives.gov/isoo/policy-documents/eo-12958-amendment.html)

Notice that each level is based on the expected damage (impact) if the informa-

tion is disclosed. Restricting information to only those trusted individuals who

have authorized access reduces the potential for disclosure of that information and

the risk of the damage occurring. Using the concept of compartmentation, this

risk can be further lowered. Compartmentation is dened as the establishment and

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 1: Enterprise Security Management Practices (4/15)

Create new playlist

Sign In

Sign Up

Table of Contents for
Chapter 1: Enterprise Security Management Practices (4/15)