
Categorization: Categorize The Information System


CATEGORIZATION

CATEGORIZE THE INFORMATION SYSTEM


PURPOSE
The purpose of the Categorize step is to inform organizational risk
management processes and tasks by determining the adverse impact to
organizational operations and assets, individuals, other organizations, and
the Nation with respect to the loss of confidentiality, integrity, and
availability of organizational systems and the information processed, stored,
and transmitted by those systems.
SYSTEM DESCRIPTION
• TASK C-1: Document the characteristics of the system.
• Primary Responsibility: System Owner
• SDLC Phase: Initiation
• References: SP 800-18
Discussion
• A description of the system characteristics is documented in the security and
privacy plans, included in attachments to the plans, or referenced in other
standard sources for the information generated as part of the SDLC.
• The level of detail in the security and privacy plans is determined by the
organization and is commensurate with the security categorization and the
security and privacy risk assessments of the system. Information may be added
to or updated in the system description as it becomes available during the
system life cycle, during the execution of the RMF steps, and as any system
characteristics change.
Discussion Con’t
Examples of descriptive information that organizations can include in security and privacy plans:
• Full descriptive name of the information system, including any associated acronym
• Unique information system identifier
• Hardware and firmware devices included within the information system
• Location of the information system and the environment in which it operates
• System version or release number
• Manufacturer and supplier information
• Individual responsible for the system
• System contact information
Security Categorization
TASK C-2: Categorize the system and document the security categorization
results.
Primary Responsibility: System Owner; Information Owner or Steward.
SDLC Phase: New – Initiation (concept/requirements definition). Existing –
Operations/Maintenance.
References: FIPS 199; FIPS 200; SP 800-30; SP 800-60 v1; SP 800-60 v2
Categorization Process Con’t
• Sensitivity: Measures the importance assigned to information by its owner
for the purpose of denoting its need for protection. It relates to the data
that resides within an information system.
• Criticality: Measures the degree to which an organization depends on the
information or information system for the success of a mission or of a
business function. It relates to the entire information system.
Categorization Process Step 1: Identify Information Types (NIST SP 800-60 Vol. 1 & 2)
• The first step in the security categorization process is to identify the types of
information the system will receive, store, process, or disseminate.
• This is the primary responsibility of the information owners and the
system owner.
• It is very important to have a thorough understanding of the purpose and
intended use of the information system, e.g. a mission-critical system, or one handling
sensitive, financial, health, or administrative data.
Categorization Process Step 2: Select Provisional Impact Levels
• Select the provisional security impact levels for each identified information type.
• Determine the security category (SC) for each information type:
SC information type = {(confidentiality, impact), (integrity, impact),
(availability, impact)}
where impact is LOW, MODERATE, or HIGH. FIPS 199 permits a value of NOT
APPLICABLE only for the confidentiality objective of an information type.
• Document the provisional impact levels for confidentiality, integrity, and
availability associated with each of the system's information types.
Categorization Process Step 3: Review Provisional Impact Levels and Adjust/Finalize
Information Type Impact Levels
• Review the appropriateness of the provisional impact levels based on the
organization, environment, mission, use, and data sharing.
• Adjust the impact levels as necessary based on the following considerations:
- Confidentiality, integrity, and availability factors
- Situational and operational drivers (timing, life cycle, etc.)
- Legal or statutory reasons
• Document all adjustments to the impact levels and provide the rationale or
justification for the adjustments.
Categorization Process Step 4: Assign System Security Category
• Review identified security categorizations for the aggregate of information types.
• Determine the system security categorization by identifying the security impact level high
water mark for each of the security objectives (confidentiality, integrity, availability)
• Adjust the security impact level high water mark for each system security objective, as
necessary
• Assign the overall information system impact level based on the highest impact level for the
system security objectives (confidentiality, integrity, availability)
• Follow the agency’s oversight process for reviewing, approving, and documenting all
determinations or decisions
Example 1
Information Type:
An organization managing public information on its web server determines
that there is no potential impact from a loss of confidentiality (confidentiality
requirements are not applicable), a moderate potential impact from a loss of
integrity, and a moderate potential impact from a loss of availability.
The resulting security category, SC, of this information type is expressed as
SC public information = {(confidentiality, NA), (integrity, M), (availability, M)}
Example 2
Information Type:
A law enforcement organization managing extremely sensitive investigation
information determines that the potential impact from a loss of
confidentiality is high, the potential impact from a loss of integrity is
moderate, and the potential impact from a loss of availability is moderate.
The resulting security category, SC, of this information type is expressed as
SC investigation information = {(confidentiality, H), (integrity, M), (availability, M)}
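The categorization procedure in Steps 1 through 4 above, and the two FIPS 199 examples, worked through as a small Python script. This is an added example, not code from the page or from NIST. The information types, the availability adjustment and its rationale, and all function and class names are constructed for illustration. It encodes two FIPS 199 rules the slides do not spell out: NOT APPLICABLE (NA) is allowed only for the confidentiality objective of an information type, and the system-level value for every objective is at least LOW, so an NA on the only information type still yields LOW for the system.

```python
"""FIPS 199 / SP 800-60 security categorization worked through in code.

Constructed example (not NIST's code): the two FIPS 199 information types
from the slides are treated as if both reside on one system, and the system
security category is derived with the high-water-mark rule.
"""
from dataclasses import dataclass, field

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 potential impact values, lowest to highest. NA (not applicable)
# is permitted only for the confidentiality objective of an information type.
RANK = {"NA": 0, "L": 1, "M": 2, "H": 3}


def validate(levels: dict, allow_na: bool) -> None:
    """Reject unknown impact values and NA where FIPS 199 does not allow it."""
    for obj in OBJECTIVES:
        level = levels[obj]
        if level not in RANK:
            raise ValueError(f"unknown impact value {level!r} for {obj}")
        if level == "NA" and not (allow_na and obj == "confidentiality"):
            raise ValueError(f"NA is not permitted for {obj} at this level")


@dataclass
class InfoType:
    name: str
    provisional: dict                                 # Step 2: objective -> provisional level
    adjustments: dict = field(default_factory=dict)   # Step 3: objective -> (new level, rationale)

    def finalized(self) -> dict:
        """Step 3: apply adjustments; every adjustment must carry a documented rationale."""
        levels = dict(self.provisional)
        for obj, (level, rationale) in self.adjustments.items():
            if not rationale:
                raise ValueError(f"{self.name}/{obj}: adjustment needs a documented rationale")
            levels[obj] = level
        validate(levels, allow_na=True)
        return levels


def sc_string(name: str, levels: dict) -> str:
    """Render the FIPS 199 generalized format: SC name = {(confidentiality, X), ...}."""
    pairs = ", ".join(f"({obj}, {levels[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


def system_category(info_types: list, system_adjustments: dict = None) -> dict:
    """Step 4: per-objective high-water mark across all information types.

    A system's confidentiality is never NA: the minimum system-level value for
    every objective is LOW, so NA is raised to L here. Optional system-level
    adjustments also require a rationale.
    """
    hwm = {}
    for obj in OBJECTIVES:
        top = max((t.finalized()[obj] for t in info_types), key=RANK.get)
        hwm[obj] = "L" if top == "NA" else top
    for obj, (level, rationale) in (system_adjustments or {}).items():
        if not rationale:
            raise ValueError(f"system/{obj}: adjustment needs a documented rationale")
        hwm[obj] = level
    validate(hwm, allow_na=False)
    return hwm


def overall_impact_level(system_levels: dict) -> str:
    """Overall system impact level: the highest of the three objectives."""
    return max(system_levels.values(), key=RANK.get)


if __name__ == "__main__":
    # Constructed inputs mirroring Example 1 and Example 2 on the page.
    public = InfoType("public information",
                      {"confidentiality": "NA", "integrity": "M", "availability": "M"})
    investigation = InfoType(
        "investigation information",
        {"confidentiality": "H", "integrity": "M", "availability": "M"},
        # Constructed Step 3 adjustment with its rationale (hypothetical).
        adjustments={"availability": ("H", "case data must be reachable during court proceedings")},
    )
    for t in (public, investigation):
        print(sc_string(t.name, t.finalized()))
    system = system_category([public, investigation])
    print(sc_string("system", system), "-> overall impact level:", overall_impact_level(system))
```

Run stand-alone, the script prints the SC string for each information type and for the system; an adjustment given without a rationale is rejected, which mirrors the requirement in Step 3 to document every adjustment.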
SECURITY CATEGORIZATION REVIEW
AND APPROVAL
TASK C-3 Review and approve the security categorization results and
decision.
Primary Responsibility: Authorizing Official or Authorizing Official
Designated Representative; Senior Agency Official for Privacy.
SDLC Phase: New – Initiation (concept/requirements definition).
References: FIPS 199; SP 800-30; SP 800-39
Discussion
• For information systems that process PII, the senior agency official for
privacy reviews and approves the security categorization results and
decision prior to the authorizing official’s review.
• Security categorization results and decisions are reviewed by the
authorizing official or a designated representative to ensure that the
security category selected for the information system is consistent with the
mission and business functions of the organization and the need to
adequately protect those missions and functions.
System Security Plan (SSP); NIST SP 800-18
The main purpose of the SSP is to fully describe the security posture of an
information system, including providing a comprehensive listing of all controls
selected for the system, i.e., describing the controls in place or planned for
meeting the security requirements for the information system.
SSP Con’t
• The System Owner is responsible for the plan, but it can be delegated to the ISSO.
• SSP Contents:
- System Description – Categorization
- Description of Controls
- System Security Roles and Responsibilities
- System Operational Status and System Types
- System Environment
- System Interconnection and Sharing
- Rules of Behavior
- Completion and Approval Dates
System Security Plan Cont’d
• Plan Approval
- The System Owner constructs and approves the initial system security plan for
the system and sends it for independent review.
- The plan is reviewed independently by the Authorizing Official or Designated
Representative.
- The final SSP is approved by the Authorizing Official or Designated
Representative.
- This is normally a collaborative back-and-forth relationship in which controls are
negotiated.
System Security Plan Cont’d
• Plan Maintenance
- The SSP is a living document and should be kept up to date
- It should be reviewed annually at a minimum
- It should be aligned with organization policy revision and change
management processes
- Since the SSP documents the security specification of the system, the plan
should be safeguarded and given the appropriate classification.
Categorize Process Review
The categorize process includes the following tasks:
- Document the characteristics of the system
- Identify the system’s information types
- Select the impact value for each information type
- Adjust the information type’s impact value
- Adjust the system’s security category
- Determine the information system’s security impact level
- Obtain approval for the system security category and impact level
- Maintain the system security category and impact level
Categorize Process Review
• Inputs include:
- System description, including the system boundary
- Enterprise architecture
- Information types from SP 800-60, Vol. 1 & 2
• Outputs include:
- Security category for each information type
- Information system security category and high-water mark
- Rationale for any adjustments
