The document discusses the categorization process for information systems which includes documenting system characteristics, identifying information types, selecting provisional impact levels, reviewing and finalizing impact levels, assigning a system security category, reviewing and approving the security categorization, developing a system security plan, and maintaining the categorization over the system lifecycle. The purpose is to inform risk management by determining the adverse impacts of loss of confidentiality, integrity and availability.
CATEGORIZATION
CATEGORIZE THE INFORMATION SYSTEM
PURPOSE
The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

SYSTEM DESCRIPTION
• TASK C-1: Document the characteristics of the system.
• Primary Responsibility: Information System Owner
• SDLC: Initiation
• References: SP 800-18

Discussion
• A description of the system characteristics is documented in the security and privacy plans, included in attachments to the plans, or referenced in other standard sources for the information generated as part of the SDLC.
• The level of detail in the security and privacy plans is determined by the organization and is commensurate with the security categorization and the security and privacy risk assessments of the system. Information may be added to or updated in the system description as it becomes available during the system life cycle, during the execution of the RMF steps, and as any system characteristics change.

Discussion Con’t
Examples of descriptive information that organizations can include in security and privacy plans:
- Full descriptive name of the information system, including any associated acronym
- Unique information system identifier
- Hardware and firmware devices included within the information system
- Location of the information system and the environment in which the system operates
- System version or release number
- Manufacturer and supplier information
- Individual responsible for the system
- System contact information, etc.

Security Categorization
TASK C-2: Categorize the system and document the security categorization results.
Primary Responsibility: System Owner; Information Owner or Steward.
SDLC Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
References: FIPS 199; FIPS 200; SP 800-30; SP 800-60 Vol. 1; SP 800-60 Vol. 2

Categorization Process Con’t
• Sensitivity: Measures the importance assigned to information by its owner for the purpose of denoting its need for protection. It is related to the data that resides within an information system.
• Criticality: Measures the degree to which an organization depends on the information or information system for the success of a mission or of a business function. It is related to the entire information system.

Categorization Process Step 1: Identify Information Types (NIST SP 800-60 Vol. 1 & 2)
• The first step in the security categorization process is to identify the types of information the system will receive, store, process, or disseminate.
• This is the primary responsibility of the information owners and the system owner.
• It is very important to have a thorough understanding of the purpose and intended use of the information system, e.g. mission-critical system, sensitive data, financial data, health or administrative data, etc.

Step 2: Select Provisional Impact Levels
• Select the security impact levels for the identified information types.
• Determine the security category (SC) for each information type:
  SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
• Document the provisional impact levels of confidentiality, integrity, and availability associated with each of the system’s information types.

Step 3: Review Provisional Impact Levels and Adjust/Finalize Information Type Impact Levels
• Review the appropriateness of the provisional impact levels based on the organization, environment, mission, use, and data sharing.
• Adjust the impact levels as necessary based on the following considerations:
  - Confidentiality, integrity, and availability factors
  - Situational and operational drivers (timing, life cycle, etc.)
  - Legal or statutory reasons
• Document all adjustments to the impact levels and provide the rationale or justification for the adjustments.

Step 4: Assign System Security Category
• Review the identified security categorizations for the aggregate of information types.
• Determine the system security categorization by identifying the security impact level high water mark for each of the security objectives (confidentiality, integrity, availability).
• Adjust the security impact level high water mark for each system security objective, as necessary.
• Assign the overall information system impact level based on the highest impact level for the system security objectives (confidentiality, integrity, availability).
• Follow the agency’s oversight process for reviewing, approving, and documenting all determinations or decisions.

Example 1
Information Type: An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality, a moderate potential impact from the loss of integrity, and a moderate potential impact from a loss of availability.
The resulting security category, SC, of this information type is expressed as:
SC public information = {(confidentiality, L), (integrity, M), (availability, M)}

Example 2
Information Type: A law enforcement organization managing extremely sensitive investigation information determines that the potential impact from a loss of confidentiality is high, the potential impact from the loss of integrity is moderate, and the potential impact from the loss of availability is moderate. The resulting security category, SC, of this information type is expressed as:
SC investigation information = {(confidentiality, H), (integrity, M), (availability, M)}

SECURITY CATEGORIZATION REVIEW AND APPROVAL
TASK C-3: Review and approve the security categorization results and decision.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative; Senior Agency Official for Privacy.
SDLC Phase: New – Initiation (concept/requirements definition).
References: FIPS 199; SP 800-30; SP 800-39

Discussion
• For information systems that process PII, the senior agency official for privacy reviews and approves the security categorization results and decision prior to the authorizing official’s review.
• Security categorization results and decisions are reviewed by the authorizing official or a designated representative to ensure that the security category selected for the information system is consistent with the mission and business functions of the organization and the need to adequately protect those missions and functions.

System Security Plan (NIST SP 800-18)
The main purpose of the SSP is to fully describe the security posture of an information system, including providing a comprehensive listing of all controls selected for the system, i.e., describing the controls in place or planned for meeting the security requirements of the information system.

SSP Con’t
• The System Owner is responsible for the plan, but it can be delegated to the ISSO.
• SSP Contents:
  - System Description
  - Categorization
  - Description of Controls
  - System Security Roles and Responsibilities
  - System Operational Status and System Types
  - System Environment
  - System Interconnection and Sharing
  - Rules of Behavior
  - Completion and Approval Dates

System Security Plan Cont’d
• Plan Approval
  - The System Owner constructs and approves the initial system security plan for the system and sends it for independent review.
  - The plan is reviewed and approved independently by the Approving Official or Designated Representative.
  - The final SSP is approved by the Approving Official or Designated Representative.
  - This is normally a collaborative back-and-forth relationship in which controls are negotiated.

System Security Plan Cont’d
• Plan Maintenance
  - The SSP is a living document and should be kept up to date.
  - It should be reviewed annually at a minimum.
  - It should be aligned with organization policy revision and change management processes.
  - Since the SSP documents the security specification of the system, the plan should be safeguarded and given the appropriate classification.

Categorize Process Review
The categorize process includes the following tasks:
- Document the characteristics of the system.
- Identify the system’s information types
- Select the impact value for each information type
- Adjust the information type’s impact value
- Adjust the system’s security category
- Determine the information system’s security impact level
- Obtain approval for the system security category and impact level
- Maintain the system security category and impact level

Categorize Process Review
• Inputs include:
  - System description, including system boundary
  - Enterprise architecture
  - Information types from SP 800-60, Vol. 1 & 2
• Outputs include:
  - Security category for each information type
  - Information system security category and high-water mark
  - Reasoning for any adjustments
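The Step 3 adjustment and Step 4 high-water-mark procedure from the slides, carried through in code on the two FIPS 199-style example information types, as if both were hosted on one system. This is an added example, not the deck's or NIST's own code; the InfoType class, the function names and the assumed statutory availability adjustment on the investigation type are illustrative assumptions.

```python
from dataclasses import dataclass, field

# Impact levels in FIPS 199 order; the max over this rank is the high water mark.
RANK = {"L": 0, "M": 1, "H": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    name: str
    provisional: dict                                 # Step 2: objective -> level
    adjustments: dict = field(default_factory=dict)   # Step 3: objective -> (level, rationale)

    def final_sc(self) -> dict:
        """Apply documented adjustments to the provisional levels. Step 3 requires a
        rationale for every adjustment, so an undocumented one is rejected."""
        sc = dict(self.provisional)
        for objective, (level, rationale) in self.adjustments.items():
            if not rationale:
                raise ValueError(f"{self.name}/{objective}: adjustment needs a documented rationale")
            sc[objective] = level
        return sc


def high_water_mark(levels):
    return max(levels, key=RANK.__getitem__)


def system_security_category(info_types):
    """Step 4: per-objective high water mark across all information types on the system."""
    return {obj: high_water_mark(t.final_sc()[obj] for t in info_types) for obj in OBJECTIVES}


def system_impact_level(sc):
    """Overall system impact level: the highest of the three objective levels."""
    return high_water_mark(sc.values())


def format_sc(name, sc):
    return "SC " + name + " = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: the two information types from the slides' examples, plus an
# assumed Step 3 adjustment raising availability for the investigation type.
PUBLIC = InfoType("public information", {"confidentiality": "L", "integrity": "M", "availability": "M"})
INVESTIGATION = InfoType("investigation information",
                         {"confidentiality": "H", "integrity": "M", "availability": "M"},
                         adjustments={"availability": ("H", "statutory response-time requirement (assumed)")})

if __name__ == "__main__":
    for t in (PUBLIC, INVESTIGATION):
        print(format_sc(t.name, t.final_sc()))
    sc = system_security_category([PUBLIC, INVESTIGATION])
    print(format_sc("system", sc), "-> overall impact level:", system_impact_level(sc))
```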