<INSERT AGENCY LOGO>
<INSERT SYSTEM NAME>
System Security Plan (SSP)
<Organization Name>
Prepared By
_______________________
Information System Security Plan Template, produced by GTA-Office of Information Security, Nov 2012
Document Change History
Version Number | Date | Author(s) | Description
Executive Summary
State of Georgia agencies are required to identify each information system that contains, processes, and transmits state data and information and to prepare and implement a plan for the security and privacy of these systems. The objective of system security planning is to improve protection of information technology (IT) resources. All State of Georgia systems have some level of sensitivity, and require protection as part of best management practices. The protection of a system must be documented in a system security plan.
The security plan is viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It reflects input from management responsible for the system, including information owners, the system operator, the system security manager, and system administrators. The system security plan delineates responsibilities and expected behavior of all individuals who access the system.
The purpose of this security plan is to provide an overview of the security of the [System Name] and to describe the controls and critical elements in place or planned, based on NIST Special Publication (SP) 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations. Each applicable security control has been identified as either in place or planned. This SSP follows the guidance in NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.
This System Security Plan (SSP) provides an overview of the security requirements for [System Name] and describes the controls in place or planned for implementation to provide a level of security appropriate for the information processed as of the date indicated in the approval page.
Note: The SSP is a living document that will be updated periodically to incorporate new and/or modified security controls. The plan will be revised as the changes occur to the system, the data or the technical environment in which the system operates.
1. Information System Name/Title:
• Unique identifier and name given to the system.
System Name
2. Information System Categorization:
• Identify the appropriate FIPS 199 categorization based on the types of information handled by this system.
<Complete the table for each "type" of information processed by this system. Refer to NIST SP 800-60 for guidance on information types. Examples of information types are privacy, medical, proprietary, financial, investigative, contractor sensitive, security management, administrative, etc.>
Confidentiality (HIGH/MOD/LOW)
Integrity (HIGH/MOD/...
TrustedAgent GRC streamlines the complexity of obtaining FedRAMP security authorization for cloud IaaS, PaaS, and SaaS services and applications, from tracking evidence and key control implementation, to creating key deliverables such as security plans, to managing continuous monitoring for ongoing compliance. TrustedAgent significantly reduces the amount of manual work, including managing the vulnerabilities found during ongoing compliance. Download it and contact us to learn how TrustedAgent GRC can create opportunities for your cloud offerings in the Federal Government.
Network Security & Assured Networks: TechNet Augusta 2015 (AFCEA International)
August 24, 2015
Bob Kimball, Ciena
The purpose of this talk is to review the network security guidelines outlined in NIAP and FISMA as they apply to modern high-performance networks.
The risk of cyber threat is high for organizations that manage sensitive data, so they need a robust security and compliance program. Such a program protects information system resources from a wide range of threats and brings the organization into compliance with regulatory requirements.
Because meeting an industry standard does not guarantee protection from data breaches, the security and compliance program should start by identifying and analyzing the organization's own security needs rather than solely meeting compliance requirements. Following a risk management approach, rather than relying on checklists, is therefore the best practice. Organizations that follow this method avoid unnecessary compliance effort and cost on insignificant threats and end up with a sustainable security and compliance program.
Accordingly, the program should identify, analyze and prioritize risks, and then select a comprehensive set of appropriate security controls by referencing established frameworks such as the National Institute of Standards and Technology (NIST) risk management framework. NIST guidance is prescriptive about implementing security controls; an organization should nonetheless first develop a risk assessment methodology that is tailored to its own environment.
When following a risk-based approach, the security and compliance program has to align with the business objectives of the organization. Risks need to be identified and prioritized not only from an information system perspective but also from a business perspective. This ensures that information security risk is identified, analyzed and prioritized with input from across the organization, provides clear justification for and assurance on information security investments, and increases the sense of ownership of information security efforts among all stakeholders.
Because the biggest impact of cyber breach is data loss, data protection should be architected into the DNA of your cyber security solution. This means focusing security efforts around data from the very beginning, from initial risk assessment, to control design, to implementation and auditing.
Most cyber security solutions protect infrastructure, assuming that data stored within containers will be protected. This white paper explains why this assumption is no longer valid and outlines an approach to designing a cyber security solution directly around data.
Compliance Officers, Risk Managers, Security Professionals, and IT Leaders will understand the goals and steps of data-centric solution design, as well as its potential benefits.
System Security Plans are part of the required documentation for a certification and accreditation package. Documenting your SSP can be a daunting task, so how can you make it easy? This overview session covers who is responsible for the SSP, plan contents, an overview of implementation detail for selected controls, flexibility of the SSP, plan maintenance issues, and what an SSP is not.
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa
Covers the knowledge and skills that Network Administrators and Information Technology professionals need to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in light of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Includes the terminology and procedures for implementing and configuring security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
Doug Landoll, CEO, Lantego
Four Deadly Traps in Using Information Security Frameworks
Frameworks can be used to build or assess information security programs effectively, but applied incorrectly they mask major program gaps. During this talk, Mr. Landoll will explain the four framework traps, how to avoid them, and how to use a framework effectively to build or assess an information security program. Mr. Landoll will focus on the NIST 800-53 framework as an example.
From Zero to ATO: A Step-by-Step Guide on the DoD Compliance Framework (Amazon Web Services)
Are you a member of the Department of Defense (DoD) and want to simplify the process to cloud deployment? Learn how you can adopt AWS's utility-based cloud services to process, store, and transmit DoD data.
This presentation is a step-by-step guide from AWS on how to navigate the DoD compliance framework. The guide outlines the planning, deployment, accreditation, and continuous monitoring phases to get you to the cloud.
AWS enables military organizations and their business associates to leverage the secure AWS environment through our attainment of a provisional authority to operate (P-ATO) from the Defense Information Systems Agency (DISA).
Module 02 Performance Risk-based Analytics
With all the advances in technology and encryption strength, some methods are faster or slower than others, so in most cases a cybersecurity professional must weigh cost, performance, and security. Risk is a powerful tool that cybersecurity professionals use to make these decisions and to influence the appropriate stakeholders by giving them the right information about these three elements.
Risk analysis, or risk-based analytics, helps determine the level of risk to an organization. The first step in this process is to determine the sensitivity of the data being processed. The example below is a data classification scheme common to many organizations; depending on how the data will be used, the categories may vary.
· Public: Data available to the general public and approved for distribution outside the organization.
  · Examples: press releases, directory information (not subject to government regulations or blocks), product catalogs, application and request forms, and other general information that is openly shared. The type of information an organization would choose to post on its website is a good example of Public data.
· Internal: Data necessary for the operation of the business and generally available to all internal users, to users of that particular customer, and to potentially interested third parties if appropriate and when authorized.
  · Examples: some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
· Confidential: Data generally not made available outside the organization, and whose unauthorized access, use, disclosure, duplication, modification, or destruction could adversely impact the organization and/or its customers. All confidential information is sensitive in nature and must be restricted to those with a legitimate business need to know.
  · Examples:
    · Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
    · Personally identifiable information entrusted to the organization's care that is not restricted-use data, such as information regarding applicants, donors, potential donors, or competitive marketing research data.
    · Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
    · Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
    · Legally privileged information.
    · Information that is the subject of a confidentiality agreement.
· Restricted: Data that MUST be specifically protected via various access, confidentiality, integrity and/or non-repudiation controls in order to comply with legislative, regulatory, con ...
L3 RMF Phase 2 Categorize.pptx
1. Authorization Boundaries
The authorization boundary for a system is established during the RMF Prepare step, at the system level, in Task P-11.
Organizations have flexibility in determining what constitutes the authorization boundary for a system.
System elements: servers, network
2. Authorization Boundary Determination
System elements may be grouped into a single system (one authorization boundary) when they:
• Support the same mission or business functions;
• Have similar operating characteristics and security and privacy requirements;
• Process, store, and transmit similar types of information (e.g., categorized at the same impact level); or
• Reside in the same environment of operation (or, in the case of a distributed system, reside in various locations with similar operating environments).
The boundary is revisited during continuous monitoring.
4. Authorization Boundaries
• The authorization boundary establishes the scope of protection for an information system (i.e., what the organization agrees to protect under its direct management or within the scope of its responsibilities).
• It includes the people, processes, and information technologies (i.e., system elements) that are part of each system supporting the organization's missions and business functions.
• Authorization boundaries that are too expansive (i.e., include too many system elements or components) make the risk management process unnecessarily complex.
• Conversely, authorization boundaries that are too limited (i.e., include too few system elements or components) increase the number of systems that must be separately managed and therefore may unnecessarily inflate the information security and privacy costs for the organization.
5. Boundaries
How to define a boundary
◦ Same direct management
◦ Controlled under the same budget
◦ Supports the same mission
◦ Same operating environment
Types
◦ General Support System (GSS)
◦ Major Application (MA)
◦ Minor Integrated Application (MIA)
6. Boundaries
Examples
◦ GSS
◦ Wide Area Network
◦ Servers
◦ Network Equipment
◦ Workstations
◦ Major Application
◦ Application Infrastructure
◦ MIA – Web Applications
7. Boundaries
Software Applications (MIA)
◦ Hosted on a GSS or MA
◦ MIAs depend on the resources provided by the hosting system
◦ Leverage the security controls of the hosting system
◦ The MIA is part of the hosting system's SSP
◦ Assessed when the hosting system goes through C&A (certification and accreditation)
◦ When added during the C&A cycle, the application is reviewed before being put into production
9. Boundaries
Complex System (GSS)
◦ More complex
◦ Consider breaking down into subsystems
◦ Firebird Example
◦ Common Controls
◦ Inheritance
◦ Specific Categorization for each subsystem
◦ Different security categorizations
◦ Examine the flow of information
12. SYSTEM DESCRIPTION
Task C-1: Document the characteristics of the system.
◦ Potential Inputs: System design and requirements documentation; authorization boundary information; list of security and privacy requirements allocated to the system, system elements, and the environment of operation; physical or other processes controlled by system elements; system element information; system component inventory; system element supply chain information, including inventory and supplier information; security categorization; data map of the information life cycle for information types processed, stored, and transmitted by the system; information on system use, users, and roles.
◦ Expected Outputs: Documented system description.
Discussion
◦ Description of the system characteristics
◦ Version/Release
◦ System Architecture – Network Diagram
◦ Hardware/Software
13. SECURITY CATEGORIZATION
Task C-2: Categorize the system and document the security categorization
results.
◦ Potential Inputs: Risk management strategy; organizational risk tolerance; authorization boundary (i.e., system) information;
organization- and system-level risk assessment results; information types processed, stored, or transmitted by the system; list of
security and privacy requirements allocated to the system, system elements, and environment of operation; organizational authority
or purpose for operating the system; business impact analyses or criticality analyses; information about missions, business functions,
and mission/business processes supported by the system.
◦ Expected Outputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity,
availability); security categorization based on high-water mark of information type impact levels.
Discussion
◦ Operational Impact – Loss of CIA
◦ Minimum Security Control Baseline
14. Security Categorization
Information Types
◦ SP 800-60 Volumes I & II
◦ FIPS 199
◦ The standard used by federal agencies to categorize information and information systems based on the objectives
of providing appropriate levels of information security according to a range of risk levels
◦ Information systems are categorized as either Low, Moderate, or High Risk Systems based on the Confidentiality,
Integrity, and Availability security requirements necessary to protect the data/information processed, stored, or
transmitted by the information system.
15. Security Categorization
FIPS 200
• Provides guidelines recommending the types of information and information systems to be included in
each category of potential security impact.
• Assists agencies to map security impact levels in a consistent manner to types of: (i) information (e.g.,
privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii)
information systems (e.g., mission critical, mission support, administrative).
16. Security Categorization
How much do HHS and American citizens rely on this system? Will HHS be able
to accomplish its mission and meet its objectives if this information is
compromised?
These questions should be asked during the Initiation Phase to help drive
selection of the security categories. The answers will determine the impact on
HHS in the event data is lost or inappropriately accessed or changed.
Assuming the system is not a national security system, a security category for
the system must be assigned using FIPS publication 199 and NIST SP 800-60
Volume 2.
Based on the results of the security categorization, you
assign a Low, Moderate, or High level of security to the three security
objectives: Confidentiality, Availability, and Integrity.
18. Security Categorization
Based on FIPS 200, you choose the security controls in NIST SP 800-53 Rev. 5 that correspond to the
“high water mark”— the highest score assigned to any of the objectives.
For example, if the system has a Low confidentiality, a High integrity, and a Moderate availability
categorization, the system will use the High security control guidance.
The new system may also affect the existing infrastructure.
For example, adding a system with High security categorization into an existing network
environment that is currently certified for Low impact systems will require an upgrade to the
network controls. Carefully consider how this system will be deployed to ensure it does not
adversely impact the environment in which it will operate.
19. Security Categorization
Example:
◦ Benefits Management Information Type
◦ Benefits management designs, develops, and implements benefit programs that attract, retain and support current and former
agency employees. This sub-function includes: establishing and communicating benefits programs; processing benefits actions; and
interacting as necessary with third party benefits providers. The recommended provisional security categorization for benefits
management information is as follows:
◦ Security Category = {(confidentiality, Low), (integrity, Low), (availability, Low)}
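As an added example, not part of the slide deck, the categorization rule from the preceding slides carried through in Python: per-objective impact levels are taken from each information type, the highest level per objective across all types becomes the system category, and the highest objective level is the high-water mark that selects the baseline. The Benefits Management type is taken from the slide; the second information type is a constructed, hypothetical value chosen only to reproduce the Low/High/Moderate case from slide 18.

```python
from typing import Dict, Mapping

# Impact levels in increasing order; the tuple index is the ordering key.
LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample input. "Benefits Management" is the slide's provisional
# categorization; "Hypothetical Payment Type" is made up for illustration and
# is not an SP 800-60 value.
EXAMPLE_INFO_TYPES: Dict[str, Dict[str, str]] = {
    "Benefits Management": {"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
    "Hypothetical Payment Type": {"confidentiality": "Low", "integrity": "High", "availability": "Moderate"},
}


def _rank(level: str) -> int:
    """Order impact levels so max() picks the higher one; reject unknown values."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def categorize_system(info_types: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """FIPS 199 system category: for each security objective, the highest impact
    level assigned to that objective across all information types the system handles."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: max((t[obj] for t in info_types.values()), key=_rank) for obj in OBJECTIVES}


def high_water_mark(category: Mapping[str, str]) -> str:
    """Overall impact level (FIPS 200) that selects the SP 800-53 control baseline."""
    return max((category[obj] for obj in OBJECTIVES), key=_rank)


def format_security_category(category: Mapping[str, str]) -> str:
    """Render the category in the SC = {(objective, level), ...} notation of the slide."""
    return "SC = {" + ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES) + "}"


def environment_supports(system_level: str, environment_level: str) -> bool:
    """True when a hosting environment certified at environment_level can accept a
    system whose high-water mark is system_level without upgrading its controls."""
    return _rank(system_level) <= _rank(environment_level)


if __name__ == "__main__":
    cat = categorize_system(EXAMPLE_INFO_TYPES)
    print(format_security_category(cat))  # SC = {(confidentiality, Low), (integrity, High), (availability, Moderate)}
    print("baseline:", high_water_mark(cat))  # baseline: High
    print("fits a Low-certified network:", environment_supports(high_water_mark(cat), "Low"))  # False
```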
20. Security Categorization
Based on the Low, Moderate, or High security categorization of your system,
you must implement the corresponding prescribed minimum baseline security
controls.
This set of controls represents a starting point for determining the appropriate
safeguards and controls required for HHS systems.
Baseline security controls are initially documented in the preliminary risk
assessment and are meant to be expanded as additional risks are identified.
Security controls commensurate with FIPS 199 and 200 as well as laws and
regulations must be selected and employed for every system.
Such requirements, along with HHS’ commitment to protecting the
confidentiality, integrity, and availability of its information and systems, drive
the development of security controls across all IT programs.
22. SECURITY CATEGORIZATION REVIEW AND
APPROVAL
Task C-3: Review and approve the security categorization results and decision.
◦ Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity,
availability); security categorization based on high-water mark of information type impact levels; list of high value assets for the
organization.
◦ Expected Outputs: Approval of security categorization for the system.
Discussion
◦ Reviewed by the AO
◦ Consistent with the Mission of the Organization