Tuesday, December 06, 2011

System Authorization Process Initiation

The information system authorization process comprises a number of steps, such as categorizing the security requirements, performing an initial risk estimate, determining appropriate security controls, and documenting the selected controls. Publications that provide useful guidance in performing the system authorization function include Federal Information Processing Standard (FIPS)-199, “Standard for Security Categorization of Federal Information and Information Systems”; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems”; NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”; and NIST SP 800-30, “Risk Management Guide for Information Technology Systems.”

 

The policies and guidance for information assurance in U.S. defense organizations are given in DoD Directive 8500.1, “Information Assurance (IA),” October 4, 2002. Additional support and implementation guidance is also provided by DoD Directive 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003; DoD 5025.1-M, “DoD Directives System Procedures,” current edition; and DoD Directive 8000.1, “Management of DoD Information Resources and Information Technology,” February 27, 2002.

This chapter details the principal elements of system authorization, namely security categorization, initial risk estimation, selection of security controls, and documentation of security controls.

Security Categorization


In order to increase the security of Federal information systems, the Federal Information Security Management Act (FISMA), which is Title III of the E-Government Act of December 2002 (Public Law 107-347), was passed. FISMA was enacted to:

1. “Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets”
2. “Recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities”
3. “Provide for development and maintenance of minimum controls required to protect Federal information and information systems”
4. “Provide a mechanism for improved oversight of Federal agency information security programs”

FISMA, the Paperwork Reduction Act (PRA) of 1980 as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35), and the Clinger-Cohen Act (also known as the Information Technology Management Reform Act of 1996) (P.L. 104-106, Division E) promote a risk-based policy for cost-effective security. The Clinger-Cohen Act supplements the information resources management policies contained in the PRA by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. FISMA also specifies that national security classified information should be handled in accordance with the appropriate national security directives as provided by DoD and NSA.

FISMA charges the Director of the Office of Management and Budget (OMB) with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government, including “coordinating the development of standards and guidelines between NIST and the NSA and other agencies with responsibility for national security systems.” Agencies of the executive branch of the U.S. government are defined as:

· An Executive Department specified in 5 U.S.C. § 101
· Within the Executive Office of the President, only OMB and the Office of Administration
· A Military Department specified in 5 U.S.C. § 102
· An independent establishment as defined in 5 U.S.C. § 104(1)
· A wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91

OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” specifies that Federal government agencies perform the following functions:

· Plan for security
· Ensure that appropriate officials are assigned security responsibility
· Review the security controls in their information systems
· Authorize system processing prior to operations and periodically thereafter

OMB Circular A-130, Appendix III, also requires that each agency perform security accreditation, which is considered “a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs.”

The actions that FISMA requires each government agency to perform in developing and implementing an agency-wide information security program are specified in NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” Second Public Draft, June 2003. FISMA specifies that the program must include:

1. Periodic assessments of risk, including the magnitude of harm that can result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
2. Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system
3. Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
4. Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks
5. Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
6. A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
7. Procedures for detecting, reporting, and responding to security incidents
8. Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency

Identification of Information Types


FISMA assigned to NIST the responsibility for developing the following information system–related standards and guidelines:

1. Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels
2. Guidelines recommending the types of information and information systems to be included in each category
3. Minimum information security requirements (i.e., management, operational, and technical controls)

In order to satisfy item 1, NIST developed FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems.” FIPS 199 and the recently developed FIPS 200 standard, entitled “Minimum Security Requirements for Federal Information and Federal Information Systems,” are two mandatory standards specified in the FISMA legislation.

FIPS 199 is used to identify and categorize information and information systems and, as cited in the standard, should be used “To provide a common framework and understanding for expressing security that, for the Federal government promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.”

The FIPS 199 standard is applicable to:

· “All information within the Federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status
· All Federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). National security systems are information systems operated by the U.S. Government, its contractors, or agents that contain classified information or that:
  o Involve intelligence activities
  o Involve cryptographic activities related to national security
  o Involve command and control of military forces
  o Involve equipment that is an integral part of a weapon or weapons systems
  o Are critical to the direct fulfillment of military or intelligence missions, not including routine administrative and business applications
· Agency officials shall use the security categorizations described in FIPS 199 whenever there is a Federal requirement to provide such a categorization of information or information systems.”

Potential Harmful Impact Levels


FIPS 199 addresses and defines categories for both information and information systems in the context of the potential harmful impact that may result from the occurrence of different attack scenarios. These categories are to be applied with the corresponding threat and vulnerability characteristics of the information or information system. Information is identified according to its type. FIPS 199 describes an information type as “a specific category of information defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.” Typical information types include:

· Financial
· Investigative
· Medical
· Personal
· Legal
· Sensitive

The security objective stated by FISMA is the standard preservation of confidentiality, integrity, and availability. These three terms are defined by FISMA as follows:

· Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C. § 3542]. A loss of confidentiality is the unauthorized disclosure of information.
· Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [44 U.S.C. § 3542]. A loss of integrity is the unauthorized modification or destruction of information.
· Availability - Ensuring timely and reliable access to and use of information [44 U.S.C. § 3542]. A loss of availability is the disruption of access to or use of information or an information system.

Assignment of Impact Level Scores


FIPS Publication 199 defines three levels of potential impact from a compromise of confidentiality, integrity, or availability. These levels are summarized in the table below, taken from the publication.

Table: Potential Impact Definitions for Security Objectives

Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C. § 3542]
· LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
· MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
· HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity - Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity [44 U.S.C. § 3542]
· LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
· MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
· HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability - Ensuring timely and reliable access to and use of information [44 U.S.C. § 3542]
· LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
· MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
· HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FIPS 199 establishes security categories for information types and for information systems. A security category is a function of the potential impact on the information or information system when a realized threat exploits a system vulnerability. The security category, SC, of an information type is given by the formula:

SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE as defined in Table 12 above.

The formula for the SC of an information system is given as:

SC(information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH. (A value of NOT APPLICABLE cannot be applied to the impact level of an information system.)

 

Assignment of System Impact Level


Examples of SCs for different applications will serve to clarify the use of the formulas.

 

The research department of a large pharmaceutical company has developed a novel antiviral medicine. The company has invested millions of dollars in its development, and sales of the medication could yield a very large return on its investment and make the company a leader in the marketplace. The research director has determined that, for the information on the medication, there would be a high potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. Thus, the security category, SC, of this information type would be:

SC(research information) = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}

 

Now, assume that the benefits department of the same pharmaceutical company determines that, for the employees’ benefits information, there would be a moderate potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. Thus, the security category, SC, of this information type would be:

SC(benefits information) = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}

 

In order to determine the SC for an information system, the potential impact value assigned to each of the security objectives of confidentiality, integrity, and availability must be the maximum (worst-case) value assigned to that objective among the security categories of the different types of information residing on the system.

In the pharmaceutical company example, if the information system comprises only the research and benefits databases, the impact values in the information system SC formula would be the highest values assigned to the security objectives in the research information and benefits information SC formulas.

Thus, the security category of the pharmaceutical information system comprises the highest values of the two information categories resident on the system. Therefore,

SC(pharmaceutical information system) = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
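The worst-case ("high-water mark") rule above is mechanical enough to encode. The following Python is an added example, not part of the original text or of FIPS 199 itself; it builds the two information-type categories from the pharmaceutical example, derives the system category by taking the maximum per objective, and enforces the stated rule that NOT APPLICABLE may appear on an information type but never on a system (the floor for a system is LOW). The `overall_impact_level` function goes one step beyond this page: it applies the FIPS 200 convention of taking the highest of the three values as the system's overall impact level for baseline selection. The `Impact` enum, function names and the sample data are this example's own.

```python
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so that max() yields the worst case."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

    def label(self) -> str:
        # Render as the standard writes it ("NOT APPLICABLE", "HIGH", ...).
        return self.name.replace("_", " ")


OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Dict[str, Impact]


def categorize_information_type(confidentiality: Impact, integrity: Impact,
                                availability: Impact) -> SecurityCategory:
    """SC of an information type. NOT APPLICABLE is a legal value here."""
    return {
        "confidentiality": Impact(confidentiality),
        "integrity": Impact(integrity),
        "availability": Impact(availability),
    }


def categorize_information_system(
        information_types: Mapping[str, SecurityCategory]) -> SecurityCategory:
    """SC of a system: per objective, the maximum impact among all information
    types it hosts. A system may not carry NOT APPLICABLE, so LOW is the floor."""
    if not information_types:
        raise ValueError("a system must host at least one information type")
    system_sc: SecurityCategory = {}
    for objective in OBJECTIVES:
        worst = max(sc[objective] for sc in information_types.values())
        system_sc[objective] = max(worst, Impact.LOW)
    return system_sc


def overall_impact_level(sc: SecurityCategory) -> Impact:
    """Assumption beyond this page: FIPS 200 uses the highest of the three
    objective values as the system's overall impact level (baseline selector)."""
    return max(sc[objective] for objective in OBJECTIVES)


def format_sc(label: str, sc: SecurityCategory) -> str:
    """Print a category in the book's SC(label) = {(objective, IMPACT), ...} form."""
    pairs = ", ".join(f"({objective}, {sc[objective].label()})" for objective in OBJECTIVES)
    return f"SC({label}) = {{{pairs}}}"


# Constructed sample data mirroring the pharmaceutical company in the text.
RESEARCH = categorize_information_type(Impact.HIGH, Impact.HIGH, Impact.MODERATE)
BENEFITS = categorize_information_type(Impact.MODERATE, Impact.HIGH, Impact.MODERATE)
PHARMA_SYSTEM = categorize_information_system({
    "research information": RESEARCH,
    "benefits information": BENEFITS,
})

if __name__ == "__main__":
    print(format_sc("research information", RESEARCH))
    print(format_sc("benefits information", BENEFITS))
    print(format_sc("pharmaceutical information system", PHARMA_SYSTEM))
    print("overall impact level:", overall_impact_level(PHARMA_SYSTEM).label())
```

Because the objectives are scored independently, adding a new information type to the system can raise one objective without touching the others; a type whose confidentiality is NOT APPLICABLE (public data) still leaves the system at LOW for confidentiality rather than dropping it below the permitted range.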
