Initiation of the System Authorization Process

The information system authorization process comprises a number of steps, such as categorizing the security requirements, performing an initial risk estimate, determining appropriate security controls, and documenting the selected controls. Publications that provide useful guidance in performing the system authorization function include Federal Information Processing Standard (FIPS)-199, “Standard for Security Categorization of Federal Information and Information Systems”; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems”; NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”; and NIST SP 800-30, “Risk Management Guide for Information Technology Systems.”

The policies and guidance for information assurance in U.S. defense organizations are given in DoD Directive 8500.1, “Information Assurance (IA),” October 4, 2002. Additional support and implementation guidance is also provided by DoD Directive 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003; DoD 5025.1-M, “DoD Directives System Procedures,” current edition; and DoD Directive 8000.1, “Management of DoD Information Resources and Information Technology,” February 27, 2002.

This chapter details the principal elements of system authorization, namely security categorization, initial risk estimation, selection of security controls, and documentation of security controls.

Security Categorization

In order to increase the security of Federal information systems, the Federal Information Security Management Act (FISMA), which is Title III of the E-Government Act of December 2002 (Public Law 107-347), was passed. FISMA was enacted to:

  1. “Provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets”
  2. “Recognize the highly networked nature of the current Federal computing environment and provide effective government-wide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities”
  3. “Provide for development and maintenance of minimum controls required to protect Federal information and information systems”
  4. “Provide a mechanism for improved oversight of Federal agency information security programs”

FISMA, the Paperwork Reduction Act (PRA) of 1980 as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35), and the ClingerCohen Act (also known as the Information Technology Management Reform Act of 1996) (P.L. 104-106, Division E) promote a risk-based policy for cost effective security. The Clinger-Cohen Act supplements the information resources management policies contained in the PRA by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. FISMA also specifies that national security classified information should be handled in accordance with the appropriate national security directives as provided by DoD and NSA.

FISMA charges the Director of the Office of Management and Budget (OMB) with the responsibility of overseeing the security polices and practices of all agencies of the executive branch of the Federal government, including “coordinating the development of standards and guidelines between NIST and the NSA and other agencies with responsibility for national security systems.” Agencies of the executive branch of the U.S. government are defined as:

OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” specifies that Federal government agencies perform the following functions:

OMB Circular A-130, Appendix III, also requires that each agency perform security accreditation, which is considered “a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs.”

The actions that FISMA requires each government agency to perform in developing and implementing an agencywide information security program are specified in NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” Second Public Draft, June 2003. FISMA specifies that the program must include:

  1. Periodic assessments of risk, including the magnitude of harm that can result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency
  2. Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system
  3. Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
  4. Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks
  5. Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
  6. A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency
  7. Procedures for detecting, reporting, and responding to security incidents
  8. Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency

Identification of Information Types

FISMA assigned to NIST the responsibility for developing the following information system–related standards and guidelines:

  1. Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels
  2. Guidelines recommending the types of information and information systems to be included in each category
  3. Minimum information security requirements (i.e., management, operational, and technical controls)

In order to satisfy item 1, NIST developed FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems.” FIPS 199 and the recently developed FIPS 200 standard, entitled “Minimum Security Requirements for Federal Information and Federal Information Systems,” are two mandatory standards specified in the FISMA legislation.

FIPS 199 is used to identify and categorize information and information systems and, as cited in the standard, should be used “To provide a common framework and understanding for expressing security that, for the Federal government promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.”

The FIPS 199 standard is applicable to:

Potential Harmful Impact Levels

FIPS 199 addresses and defines categories for both information and information systems in the context of the potential harmful impact that may result from the occurrence of different attack scenarios. These categories are to be applied with the corresponding threat and vulnerability characteristics of the information or information system. Information is identified according to its type. FIPS 199 describes an information type as “a specific category of information defined by an organization or in some instances, by a specific law, executive order, directive, policy, or regulation.” Typical information types include:

The security objective stated by FISMA is the standard preservation of confidentiality, integrity, and availability. These three terms are defined by FISMA as follows:

Assignment of Impact Level Scores

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are summarized in Table 12-1, taken from the publication.

Table 12-1: Potential Impact Definitions for Security Objectives

Open table as spreadsheet

SECURITY OBJECTIVE

LOW

POTENTIAL IMPACT MODERATE

HIGH

Confidentiality

Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C. § 3542]

The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity

Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C. § 3542]

The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability

Ensuring timely and reliable access to and use of information. [44 U.S.C. § 3542]

The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

FIPS 199 establishes security categories for an information type and information systems. A security category is a function of the potential impact on information or information systems as a result of threat realized exploiting a system vulnerability. The security category, SC, of an information type is given by the formula:

SCinformation type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE as defined in Table 12.1.

The formula for the SC of an information system is given as:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH. (A value of NOT APPLICABLE cannot be applied to the impact level of an information system.)

Assignment of System Impact Level

Examples of SCs for different applications will serve to clarify the use of the formulas.

The research department of a large pharmaceutical company has developed a novel antiviral medicine. The company has invested millions of dollars in its development, and sales of the medication could yield a very large return on its investment and make the company a leader in the marketplace. The research director has determined that, for the information on the medication, there would be a high potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. Thus, the security category, SC, of this information type would be:

SCresearch information = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}

Now, assume that the benefits department of the same pharmaceutical company determines that, for the employees’ benefits information, there would be a moderate potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. Thus, the security category, SC, of this information type would be:

SCbenefits information = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}

In order to determine the SC for an information system, the potential impact values assigned to the security objectives of confidential, integrity, and availability must be the maximum (worst-case) values assigned among the security categories that have been assigned to the different types of information residing on the system.

In the pharmaceutical company example, if the information system comprises only the research and benefits databases, the impact values in the information system SC formula would be the highest values assigned to the security objectives in the research information and benefits information SC formulas.

Thus, the security category of the pharmaceutical information system would comprise of the highest values of the two information categories resident on the system. Therefore,

SCpharmaceutical information system = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}

Initial Risk Estimation

NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” addresses risk assessment for Federal agencies. SP 800-30 defines risk as “a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.” A threat-source is “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”

Impact refers to “the magnitude of harm that could be caused by a threat’s exercise of a vulnerability.” A threat is “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

Threats to an information system have to be categorized and analyzed along with the system vulnerabilities in order to determine the potential impact on the system. SP 800-30 characterizes risk assessment by means of the following nine components:

  1. System Characterization
  2. Threat Identification
  3. Vulnerability Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation

In particular, threat identification and the threat likelihood of occurrence are critical to the certification and accreditation process.

Threat Source Identification

As part of certification and accreditation of an IT system, threat-sources must be identified that have the potential of exploiting vulnerabilities in that system. Threat-sources can be environmental, natural, or the result of human actions.

Environmental Threat-Sources

The following are examples of environmental threat sources:

Natural Threat-Sources

Natural threat-sources include:

Human Threat-Sources

Examples of human threats are:

Table 12-2, taken from NIST SP 800-30, summarizes the most common threat-sources along with motivations and methods for the corresponding attacks.

Table 12-2: Threat-Sources, Motivations, and Attacks

Open table as spreadsheet

THREAT SOURCE

MOTIVATION

THREAT ACTIONS

Hacker, cracker

Challenge

  • Hacking
  • Social engineering
  • System intrusion, break-ins
  • Unauthorized system access

Ego

Rebellion

Computer criminal

Destruction of information

  • Computer crime (e.g., cyber stalking)
  • Fraudulent act (e.g., replay, impersonation, interception)
  • Information bribery
  • Spoofing
  • System intrusion

Illegal information disclosure

Monetary gain

Unauthorized data alteration

Terrorist

Blackmail

  • Bomb/terrorism
  • Information warfare
  • System attack (e.g., distributed denial of service)
  • System penetration
  • System tampering

Destruction

Exploitation

Revenge

Industrial espionage (companies, foreign governments, other government interests)

Competitive advantage

  • Economic exploitation
  • Information theft
  • Intrusion on personal privacy
  • Social engineering
  • System penetration
  • Unauthorized system access (access to classified, proprietary, and/or technology-related information)

Economic espionage

Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)

Curiosity

  • Assault on employee
  • Blackmail
  • Browsing of proprietary information
  • Computer abuse
  • Fraud and theft
  • Information bribery
  • Input of falsified, corrupted data
  • Interception
  • Malicious code (e.g., virus, logic bomb, Trojan horse)
  • Sale of personal information
  • System bugs
  • System intrusion
  • System sabotage
  • Unauthorized system access

Ego

Intelligence

Monetary gain

Revenge

Unintentional errors and omissions (e.g., data entry error, programming error)

Threat Likelihood of Occurrence

The likelihood of a threat occurring is a function of the threat-source, potential IT system vulnerabilities, and any security controls that have been put into place.

Methods for analyzing vulnerabilities are addressed in NIST SP 800-30 and NIST SP 800-42, “Guideline on Network Security Testing.”

Analyzing for Vulnerabilities

In order to determine the existing and potential vulnerabilities in an information system, a combination of approaches should be employed, including using sources of compiled vulnerability information such as http://icat.nist.gov/icat.cfm, www.securityfocus.com/, and http://cve.mitre.org/.

Vulnerabilities can be determined during the different stages of the IT system life cycle, as illustrated in Table 12-3.

Table 12-3: Vulnerability Determination Corresponding to Different IT Life Cycle Stages

Open table as spreadsheet

STAGE

VULNERABILITY DETERMINATION

Pre-design

Requirements documents, developers’ analysis documents, organizational security policy, proposed security methods, vendors’ documentation and studies

Implementation

Security design documents, testing results, certification data, defined security controls

Operational

Analysis of security procedures, features and controls, testing, patch handling

Additional sources of vulnerability information include:

Another NIST document, SP 800-26, “Security Self-Assessment Guide for Information Technology Systems,” provides a questionnaire and checklist through which systems can be evaluated for compliance against specific control objectives. This approach is useful in identifying potential vulnerabilities.

A related technique is to develop a security requirements checklist, in which the system design and implementation are evaluated to determine how effectively they meet the system security requirements in management, technical, and operational areas.

Testing is also extremely useful in determining a system’s vulnerabilities and should be conducted at appropriate portions of the system development life cycle (SDLC). A typical SDLC consists of the following stages:

  1. Initiation - The system, mission, purpose, and configuration are described.
  2. Development and Acquisition - The system is developed and built according to requirements.
  3. Implementation and Installation - The system is installed and integrated.
  4. Operational and Maintenance - The system is operated and maintained according to its mission.
  5. Disposal - The system is deactivated and removed from active use.

Security testing is usually conducted in the Implementation and Operational stages of the SDLC. Security testing approaches include penetration testing, security test and evaluation (ST&E), and using automated vulnerability-scanning software.

Penetration testing (discussed in Chapter 2) examines an IT system’s information security measures and is used to determine the vulnerabilities of the system. Penetration testing, also known as ethical hacking, attempts to evaluate the resistance of an information system to a determined hacker. Some of the areas scrutinized by a penetration test are:

Penetration tests can attempt to exploit a vulnerability to determine it existence. Some of the areas that can be exploited include:

There are a number of categories of penetration tests. These categories are a function of the amount of information available to the tester and are summarized in Table 12-4.

Table 12-4: Categories of Penetration Tests

Open table as spreadsheet

CATEGORY

CHARACTERISTICS

Open-box

Testers have access to internal system code. This mode is especially suited to Unix or Linux.

Closed-box

Testers do not have access to internal code. This mode is well suited to closed systems.

Zero-knowledge test

Testers are not supplied with information concerning the IT system and have to acquire information from scratch.

Partial-knowledge test

Testers possess knowledge that may be applicable to a specific type of attack and potential associated vulnerabilities.

Full-knowledge test

Testers have extensive knowledge concerning the information system to be evaluated, similar to that possessed by an employee familiar with the system.

Security test and evaluation (ST&E) is another component of risk assessment that is useful in discovering system vulnerabilities. According to NIST SP 800-42, “Guideline on Network Security Testing,” ST&E is used to:

ST&E involves the examination and analysis of the safeguards required to protect an IT system in an operational environment. Proper execution of ST&E requires developing a test plan, executing the plan, and generating a report. The report is a key component of the final security certification material and is the certification agent’s statement regarding the security posture of the information system. The report includes:

A third type of test uses vulnerability-scanning tools, which scan networks or hosts for services that exhibit known potential vulnerabilities. These tools compare scanned services, operating systems, and applications against vulnerability databases to identify potential system vulnerabilities.

System Accreditation Boundary

NIST SP 800-37 defines the accreditation boundary as:

All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. Synonymous with the term security perimeter defined in the Committee on National Security Systems (CNSS) Instruction 4009 and Department of Central Intelligence Directive (DCID) 6/3.

CNSS 4009 defines an accreditation boundary/security perimeter as:

All components/devices of an information system (IS) to be accredited. Separately accredited components generally are not included within the perimeter.

In order to perform accreditation, the components to be included in the accreditation process have to be identified. This accreditation boundary has to be determined in order to develop an information security plan and conduct a risk assessment. There are trade-offs in determining the elements to include in the accreditation effort. If too many components are included, the certification and accreditation process will increase in complexity, but the number of accreditations that have to be performed and, generally, the corresponding costs will be reduced. Conversely, if a small number of items are included in the certification and accreditation tasks, the process will be simpler, but more accreditations will have to be performed and the costs will usually increase. These trade-offs are shown in Figure 12-1.

Figure 12-1: Accreditation trade-offs.

If an information system is unduly large and comprises many varied elements that may be physically and logically distributed, it should be partitioned into manageable subsystems that can be the objects of the accreditation process.

An important criterion that is useful in establishing an accreditation boundary is the organizational structure encompassing an information system. In particular, the information system and its associated resources should be under the same direct management control. Direct management control of an information system can be characterized as follows:

The security categories defined in FIPS 199 also provide a basis for determining accreditation boundaries. The boundaries can be assigned according to the impact on the information system resulting from a compromise of confidentiality, integrity, or availability.

Additional considerations for assigning the accreditation boundary of an information system are:

Legal and Regulatory Requirements

OMB Circular A-130, revised, lists legal and regulatory requirements of Federal agencies in managing their information resources. Section 8, “Policy,” of Circular A-130 states that agencies must “consider the effects of their actions on the privacy rights of individuals, and ensure that appropriate legal and technical safeguards are implemented” throughout the information management planning life cycle. Section 9 requires that agencies restrict the amount of individually identifiable information that they use or share to that which is legally necessary and authorized for an agency to carry out its mission and to ensure the confidentiality of that information. It also charges agencies with implementing the regulations, standards, and guidelines specified by OMB.

In general, risk management has to consider legal liability issues resulting from the following events:

Risk management is defined by NIST SP 800-30 as:

The total process of identifying, controlling, and mitigating information system related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

FISMA also promotes a government-wide risk-based approach to information security and accountability through a comprehensive evaluation of agency information security systems. FISMA does not require a single simultaneous evaluation of all information systems in an agency but requires thorough annual tests of selected systems.

The information systems should be reviewed at different frequencies as a function of information criticality, information sensitivity, and risk levels. However, the combination of the reviews conducted by the agency should result in a comprehensive evaluation of an agency’s security posture.

Selection of Security Controls

NIST Special Publication 800-53 provides guidance in the selection and configuration of security controls for Federal information systems. It replaces controls discussed in NIST SP 800-18 and NIST SP 800-26. SP 800-53 defines minimum security controls in accordance with low, moderate, and high impact categories of FIPS 199. These controls should be used as part of the risk assessment process and their implementation should address the stated system security objectives. FIPS 200 provides links to SP 800-53, which addresses security controls that can meet the minimum security requirements of FIPS 200. The minimum security requirements of FIPS 200 cover the following seventeen areas:

The security controls in SP 800-53 are organized into three different classes - Management, Operational, and Technical - with families falling under these classes. The controls are summarized in a security control catalog, which is Appendix F of SP 800-53. This Appendix is reproduced in this text as Appendix F, also. Table 12-5, taken from SP 800-53, lists the classes and families of controls, including a two character identifier for each family.

Table 12-5: Security Controls Classes, Families, and Identifiers

Open table as spreadsheet

CLASS

FAMILY

IDENTIFIER

Management

Risk assessment

RA

Management

Planning

PL

Management

System and services acquisition

SA

Management

Certification, accreditation, and security assessments

CA

Operational

Personnel security

PS

Operational

Physical and environmental protection

PE

Operational

Contingency planning

CP

Operational

Configuration management

CM

Operational

Maintenance

MA

Operational

System and informational integrity

SI

Operational

Media protection

MP

Operational

Incident response

IR

Operational

Awareness and training

AT

Technical

Identification and authentication

IA

Technical

Access control

AC

Technical

Audit and accountability

AU

Technical

System and communications protection

SC

Thus, as shown in the table, the risk assessment family of controls is part of the Management class and is identified as RA. Further, a number is attached to a family to identify a particular control in the family. For example, RA-2 would designate Security Categorization, the second control in the risk assessment family. Appendix F of SP 800-53 provides the details of RA-2 as follows:

RA-2 SECURITY CATEGORIZATION

Control: The organization categorizes the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and documents the results (including supporting rationale) in the system security plan. Designated senior-level officials within the organization review and approve the security categorizations. Supplemental Guidance: NIST Special Publication 800-60 provides guidance on determining the security categories of the information types resident on the information system. The organization conducts security categorizations as an organization-wide activity with the involvement of the chief information officer, senior agency information security officer, information system owners, and information owners.

Supplemental guidance: None

Control enhancements: None.

LOW RA-2 MOD RA-2 HIGH RA-2

As can be seen in the RA-2 example, there are three parts to the control structure:

At the end of the particular control section, the minimum security controls are specified for the low, moderate, and high impact baselines.

The Control Section

The control section describes information security actions that have to be taken by the organization to protect the information system. Some aspects of these activities are left to the organization through the application of assignment and selection operations within the main body of the control. Examples of such operations would be specifying the frequency of performing a certain test, the number of times per day backups are performed, and so on. Also, selection statements may constrain choices by providing a list of acceptable values from which to choose.

The Supplemental Guidance Section

This section provides additional information and guidance that organizations can use in their application of security controls to information systems. Sources of supplemental guidance include NIST Special Publications, legislation, executive orders, OMB circulars, directives, standards, and regulations.

The Control Enhancements Section

Control enhancements listed in this section are aimed at either adding to the functionality or increasing the strength of a basic control. These additional capabilities can provide increased protection for information systems over the protection available from the basic control. Control enhancements are identified by sequential numbering that can be added to the basic control. The Control section, Supplemental Guidance section, and Control Enhancements section are illustrated in another example from Appendix F of NIST SP 800-53, the 17th control of the Access Control Family (AC-17).

AC-17 REMOTE ACCESS

Control: The organization documents, monitors, and controls all methods of remote access (e.g., dial-up, Internet) to the information system including remote access for privileged functions. Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.

Supplemental Guidance: Remote access controls are applicable to information systems other than public web servers or systems specifically designed for public access. The organization restricts access achieved through dial-up connections (e.g., limiting dial-up access based upon source of request) or protects against unauthorized connections or subversion of authorized connections (e.g., using virtual private network technology). The organization permits remote access for privileged functions only for compelling operational needs. NIST Special Publication 800-63 provides guidance on remote electronic authentication.

Control Enhancements:

  1. The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
  2. The organization uses encryption to protect the confidentiality of remote access sessions.
  3. The organization controls all remote accesses through a managed access control point.

LOW AC-17 MOD AC-17 (1) (2) (3) HIGH AC-17 (1) (2) (3)

The previous example shows the security control baselines and enhancements to the baselines for low-impact, moderate-impact, and high-impact information systems, based on FIPS 199. For a low-impact information system, security control AC-17 is listed. For moderate- and high-impact information systems, control AC-17 augmented with enhancements (1), (2), and (3) is specified. The table in Appendix G of this text, taken from NIST SP 800-53, summarizes the security controls and enhancements to the baselines. A control that is not used is indicated in the table with the term “not selected.”

Assurance

Assurance is defined in SP 800-53 as “the grounds for confidence that the security controls implemented within an information system are effective in their application.” The minimum assurance requirements for low, moderate, and high baseline controls are given in Table 12-6.

Table 12-6: Minimum Assurance Requirements

Open table as spreadsheet

SECURITY CONTROL BASELINE

MINIMUM ASSURANCE REQUIREMENTS

Low

Control in place

 

No obvious errors

 

As flaws are discovered, they are addressed in a timely manner.

Moderate

Emphasis on correctness of control

 

As flaws are discovered, they are addressed in a timely manner.

 

Specific capabilities are incorporated to ensure that the control meets in function or purpose.

High

Capability to protect against threats from motivated and skilled threat agents

Common and System Specific Security Controls

In many instances, a set of security controls is applicable to more than one of the information systems in an organization. These controls are called common security controls and are applicable to the certification and accreditation process. For example, physical security controls, security awareness training controls, and contingency planning controls are good candidates for common security controls, because they are applicable across the enterprise. Controls that are not defined as common security controls are considered system-specific controls. A third category of control is the hybrid control, in which one portion of the control is system-specific and the other is common. For example, the policy segment of a control can be common to the enterprise while the implementation procedures are system-specific.

Considerable time and resource savings can be achieved during the certification and accreditation process by assessing the common controls once and applying the results across the corresponding information systems.

Security Controls and the Management of Organizational Risk

Organizational risk is the risk associated with the operation of an information system. The selection and application of appropriate security controls are key elements of managing organizational risk. The risk management process is outlined in Figure 12-2.

Figure 12-2: Organizational risk management process.

Managing organizational risk is an important component of a successful information security activity for both new and existing systems. Additional functions that support managing organizational risk detailed in SP 800-53 include:

Documenting Security Controls in the System Security Plan

It is important that the management of an agency has the latest and accurate documentation on the security status of its information systems. This information is necessary to support the accreditation decision. Recall that the security certification and accreditation process comprises the following phases:

These phases incorporate security documentation as follows:

The system security plan is developed by the owner of the information system and approved by the authorizing official. The plan is part of the security accreditation package and outlines the information system security requirements and associated planned and existing controls. It can also reference incident response plans, contingency plans, configuration management plans, risk assessments, and security configuration checklists. Figure 12-3, taken from NIST SP 800-37, summarizes the security accreditation package.

Figure 12-3: The Security Accreditation Package.

In addition to ensuring that the security controls for an information system are documented in the system security plan, agency management must have business continuity or contingency plans in place. NIST SP 800-53 specifies a family of contingency planning controls denoted by CP in the Operational class. Table 12-7, with data from NIST SP 800-53, summarizes the CP control baselines according to the categories of FIPS 199.

Table 12-7: Contingency Planning Security Controls

Open table as spreadsheet

CONTROL

CONTROL BASELINES

NO.

NAME

LOW

MOD

HIGH

CONTINGENCY PLANNING

CP-1

Contingency Planning Policy and Procedures

CP-1

CP-1

CP-1

CP-2

Contingency Plan

CP-2

CP-2 (1)

CP-2 (1)

CP-3

Contingency Training

Not Selected

CP-3

CP-3 (1)

CP-4

Contingency Plan Testing

Not Selected

CP-4 (1)

CP-4 (1) (2)

CP-5

Contingency Plan Update

CP-5

CP-5

CP-5

CP-6

Alternate Storage Sites

Not Selected

CP-6 (1)

CP-6 (1) (2) (3)

CP-7

Alternate Processing Sites

Not Selected

CP-7 (1) (2) (3)

CP-7 (1) (2) (3) (4)

CP-8

Telecommunications Services

Not Selected

CP-8 (1) (2)

CP-8 (1) (2) (3) (4)

CP-9

Information System Backup

CP-9

CP-9 (1)

CP-9 (1) (2) (3)

CP-10

Information System Recovery and Reconstitution

CP-10

CP-10

CP-10 (1)

The Control sections of CP-1 and CP-2 summarize the basic management obligations for contingency planning as follows:

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES

Control: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 CONTINGENCY PLAN

Control: The organization develops and implements a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. Designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

Assessment Questions

You can find the answers to the following questions in Appendix A.

1. 

Which one of the following documents requires the development and maintenance of minimum controls to protect Federal information and information systems?

  1. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  3. The Federal Information Security Management Act (FISMA)
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

2. 

FISMA charges which one of the following agencies with the responsibility of overseeing the security policies and practices of all agencies of the executive branch of the Federal government?

  1. Office of Management and Budget (OMB)
  2. National Institute of Standards and Technology (NIST)
  3. National Security Agency (NSA)
  4. Department of Justice

3. 

NIST Special Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” defines the term assurance as:

  1. The requirement that information and programs are changed only in a specified and authorized manner
  2. The measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information
  3. The grounds for confidence that the security controls implemented within an information system are effective in their application
  4. The requirement that private or confidential information not be disclosed to unauthorized individuals

4. 

Which one of the following publications requires Federal agencies to review the security controls in their information systems and perform security accreditation?

  1. FIPS –199, “Standard for Security Categorization of Federal Information and Information Systems”
  2. OMB Circular A-130, Appendix III
  3. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  4. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”

5. 

Which one of the following publications provides direction for each government agency in developing and implementing an agencywide information security program according to the FISMA requirements?

  1. NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  4. DoD Directive 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003

6. 

FISMA assigned the responsibility for developing standards to be used by all Federal agencies to categorize all information and information systems to which one of the following organizations?

  1. OMB
  2. NIST
  3. NSA
  4. DoD

7. 

Which publication categorizes information and information systems as part of the FISMA mandate?

  1. OMB Circular A-130, Appendix III
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-30 “Risk Management Guide for Information Technology Systems”
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

8. 

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. These levels are:

  1. Minimum, Normal, Maximum
  2. Low, Moderate, High
  3. Unclassified, Confidential, Secret
  4. Confidential, Secret, Top Secret

9. 

Which one of the following best describes FIPS 199 security categories?

  1. A function of the potential strength of an information system when proper information assurance controls are applied
  2. A function of the potential weakness of an information system when proper information assurance controls are applied
  3. A function of the potential flexibility of an information system when different IT operations are performed
  4. A function of the potential impact on information or information systems as a result of threat realized exploiting a system vulnerability.

10. 

The general formula for categorization of an information type developed in FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” is which one of the following?

  1. SC information type = {(confidentiality, risk), (integrity, risk), (availability, risk)}
  2. SC information type = {(confidentiality, controls), (integrity, controls), (availability, controls)}
  3. SC information type = {(assurance, impact), (integrity, impact), (authentication, impact)}
  4. SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

11. 

In order to determine the security category (SC) for an information system, the potential impact values assigned to the security objectives of confidential, integrity, and availability must be which one of the following?

  1. The maximum values assigned among the security categories that have been assigned to the different types of information residing on the system
  2. The minimum values assigned among the security categories that have been assigned to the different types of information residing on the system
  3. The average of the values assigned among the security categories that have been assigned to the different types of information residing on the system
  4. None of the above

12. 

NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” defines a term as “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” Which one of the following items is the term in the definition?

  1. Risk
  2. Impact
  3. Threat source
  4. Assurance

13. 

Impact is defined by NIST SP 800-30 as which one of the following?

  1. The magnitude of the vulnerability
  2. The magnitude of harm that could be caused by a threat’s exercise of vulnerability
  3. The magnitude of the risk
  4. The quality of the security controls on the system

14. 

NIST SP 800-30 includes threat identification, control analysis, likelihood determination, impact analysis, and control recommendations as components of which one of the following activities?

  1. Penetration testing
  2. Intrusion detection
  3. Risk assessment
  4. Vulnerability assessment

15. 

Hackers, computer criminals, terrorists, floods, tornadoes, and strikes are examples of:

  1. Threat-sources
  2. Vulnerabilities
  3. Risks
  4. Intrusions

16. 

What NIST document provides a questionnaire and checklist through which systems can be evaluated for compliance against specific control objectives?

  1. SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  3. SP 800-26, “Security Self-Assessment Guide for Information Technology Systems”
  4. FIPS Publication 199, “Standards for Security Categorization of Federal Information and Information Systems”

17. 

Initiation, development and acquisition, implementation and installation, operational maintenance, and disposal are components of what activity?

  1. The system development life cycle (SDLC)
  2. The system engineering life cycle
  3. The capability maturity model (CMM)
  4. Risk management life cycle

18. 

The term ST&E stands for:

  1. System test and evaluation
  2. Security, timing, and evaluation
  3. Security, test, and evaluation
  4. System timing and evaluation

19. 

Which one of the following lists describes different types of penetration tests?

  1. Zero-knowledge test, partial-knowledge test, full-knowledge test
  2. Hard test, soft test, moderate test
  3. Complete test, partial test, minimal test
  4. Technical test, cursory test, partial-knowledge test

20. 

FIPS Publication 199 defines three levels of potential impact to the compromise of confidentiality, integrity, and availability. Which one of the following statements taken from FIPS 199 describes a moderate level of impact on confidentiality?

  1. The unauthorized disclosure of information could be expected to have a serious adverse affect on organizational operations, organizational assets, or individuals.
  2. The unauthorized modification or destruction of information could be expected to have a limited adverse affect on organizational operations, organizational assets, or individuals.
  3. The disruption of access to or the use of information or an information system could be expected to have a serious adverse affect on organizational operations, organizational assets, or individuals.
  4. The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse affect on organizational operations, organizational assets, or individuals.

21. 

The definition “All components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected” taken from NIST SP 800-37 refers to which one of the following terms?

  1. Assurance boundary
  2. Assurance perimeter
  3. Testing perimeter
  4. Accreditation boundary

22. 

Which activity referred to in OMB Circular A-130 has to consider legal liability issues resulting from omissions and errors, failure to exercise due care in the operation of an information system, and unauthorized disclosure, modification, or destruction of data?

  1. Risk avoidance
  2. Risk management
  3. Testing
  4. Dry run

23. 

What NIST Special Publication provides guidance in the selection and configuration of security controls for Federal information systems?

  1. NIST SP 800-42
  2. NIST SP 800-30
  3. NIST SP 800-53
  4. NIST SP 800-57

24. 

Which one of the following NIST publications links to SP 800-53 and specifies minimum security requirements for information systems, including access control, awareness and training, configuration management, and personnel security?

  1. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. NIST SP 800-53, “Recommended Security Controls for Federal Information Systems”
  3. NIST SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
  4. FIPS 200 standard, “Minimum Security Requirements for Federal Information and Federal Information Systems”

25. 

The Security Controls of NIST SP 800-53 are organized into which three classes?

  1. Physical, operational, technical
  2. Management, operational, technical
  3. Personnel, operational, technical
  4. Management, physical, technical

26. 

If AC represents the Access Control family in NIST SP 800-53, what does AC-15 denote?

  1. The 15th control of the Access Control Family
  2. The 15th class of the Access Control Family
  3. The 15th field of the Access Control Family
  4. None of the above

27. 

The control structure in NIST SP 800-53 comprises three parts. Which one of the following is the correct listing of the three parts?

  1. Management section, supplemental guidance section, control enhancements section
  2. Management section, technical section, control enhancements section
  3. Control section, technical section, control enhancements section
  4. Control section, supplemental guidance section, control enhancements section

28. 

A description of one element of the access control family listed in NIST SP 800-53 is LOW AC-17, MOD AC-17 (1) (2) (3), HIGH AC-17 (1) (2) (3) for low-impact, moderate-impact, and high-impact information systems, based on FIPS 199. What do the terms in parentheses represent?

  1. Basic controls implementing access control in the family
  2. Control enhancements adding to the functionality or increasing the strength of a basic control
  3. Basic controls implementing access control in the class
  4. The quality of the security controls on the system

29. 

The security certification and accreditation process comprises which one of the following sets of phases?

  1. Establishment, security certification, security accreditation, and continuous monitoring
  2. Initiation, security certification, security accreditation, and maintenance
  3. Initiation, security certification, security accreditation, and continuous monitoring
  4. Initiation, security certification, security accreditation, and operation

30. 

NIST SP 800-53 defines a term as “the grounds for confidence that the security controls implemented within an information system are effective in their application.” Which one of the following is that term?

  1. Threat source
  2. Vulnerability
  3. Assurance
  4. Evaluation

31. 

A set of security controls that is applicable to a number of information systems in an organization is called:

  1. Common security controls
  2. System-specific security controls
  3. Hybrid security controls
  4. Special security controls

32. 

In the certification and accreditation process, a plan must be developed that outlines the information system security requirements and associated planned and existing controls. This plan is called:

  1. Common security control plan
  2. The general project plan
  3. The system security plan
  4. The special control plan

33. 

The security accreditation package comprises which one of the following sets of items?

  1. The general project plan, security assessment report, plan of action, and milestones
  2. The system security plan, security assessment report, plan of action, and milestones
  3. The special security plan, security assessment report, plan of action, and milestones
  4. System security plan, technical operations report, plan of action, and milestones

Answers

1. 

Answer: c

Development and maintenance of these controls is one of the four prime directives of FISMA, Title III of the E-Government Act of 2002.

2. 

Answer: a

FISMA charges the Director of OMB with those responsibilities.

3. 

Answer: c

Answer c addresses how well security controls function.

4. 

Answer: b

OMB Circular A-130, Appendix III, imposes this requirement.

5. 

Answer: a

NIST SP 800-37 provides this direction.

6. 

Answer: b

The correct answer is b, NIST. FISMA also assigned to NIST the responsibility for developing guidelines recommending the types of information and information systems to be included in each security category and the minimum information security requirements.

7. 

Answer: d

8. 

Answer: b

9. 

Answer: d

10. 

Answer: d

11. 

Answer: a

12. 

Answer: c

13. 

Answer: b

14. 

Answer: c

15. 

Answer: a

16. 

Answer: c

17. 

Answer: a

18. 

Answer: c

19. 

Answer: a

The answer a is correct. The other answers are made-up distracters.

20. 

Answer: a

The answer a is correct. Answer b refers to a low impact on integrity, answer c refers to moderate impact on availability, and answer d refers to a high impact on confidentiality.

21. 

Answer: d

The correct answer is d, accreditation boundary. The other answers are made-up distracters.

22. 

Answer: b

23. 

Answer: c

The correct answer is c, “Recommended Security Controls for Federal Information Systems”

24. 

Answer: d

25. 

Answer: b

26. 

Answer: a

27. 

Answer: d

28. 

Answer: b

29. 

Answer: c

30. 

Answer: c

31. 

Answer: a

The correct answer is a, common security controls. Controls that are not defined as common to a number of information systems are defined as system-specific.

32. 

Answer: c

33. 

Answer: b

Категории