Job_Aid_Security_Poster, NIST_SP_800_60v2r1 Data Categorization, InfoSec_Fundamentals, Risk_Threat_Matrix, 20151112

Print Date: 11/12/2015   http://www.linkedin.com/jderienzo   Page 1 of 1


INFORMATION SECURITY FUNDAMENTALS

The goal of Information Security is to protect and defend valuable information assets from motivated threat actors or agents, where the source of an attack can be internal or external, intentional or unintentional, environmental or man-made. Information Assurance (IA) Professionals recommend security controls to safeguard information system components (Information, People, Processes, Hardware, Software, Network) from harm, loss, misconfiguration, misuse or exploitation.

An IA Professional determines the Sensitivity Level of an information system by assigning an impact level of LOW, MODERATE or HIGH to each of the three security attributes associated with "Information" (the red X's in the attribute table below) stored or processed on the information system. NIST SP 800-60 V2R1 Appendices C, D and E divide Information into Information Types, and the process for determining the sensitivity level is repeated for each Information Type. An IA Professional then determines the minimum set of baseline security controls using the high water mark method, that is, from the highest sensitivity level across all information types stored or processed on the information system. For example, if the impact value associated with the confidentiality security attribute of an information type is HIGH, then the IA Professional selects the HIGH set of minimum baseline controls from the NIST SP 800-53 Revision 4 Security Control Catalog.

The "Data" information system component aligns with a broader set of security attributes as well, including Authenticity/Trustworthiness, Non-repudiation and Privacy (see the attribute table below). For instance, systems that store Personally Identifiable Information (PII) must contain security controls that protect against the loss of PII. NIST SP 800-53 Rev. 4 Appendix J contains a set of Privacy security controls.

Information System Components: Information (Data), People, Processes, Hardware, Software, Network (Communications).

Apply security controls to improve the strength of security attributes inherent in information system components.

Security attributes (an X marks the information system component(s) the attribute applies to; the marks are reproduced as printed, and the three red X's against "Information" are Confidentiality, Integrity and Availability):

  1 Confidentiality: A system should ensure that only authorized users access information.  Marks: X
  2 Integrity: A system should ensure completeness, accuracy and absence of unauthorized modifications in all its components.  Marks: X X X X X X
  3 Availability: A system should ensure that all of the system's components are available and operational when they are required by authorized users.  Marks: X X X X X X
  4 Accountability: An ability of a system to hold users responsible for their actions (e.g. misuse of information).  Marks: X
  5 Auditability: An ability of a system to conduct persistent, non-bypassable monitoring of all actions performed by humans or machines within the system.  Marks: X
  6 Authenticity/Trustworthiness: An ability of a system to verify identity and establish trust in a third party and in the information it provides.  Marks: X X X X X X
  7 Non-repudiation: An ability of a system to prove (with legal validity) the occurrence/non-occurrence of an event or the participation/non-participation of a party in an event.  Marks: X X
  8 Privacy: A system should obey privacy legislation and it should enable individuals to control, where feasible, their personal information (user involvement).  Marks: X X


IMPACT ASSESSMENT (to Determine the Sensitivity Level of an Information System/Information Type)

Sensitivity Level of Information System (IS)/Information Type: the perceived impact from the loss of the three fundamental security attributes of information, namely Confidentiality, Integrity and Availability.

Worksheet columns: Data Filter Column | Information Types | Provisional SP 800-60v2r1 Impact Values (C I A) | System Name: Current FIPS 199 Impact Values (C I A) | System Name: Proposed FIPS 199 Impact Values (C I A)

Enter <------- Current C I A = M M M; Proposed C I A = M M M
Computed High Water Mark for IS: Current = MODERATE; Proposed = MODERATE
Information System High Water Mark = MODERATE

NIST FIPS 199, Table 1: Potential Impact Definitions

  Confidentiality (Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.)
    LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

  Integrity (Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.)
    LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

  Availability (Ensuring timely and reliable access to and use of information.)
    LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


Appendix C: Management & Support Information & Information Systems Impact Levels

Values are C I A triplets as printed on the poster (L = LOW, M = MODERATE, H = HIGH, N/A = not applicable, N/S = national security, out of scope). Where the poster shows more than one triplet for a row (provisional / current / proposed columns), the triplets are separated by "/". Numbers in parentheses refer to the footnotes at the end.

Rationale and Factors for Services Delivery Support Information

Controls and Oversight
  Corrective Action Information Type: L L L
  Program Evaluation Information Type: L L L
  Program Monitoring Information Type (3): L(3) L L

Regulatory Development
  Policy and Guidance Development Information Type: L L L
  Public Comment Tracking Information Type: L L L
  Regulatory Creation Information Type: L L L
  Rule Publication Information Type: L L L

Planning and Budgeting
  Budget Formulation Information Type: L L L
  Capital Planning Information Type: L L L
  Enterprise Architecture Information Type: L L L
  Strategic Planning Information Type: L L L
  Budget Execution Information Type: L L L
  Workforce Planning Information Type: L L L
  Management Improvement Information Type: L L L
  Budget and Performance Integration Information Type: L L L
  Tax and Fiscal Policy Information Type: L L L

Internal Risk Management and Mitigation
  Contingency Planning Information Type: M M M / M M M / M M M
  Continuity of Operations Information Type: M M M
  Service Recovery Information Type: L L L

Revenue Collection
  Debt Collection Information Type: M L L
  User Fee Collection Information Type: L L M
  Federal Asset Sales Information Type: L M L

Public Affairs
  Customer Services Information Type: L L L
  Official Information Dissemination Information Type: L L L
  Product Outreach Information Type: L L L
  Public Relations Information Type: L L L

Legislative Relations
  Legislation Tracking Information Type: L L L
  Legislation Testimony Information Type: L L L
  Proposal Development Information Type: M L L
  Congressional Liaison Operations Information Type: M L L

General Government
  Central Fiscal Operations Information Type (4): M L L
  Legislative Functions Information Type: L L L
  Executive Functions Information Type (5): L L L
  Central Property Management Information Type: L(6) L L(7)
  Central Personnel Management Information Type: L L L
  Taxation Management Information Type: M L L
  Central Records and Statistics Management Information Type: M L L
  Income Information Information Type (8): M M M
  Personal Identity and Authentication Information Information Type (8): M M M
  Entitlement Event Information Information Type (8): M M M
  Representative Payee Information Information Type (8): M M M
  General Information Information Type (9): L L L
    Notification of Finding Report Information (General Information Information Type [9]): L L L
    Memoranda and Guidelines (General Information Information Type [9]): L L L
    Presidential Directives & Executive Orders (General Information Information Type [9]): L L L
    Other Executive Office of the President Guidance (General Information Information Type [9]): L L L

Rationale and Factors for Government Resource Management Information

Administrative Management
  Facilities, Fleet, and Equipment Management Information Type: L(6) L(7) L(7)
  Help Desk Services Information Type: L L L
  Security Management Information Type: M M L
  Travel Information Type: L L L
  Workplace Policy Development and Management Information Type (Intra-Agency Only): L L L

Financial Management
  Assets and Liability Management Information Type: L L L
  Reporting and Information Information Type: L M L
  Funds Control Information Type: M M L
  Accounting Information Type: L M L
  Payments Information Type: L M L
  Collections and Receivables Information Type: L M L
  Cost Accounting/Performance Measurement Information Type: L M L

Human Resource Management
  HR Strategy Information Type: L L L
  Staff Acquisition Information Type: L L L
  Organization & Position Management Information Type: L L L
  Compensation Management Information Type: L L L
  Benefits Management Information Type: L L L
  Employee Performance Management Information Type: L L L
  Employee Relations Information Type: L L L
  Labor Relations Information Type: L L L
  Separation Management Information Type: L L L
  Human Resources Development Information Type: L L L

Supply Chain Management
  Goods Acquisition Information Type: L L L
  Inventory Control Information Type: L L L
  Logistics Management Information Type: L L L
  Services Acquisition Information Type: L L L

Information and Technology Management
  System Development Information Type: L M L
  Lifecycle/Change Management Information Type: L M L
  System Maintenance Information Type: L M L
  IT Infrastructure Maintenance Information Type (10): L L L
  Information Security Information Type: L M L
  Record Retention Information Type: L L L
  Information Management Information Type (11): L M L
  System and Network Monitoring Information Type: M M L
  Information Sharing Information Type: N/A N/A N/A


Appendix D: Impact Determination for Mission-Based Information & Information Systems

Defense and National Security (N/S): N/S N/S N/S

Homeland Security
  Border and Transportation Security Information Type: M M M
  Key Asset and Critical Infrastructure Protection Information Type: H H H
  Catastrophic Defense Information Type: H H H
  Executive Functions of the Executive Office of the President (EOP) Information Type (23): H M H
  Intelligence Operations (24): N/S N/S N/S

Disaster Management
  Disaster Monitoring and Prediction Information Type: L H H
  Disaster Preparedness and Planning Information Type: L L L
  Disaster Repair and Restoration Information Type: L L L
  Emergency Response Information Type: L H H

International Affairs and Commerce
  Foreign Affairs Information Type: H H M
  International Development and Humanitarian Aid Information Type: M L L
  Global Trade Information Type: H H H

Natural Resources
  Water Resource Management Information Type: L L L / L M L
  Conservation, Marine and Land Management Information Type: L L L / L L L
  Recreational Resource Management and Tourism Information Type: L L L / L L L
  Agricultural Innovation and Services Information Type: L L L / L L L

Energy
  Energy Supply Information Type: L(25) M(26) M(26) / M M L
  Energy Conservation and Preparedness Information Type: L L L / L L L
  Energy Resource Management Information Type: M L L / L L L
  Energy Production Information Type: L L L

Environmental Management (category row as printed: L L L)
  Environmental Monitoring and Forecasting Information Type: L M L / L L L
  Environmental Remediation Information Type: M L L / L L L
  Pollution Prevention and Control Information Type: L L L / L L L

Economic Development
  Business and Industry Development Information Type: L L L / L L L
  Intellectual Property Protection Information Type: L L L / L L L
  Financial Sector Oversight Information Type: M L L / L L L
  Industry Sector Income Stabilization Information Type: M L L / M L L

Community and Social Services
  Homeownership Promotion Information Type: L L L / L L L
  Community and Regional Development Information Type: L L L / L L L
  Social Services Information Type: L L L / L L L
  Postal Services Information Type: L M M

Transportation (category row as printed: L L L)
  Ground Transportation Information Type: L L L / L L L
  Water Transportation Information Type: L L L / L L L
  Air Transportation Information Type: L L L / L L L
  Space Operations Information Type: L H H

Education (category row as printed: N/A N/A N/A)
  Elementary, Secondary, and Vocational Education Information Type: L L L / N/A N/A N/A
  Higher Education Information Type: L L L
  Cultural and Historic Preservation Information Type: L L L
  Cultural and Historic Exhibition Information Type: L L L

Workforce Management
  Training and Employment Information Type: L L L
  Labor Rights Management Information Type: L L L
  Worker Safety Information Type: L L L

Health
  Access to Care Information Type: L M L
  Population Health Management and Consumer Safety Information Type: L M L
  Health Care Administration Information Type: L M L
  Health Care Delivery Services Information Type: L H L
  Health Care Research and Practitioner Education Information Type: L M L

Income Security
  General Retirement and Disability Information Type: M M M
  Unemployment Compensation Information Type: L L L
  Housing Assistance Information Type: L L L
  Food and Nutrition Assistance Information Type: L L L
  Survivor Compensation Information Type: L L L

Law Enforcement
  Criminal Apprehension Information Type: L L M
  Criminal Investigation and Surveillance Information Type: M M M
  Citizen Protection Information Type: M M M
  Leadership Protection Information Type: M L L
  Property Protection Information Type: L L L
  Substance Control Information Type: M M M
  Crime Prevention Information Type: L L L
  Trade Law Enforcement Information Type (27): M M M

Litigation and Judicial Activities
  Judicial Hearings Information Type: M L L
  Legal Defense Information Type: M H L
  Legal Investigation Information Type: M M M
  Legal Prosecution and Litigation Information Type: L M L
  Resolution Facilitation Information Type: M L L

Federal Correctional Activities
  Criminal Incarceration Information Type: L M L
  Criminal Rehabilitation Information Type: L L L

General Sciences and Innovation
  Scientific and Technological Research and Innovation Information Type: L M L
  Space Exploration and Innovation Information Type: L M L

Information types listed on the poster without printed impact values:
  Knowledge Creation and Management: Research and Development; General Purpose Data and Statistics; Advising and Consulting; Knowledge Dissemination
  Regulatory Compliance and Enforcement: Inspections and Auditing; Standards Setting/Reporting Guideline Development; Permits and Licensing
  Public Goods Creation and Management: Manufacturing; Construction; Public Resources, Facility and Infrastructure Management; Information Infrastructure Management
  Federal Financial Assistance: Federal Grants (Non-State); Direct Transfers to Individuals; Subsidies; Tax Credits
  Credit and Insurance: Direct Loans; Loan Guarantees; General Insurance
  Transfers to State/Local Governments: Formula Grants; Project/Competitive Grants; Earmarked Grants; State Loans
  Direct Services for Citizens: Military Operations (28); Civilian Operations (28)


Appendix E: Legislative & Executive Sources Establishing Sensitivity/Criticality

  Legislative Mandates; Executive Mandates; Office of Management and Budget Memoranda and Guidelines; Presidential Directives and Executive Orders; Other EOP Guidance; OMB and Case Law Interpretations.


RISK/THREAT MATRIX

Instructions: Decrease INHERENT RISK by applying SAFEGUARDS to minimize the LIKELIHOOD that a THREAT will compromise a VULNERABILITY in an information system, security policy, or internal control, so that the RESIDUAL RISK falls below the Risk Tolerance Threshold Line. Examples of mitigating controls or COUNTERMEASURES include: 1) Top 20 Critical Security Controls; 2) NIST SP 800-53 Revision 4 Security Controls; 3) Tailor NIST SP 800-53 Revision 4 Security Controls by applying Security Control Enhancements and hardening organizationally-defined values and selections; 5) Increase the Maximum Risk Tolerance Threshold value.

3 x 3 Risk Matrix (RISK MATRIX SCORING RANGE = 1 to 9; cell = likelihood score x impact score)

  (THREAT) LIKELIHOOD          IMPACT (IF BREACH WERE TO OCCUR)
                          1 Limited   2 Serious   3 Severe
  3 Almost Certain            3           6           9
  2 Possible                  2           4           6
  1 Rare                      1           2           3

  Bands: Low Risk (1-3), Moderate Risk (4-6), High Risk (7-9).
  LEGEND: Risk Tolerance Threshold Line; Max. Risk Tolerance; Threshold Value.
  Note: Continuously monitor assets with a severe impact potential for any increase in likelihood.

3x3 Risk Matrix Likelihood Definitions and Impact Descriptors

  Score 3: Is highly likely to occur at some time in normal circumstances. High, >80%. Impact: Severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Severe/Catastrophic: All potential benefits lost.
  Score 2: Likely to occur at some time in normal circumstances. Medium, 40-80%. Impact: Serious adverse effect on organizational operations, organizational assets, or individuals. Serious: Loss of 33-66% of benefits.
  Score 1: Is unlikely to occur in normal circumstances, but could occur at some time. Low, <40%. Impact: Limited adverse effect on organizational operations, organizational assets, or individuals. Limited: Loss of <33% of benefits.

5 x 5 Risk Matrix (scores 1 to 25; cell = likelihood score x impact score)

  (THREAT) LIKELIHOOD          IMPACT (IF BREACH WERE TO OCCUR)
                          1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
  5 Almost Certain               5              10         15          20           25
  4 Likely                       4               8         12          16           20
  3 Possible                     3               6          9          12           15
  2 Unlikely                     2               4          6           8           10
  1 Rare                         1               2          3           4            5

  Bands: Low Risk (1-5) (the poster's "Convert to Low Risk (1-5)"), Moderate Risk (6-14), High Risk (15-25).
  LEGEND: Risk Tolerance Threshold Line; Max. Risk Tolerance; Threshold Value.
  Note: Continuously monitor assets with a catastrophic impact potential for any increase in likelihood.

5x5 Risk Matrix Likelihood Definitions and Impact Descriptors

  Score 5: Is highly likely to occur at some time in normal circumstances. Very High, >80%. Impact: Critical long term damage or harm to service users/public. Critical reputation impact. Intervention by other agencies. Huge financial impact. Catastrophic: All potential benefits lost.
  Score 4: Likely to occur at some time in normal circumstances. High, 60-80%. Impact: Major damage or harm to service users/public. High reputation impact (national press and TV coverage). Minor regulatory enforcement. Major financial impact. Critical: Loss of 80-100% of benefits.
  Score 3: Likely to occur in some circumstances or at some time. Medium, 40-60%. Impact: Noticeable damage or harm to service users/public. Extensive reputation impact due to press coverage. External criticism likely. High financial impact. Significant: Loss of 50-80% of benefits.
  Score 2: Is unlikely to occur in normal circumstances, but could occur at some time. Low, 20-40%. Impact: Minor damage or harm to service users/public. Minor reputation impact. Moderate financial loss. Marginal: Loss of 25-50% of benefits.
  Score 1: May only occur in exceptional circumstances; highly unlikely. Very Low, <20%. Impact: Insignificant damage or harm to service users/public. Little or no loss of front line service. No reputation impact. Negligible: Loss of <25% of benefits.


Footnotes

3 The confidentiality impact assigned to the Program Monitoring Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
4 Tax-related functions are associated with the Taxation Management information type.
5 The OMB Business Reference Model "Executive Function" has been expanded to include general agency executive functions as well as Executive Office of the President (EOP) functions. Strictly EOP executive functions are treated in Appendix D, Examples of Impact Determination for Mission-Based Information and Information Systems.
6 High where safety of major critical infrastructure components or key national assets is at stake.
7 Moderate or High in emergency situations where time-critical processes affecting human safety or major assets are involved.
8 The identified information types are not a derivative of OMB's Business Reference Model and were added to address privacy information.
9 The OMB Business Reference Model does not include a General Information information type. This information type was added as a catch-all information type. As such, agencies may use this to identify additional information types not defined in the BRM and assign impact levels.
10 The confidentiality impact assigned to the IT Infrastructure Maintenance Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
11 The confidentiality impact assigned to the Information Management Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
20 Impact level is usually moderate to high in emergency situations where time-critical processes affecting human safety or major assets are involved.
21 A loss of confidentiality that causes a significant degradation in mission capability, places the agency at a significant disadvantage, or results in major damage to assets, requiring extensive corrective actions or repairs.
23 The identified information types are not a derivative of OMB's Business Reference Model and were added to address functions of the Executive Office of the President (EOP).
24 Where foreign intelligence information is involved, the information and information systems are categorized as national security information or systems and are outside the scope of this guideline.
25 High where the safety of radioactive materials, highly flammable fuels, or transmission channels or control processes is at risk.
26 Usually Moderate or High where mission-critical procedures are involved.
27 The identified information types are not a derivative of OMB's Business Reference Model and were added to address trade law enforcement.
28 As a mode of delivery of mission-based services, the security categorization of the Direct Services to Citizens sub-functions Military Operations and Civilian Operations depends on the mission services delivered to the citizens [e.g., Health Care, Emergency Response, Environmental Remediation] and should be categorized in accordance with the mission-based information type.
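The high water mark procedure described in the narrative (take the highest impact value per security objective across every information type on the system, then the highest of those for the system category) and the poster's likelihood x impact risk scoring can both be written down as a few lines of code. The following Python is an added example, not part of the poster or of NIST SP 800-60/FIPS 199; it parses rows written in the poster's own "Name Information Type C I A" layout, drops the footnote markers, treats N/A and N/S as contributing nothing to the high water mark, and applies the 3x3 and 5x5 risk bands printed above. The sample rows are constructed for the example (their values mirror Appendix C/D entries), and the choice to use only the first C I A triplet of a row and to leave impact unchanged when a safeguard reduces likelihood are assumptions of the example.

```python
"""Added example (not from the poster or NIST): SP 800-60 / FIPS 199 high-water-mark
categorization plus the poster's 3x3 and 5x5 risk-matrix scoring, run on a few
constructed rows written in the poster's "Name Information Type C I A" layout."""
from dataclasses import dataclass

# FIPS 199 impact ordering. "N/A" (not applicable) and "N/S" (national security,
# outside the scope of SP 800-60) contribute nothing to the high water mark.
LEVEL_RANK = {"L": 1, "M": 2, "H": 3}
RANK_LEVEL = {1: "LOW", 2: "MODERATE", 3: "HIGH"}
VALUE_TOKENS = {"L", "M", "H", "N/A", "N/S"}


@dataclass(frozen=True)
class InfoType:
    name: str
    c: str  # confidentiality impact
    i: str  # integrity impact
    a: str  # availability impact


def parse_poster_row(row):
    """Parse one poster row such as 'Central Property Management Information Type L (6) L L (7)'.
    Footnote markers, whether separate '(6)' or fused 'L(25)', are dropped, and only the
    first C I A triplet is used (assumption: that is the column under evaluation)."""
    name, sep, rest = row.partition(" Information Type")
    if not sep:
        raise ValueError(f"row is not in the poster's layout: {row!r}")
    tokens = [t.split("(")[0].upper() for t in rest.split()]   # "L(25)" -> "L", "(6)" -> ""
    values = [t for t in tokens if t in VALUE_TOKENS]
    if len(values) < 3:
        raise ValueError(f"no C I A triplet found in: {row!r}")
    return InfoType(name.strip(), *values[:3])


def categorize(info_types):
    """High water mark per security objective and for the whole system.
    Returns ({'C': level, 'I': level, 'A': level}, overall), where a level is
    'LOW', 'MODERATE', 'HIGH', or None when no applicable value was seen."""
    best = {"C": 0, "I": 0, "A": 0}
    for it in info_types:
        for key, val in (("C", it.c), ("I", it.i), ("A", it.a)):
            best[key] = max(best[key], LEVEL_RANK.get(val, 0))
    per_objective = {k: RANK_LEVEL.get(r) for k, r in best.items()}   # rank 0 -> None
    return per_objective, RANK_LEVEL.get(max(best.values()))


def categorize_rows(rows):
    return categorize(parse_poster_row(r) for r in rows)


# --- Risk matrix from the poster (score = likelihood x impact) -----------------
RISK_BANDS = {3: ((1, 3), (4, 6), (7, 9)),        # 3x3: Low / Moderate / High
              5: ((1, 5), (6, 14), (15, 25))}     # 5x5: Low / Moderate / High


def risk_score(likelihood, impact, size=3):
    """Matrix cell value; likelihood and impact are scores 1..size."""
    if not (1 <= likelihood <= size and 1 <= impact <= size):
        raise ValueError(f"likelihood and impact must be within 1..{size}")
    return likelihood * impact


def risk_band(score, size=3):
    for label, (lo, hi) in zip(("Low", "Moderate", "High"), RISK_BANDS[size]):
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the {size}x{size} matrix")


def residual_risk(likelihood, impact, safeguarded_likelihood, threshold, size=3):
    """Inherent vs residual score after a safeguard lowers likelihood (impact unchanged);
    'accepted' is True when the residual score does not exceed the tolerance threshold."""
    inherent = risk_score(likelihood, impact, size)
    residual = risk_score(safeguarded_likelihood, impact, size)
    return {"inherent": inherent, "residual": residual,
            "band": risk_band(residual, size), "accepted": residual <= threshold}


# Constructed sample rows in the poster's layout (values mirror Appendix C/D entries).
SAMPLE_ROWS = [
    "Corrective Action Information Type L L L",
    "Central Property Management Information Type L (6) L L (7)",
    "Contingency Planning Information Type M M M",
    "User Fee Collection Information Type L L M",
    "Information Sharing Information Type N/A N/A N/A",
]

if __name__ == "__main__":
    print(categorize_rows(SAMPLE_ROWS))   # per-objective marks and overall MODERATE
    print(residual_risk(likelihood=3, impact=3, safeguarded_likelihood=1, threshold=3))
```

Two points the code makes explicit that the poster leaves implicit: a single information type with one HIGH objective (for example Space Operations, L H H) pulls the whole system to HIGH even when every other row is LOW, which is the reason footnotes 3, 10 and 11 warn that one type "may necessitate the highest confidentiality impact"; and a safeguard that only lowers likelihood leaves the impact score untouched, so a severe-impact asset stays on the threshold line and, as the poster's notes say, must keep being monitored for any increase in likelihood.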

Transcript of Job_Aid_Security_Poster, NIST_SP_800_60v2r1 Data Categorization, InfoSec_Fundamentals,...

Page 1: Job_Aid_Security_Poster, NIST_SP_800_60v2r1 Data Categorization, InfoSec_Fundamentals, Risk_Threat_Matrix, 20151112

Print Date: 11/12/2015http://www.linkedin.com/jderienzoPage 1 of 1

Apply security controls to improve the strength of security attributes inherent in information system components Information System Components

Computed High Water Mark for IS: Current = MODERATE; Proposed = MODERATE Enter<------- M M M M M M

Information Types C I A * C I A C I A

Appendix C: Management & Support Information & Information Systems Impact Levels *1 Confidentiality A system should ensure that only authorized users access information. X

Rationale and Factors for Services Delivery Support Information *2 Integrity A system should ensure completeness, accuracy and absence of unauthorized modifications in all its

components.X X X X X X

Controls and Oversight *3 Availability A system should ensure that all system’s components are available and operational when they are

required by authorized users.X X X X X X

Corrective Action Information Type L L L4 Accountability An ability of a system to hold users responsible for their actions (e.g. misuse of information). X

Program Evaluation Information Type L L L5 Auditability An ability of a system to conduct persistent, non-bypassable monitoring of all actions performed by

humans or machines within the system.X

Program Monitoring Information Type (3) L (3) L L6 Authenticity/

TrustworthinessAn ability of a system to verify identity and establish trust in a third party and in information it provides.

X X X X X X

Regulatory Development *7 Non-repudiation An ability of a system to prove (with legal validity) occurrence/non-occurrence of an event or

participation/non-participation of a party in an event.X X

Policy and Guidance Development Information Type L L L8 Privacy A system should obey privacy legislation and it should enable individuals to control, where feasible,

their personal information (user-involvement).X X

Public Comment Tracking Information Type L L L

Regulatory Creation Information Type L L L

Rule Publication Information Type L L L

Planning and Budgeting * Note: Continuously monitor assets with a catastrophic impact potential for any increase in likelihood.

Budget Formulation Information Type L L L

Capital Planning Information Type L L L

Enterprise Architecture Information Type L L L

Strategic Planning Information Type L L L Information System High Water Mark = MODERATE

Budget Execution Information Type L L L Information System High Water Mark = MODERATE

Workforce Planning Information Type L L L

Management Improvement Information Type L L L

Budget and Performance Integration Information Type L L L

Tax and Fiscal Policy Information Type L L L Note: Continuously monitor assets with a severe impact potential for any increase in likelihood.

Internal Risk Management and Mitigation *

Contingency Planning Information Type M M M M M M M M M

Continuity of Operations Information Type M M M

Service Recovery Information Type L L L

Revenue Collection *

Debt Collection Information Type M L L

User Fee Collection Information Type L L M

Federal Asset Sales Information Type L M L

Public Affairs *

Customer Services Information Type L L L

Official Information Dissemination Information Type L L L

Product Outreach Information Type L L L

Public Relations Information Type L L L

Legislative Relations *

Legislation Tracking Information Type L L L

Legislation Testimony Information Type L L L

Proposal Development Information Type M L L

Congressional Liaison Operations Information Type M L LGeneral Government *

Central Fiscal Operations Information Type (4) M L LLegislative Functions Information Type L L L Natural Resources * *Executive Functions Information Type (5) L L L Water Resource Management Information Type L L L L M LCentral Property Management Information Type L (6) L L (7) Conservation, Marine and Land Management Information Type L L L L L LCentral Personnel Management Information Type L L L Recreational Resource Management and Tourism Information Type L L L L L LTaxation Management Information Type M L L Agricultural Innovation and Services Information Type L L L L L LCentral Records and Statistics Management Information Type M L L Energy * *Income Information Information Type (8) M M M Energy Supply Information Type L(25) M(26) M(26) M M LPersonal Identity and Authentication Information Information Type (8) M M M Energy Conservation and Preparedness Information Type L L L L L LEntitlement Event Information Information Type (8) M M M Energy Resource Management Information Type M L L L L LRepresentative Payee Information Information Type (8) M M M Energy Production Information Type L L L *General Information Information Type (9) L L L Environmental Management * L L LNotification of Finding Report Information (General Information Information Type - [9]) L L L Environmental Monitoring and Forecasting Information Type L M L L L LMemoranda and Guidelines (General Information Information Type - [9]) L L L Environmental Remediation Information Type M L L L L LPresidential Directives & Executive Orders (General Information Information Type - [9]) L L L Pollution Prevention and Control Information Type L L L L L LOther Executive Office of the President Guidance (General Information Information Type - [9]) L L L Economic Development * *

Rationale and Factors for Government Resource Management Information * Business and Industry Development Information Type L L L L L LAdministrative Management * Intellectual Property Protection Information Type L L L L L L

Facilities, Fleet, and Equipment Management Information Type L (6) L (7) L (7) Financial Sector Oversight Information Type M L L L L LHelp Desk Services Information Type L L L Industry Sector Income Stabilization Information Type M L L M L LSecurity Management Information Type M M L Community and Social Services * *Travel Information Type L L L Homeownership Promotion Information Type L L L L L LWorkplace Policy Development and Management Information Type (Intra-Agency Only) L L L Community and Regional Development Information Type L L L L L L

Financial Management * Social Services Information Type L L L L L LAssets and Liability Management Information Type L L L Postal Services Information Type L M M *Reporting and Information Information Type L M L Transportation * L L LFunds Control Information Type M M L Ground Transportation Information Type L L L L L LAccounting Information Type L M L Water Transportation Information Type L L L L L LPayments Information Type L M L Air Transportation Information Type L L L L L LCollections and Receivables Information Type L M L Space Operations Information Type L H H *Cost Accounting/ Performance Measurement Information Type L M L Education * N/A N/A N/A

Appendix C (continued): Management & Support Information & Information Systems, provisional SP 800-60v2r1 impact values (C I A)

Human Resource Management
  HR Strategy Information Type: L L L
  Staff Acquisition Information Type: L L L
  Organization & Position Management Information Type: L L L
  Compensation Management Information Type: L L L
  Benefits Management Information Type: L L L
  Employee Performance Management Information Type: L L L
  Employee Relations Information Type: L L L
  Labor Relations Information Type: L L L
  Separation Management Information Type: L L L
  Human Resources Development Information Type: L L L

Supply Chain Management
  Goods Acquisition Information Type: L L L
  Inventory Control Information Type: L L L
  Logistics Management Information Type: L L L
  Services Acquisition Information Type: L L L

Information and Technology Management
  System Development Information Type: L M L
  Lifecycle/Change Management Information Type: L M L
  System Maintenance Information Type: L M L
  IT Infrastructure Maintenance Information Type (10): L L L
  Information Security Information Type: L M L
  Record Retention Information Type: L L L
  Information Management Information Type (11): L M L
  System and Network Monitoring Information Type: M M L
  Information Sharing Information Type: N/A N/A N/A

Appendix D: Impact Determination for Mission-Based Information & Information Systems, provisional SP 800-60v2r1 impact values (C I A)

Defense and National Security (N/S): N/S N/S N/S

Homeland Security
  Border and Transportation Security Information Type: M M M
  Key Asset and Critical Infrastructure Protection Information Type: H H H
  Catastrophic Defense Information Type: H H H
  Executive Functions of the Executive Office of the President (EOP) Information Type (23): H M H

Intelligence Operations (24): N/S N/S N/S

Disaster Management
  Disaster Monitoring and Prediction Information Type: L H H
  Disaster Preparedness and Planning Information Type: L L L
  Disaster Repair and Restoration Information Type: L L L
  Emergency Response Information Type: L H H

International Affairs and Commerce
  Foreign Affairs Information Type: H H M
  International Development and Humanitarian Aid Information Type: M L L
  Global Trade Information Type: H H H

Education
  Elementary, Secondary, and Vocational Education Information Type: L L L N/A N/A N/A
  Higher Education Information Type: L L L
  Cultural and Historic Preservation Information Type: L L L
  Cultural and Historic Exhibition Information Type: L L L

Workforce Management
  Training and Employment Information Type: L L L
  Labor Rights Management Information Type: L L L
  Worker Safety Information Type: L L L

Health
  Access to Care Information Type: L M L
  Population Health Management and Consumer Safety Information Type: L M L
  Health Care Administration Information Type: L M L
  Health Care Delivery Services Information Type: L H L
  Health Care Research and Practitioner Education Information Type: L M L

Income Security
  General Retirement and Disability Information Type: M M M
  Unemployment Compensation Information Type: L L L
  Housing Assistance Information Type: L L L
  Food and Nutrition Assistance Information Type: L L L
  Survivor Compensation Information Type: L L L

Law Enforcement
  Criminal Apprehension Information Type: L L M
  Criminal Investigation and Surveillance Information Type: M M M
  Citizen Protection Information Type: M M M
  Leadership Protection Information Type: M L L
  Property Protection Information Type: L L L
  Substance Control Information Type: M M M
  Crime Prevention Information Type: L L L
  Trade Law Enforcement Information Type (27): M M M

Litigation and Judicial Activities
  Judicial Hearings Information Type: M L L
  Legal Defense Information Type: M H L
  Legal Investigation Information Type: M M M
  Legal Prosecution and Litigation Information Type: L M L
  Resolution Facilitation Information Type: M L L

Federal Correctional Activities
  Criminal Incarceration Information Type: L M L
  Criminal Rehabilitation Information Type: L L L

General Sciences and Innovation
  Scientific and Technological Research and Innovation Information Type: L M L
  Space Exploration and Innovation Information Type: L M L

IMPACT ASSESSMENT (to Determine the Sensitivity Level of an Information System/Information Type)

Sensitivity Level of Information System (IS)/Information Type: the perceived impact from the loss of the three fundamental security attributes of information, namely Confidentiality, Integrity and Availability.

Assessment table columns (one row per Information Type): Data Filter Column; System Name; Security Attribute; Current FIPS 199 Impact Values; Proposed FIPS 199 Impact Values; Provisional SP 800-60v2r1 Impact Values.

Additional Appendix D information types shown on the poster (their impact values are not legible in this copy): Subsidies Information Type; Tax Credits Information Type; Credit and Insurance; Direct Loans Information Type; Loan Guarantees Information Type; General Insurance Information Type; Transfers to State/Local Governments; Formula Grants Information Type; Project/Competitive Grants Information Type; Earmarked Grants Information Type; State Loans Information Type; Direct Services for Citizens; Military Operations Information Type (28); Civilian Operations Information Type (28); Permits and Licensing Information Type; Public Goods Creation and Management; Manufacturing Information Type; Construction Information Type; Public Resources, Facility and Infrastructure Management Information Type; Information Infrastructure Management Information Type; Federal Financial Assistance; Federal Grants (Non-State) Information Type; Direct Transfers to Individuals Information Type; Knowledge Creation and Management; Research and Development Information Type; General Purpose Data and Statistics Information Type; Advising and Consulting Information Type; Knowledge Dissemination Information Type; Regulatory Compliance and Enforcement; Inspections and Auditing Information Type; Standards Setting/Reporting Guideline Development Information Type.

APPENDIX E: Legislative & Executive Sources Establishing Sensitivity/Criticality
  Legislative Mandates
  Executive Mandates
  Office of Management and Budget Memoranda and Guidelines
  Presidential Directives and Executive Orders
  Other EOP Guidance
  OMB and Case Law Interpretations

NIST FIPS 199, Table 1: Potential Impact (LOW, MODERATE, HIGH) per Security Objective
(The Current FIPS 199, Proposed FIPS 199 and Provisional Impact Values columns each take one of these three levels per security objective.)

Security Objective: Confidentiality
  Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Integrity
  Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Availability
  Ensuring timely and reliable access to and use of information.
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

3 x 3 Risk Matrix (RISK MATRIX SCORING RANGE = 1 to 9; risk score = likelihood x impact)

(THREAT) LIKELIHOOD      IMPACT (IF BREACH WERE TO OCCUR)
                         1 Limited   2 Serious   3 Severe
3 Almost Certain             3           6           9
2 Possible                   2           4           6
1 Rare                       1           2           3

LEGEND: Low Risk (1-3), Moderate Risk (4-6), High Risk (7-9). Max. Risk Tolerance = Risk Tolerance Threshold Line; Threshold Value: 1.

3x3 Risk Matrix Likelihood Definitions and Impact Descriptors
Score | Likelihood Definition | Probability | Impact Descriptor | Loss of Benefits
3 | Is highly likely to occur at some time in normal circumstances. | High, >80% | Severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. | Severe/Catastrophic: All potential benefits lost.
2 | Likely to occur at some time in normal circumstances. | Medium, 40-80% | Serious adverse effect on organizational operations, organizational assets, or individuals. | Serious: Loss of 33-66% of benefits.
1 | Is unlikely to occur in normal circumstances, but could occur at some time. | Low, <40% | Limited adverse effect on organizational operations, organizational assets, or individuals. | Limited: Loss of <33% of benefits.

5 x 5 Risk Matrix (scoring range 1 to 25; risk score = likelihood x impact)

(THREAT) LIKELIHOOD      IMPACT (IF BREACH WERE TO OCCUR)
                    1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
5 Almost Certain           5             10         15          20           25
4 Likely                   4              8         12          16           20
3 Possible                 3              6          9          12           15
2 Unlikely                 2              4          6           8           10
1 Rare                     1              2          3           4            5

LEGEND: Low Risk (1-5), Moderate Risk (6-14), High Risk (15-25). Max. Risk Tolerance = Risk Tolerance Threshold Line; Threshold Value: 20.
Convert 3x3 bands to 5x5 bands: Low Risk (1-3) to Low Risk (1-5); Moderate Risk (4-6) to Moderate Risk (6-14); High Risk (7-9) to High Risk (15-25).

5x5 Risk Matrix Likelihood Definitions and Impact Descriptors
Score | Likelihood Definition | Probability | Impact Descriptor | Loss of Benefits
5 | Is highly likely to occur at some time in normal circumstances. | Very High, >80% | Critical long term damage or harm to service users/public. Critical reputation impact. Intervention by other agencies. Huge financial impact. | Catastrophic: All potential benefits lost.
4 | Likely to occur at some time in normal circumstances. | High, 60-80% | Major damage or harm to service users/public. High reputation impact (national press and TV coverage). Minor regulatory enforcement. Major financial impact. | Critical: Loss of 80-100% of benefits.
3 | Likely to occur in some circumstances or at some time. | Medium, 40-60% | Noticeable damage or harm to service users/public. Extensive reputation impact due to press coverage. External criticism likely. High financial impact. | Significant: Loss of 50-80% of benefits.
2 | Is unlikely to occur in normal circumstances, but could occur at some time. | Low, 20-40% | Minor damage or harm to service users/public. Minor reputation impact. Moderate financial loss. | Marginal: Loss of 25-50% of benefits.
1 | May only occur in exceptional circumstances; highly unlikely. | Very Low, <20% | Insignificant damage or harm to service users/public. Little or no loss of front line service. No reputation impact. | Negligible: Loss of <25% of benefits.

Information System Components table (top of the poster) columns: #; Security Attribute; Definition; Information (Data); People; Processes; Hardware; Software; Network (Communications).

INFORMATION SECURITY FUNDAMENTALS

The goal of Information Security is to protect and defend valuable information assets from motivated threat actors or agents, where the source of an attack can be internal or external, intentional or unintentional, environmental or man-made. Information Assurance (IA) Professionals recommend security controls to safeguard information system components (Information, People, Processes, Hardware, Software, Network) from harm, loss, misconfiguration, misuse or exploitation. An IA Professional determines the Sensitivity Level of an information system by assigning an impact level of LOW, MODERATE or HIGH to each of the three security attributes associated with "Information" (the red X's in the table above) stored or processed on the information system. NIST SP 800-60 V2R1 Appendices C, D and E divide Information into Information Types, and the process for determining the sensitivity level is repeated for each Information Type. An IA Professional then determines the minimum set of baseline security controls using the high water mark method, that is, from the highest sensitivity level across all information types stored or processed on the information system. For example, if the impact value associated with the confidentiality security attribute of any information type is HIGH, then the IA Professional selects the HIGH set of minimum baseline controls from the NIST SP 800-53 Revision 4 Security Control Catalog. The "Data" information system component aligns with a broader set of security attributes as well, including Authenticity/Trustworthiness, Non-repudiation and Privacy (see the table above). For instance, systems that store Personally Identifiable Information (PII) must contain security controls that protect against the loss of PII; NIST SP 800-53 Rev. 4 Appendix J contains a set of Privacy security controls.
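The high water mark method described in the fundamentals text, as an added example that is not part of the poster: the provisional values are copied from the Appendix C/D tables above, the sample systems are constructed, and N/A (objective not applicable) and N/S (national security, out of scope) are handled as SP 800-60 treats them.

```python
from typing import Dict, Iterable, Tuple

# FIPS 199 impact levels as an ordinal scale. "N/A" (the type does not
# contribute to that objective) is skipped; "N/S" (national security) is
# outside the scope of SP 800-60 and is rejected.
LEVEL = {"L": 0, "M": 1, "H": 2}
NAME = ["LOW", "MODERATE", "HIGH"]

# Provisional SP 800-60v2r1 values (C, I, A) copied from the poster tables
# above for the information types used in the constructed sample system.
PROVISIONAL: Dict[str, Tuple[str, str, str]] = {
    "Access to Care": ("L", "M", "L"),
    "Health Care Delivery Services": ("L", "H", "L"),
    "Information Security": ("L", "M", "L"),
    "Information Sharing": ("N/A", "N/A", "N/A"),
    "Disaster Monitoring and Prediction": ("L", "H", "H"),
    "Intelligence Operations": ("N/S", "N/S", "N/S"),
}


def high_water_mark(info_types: Iterable[str],
                    table: Dict[str, Tuple[str, str, str]] = PROVISIONAL
                    ) -> Tuple[str, str, str, str]:
    """Return (C, I, A, overall) for a system that stores or processes the
    given information types: per objective, the highest level of any type;
    overall, the highest of the three, which selects the SP 800-53 baseline."""
    marks = [-1, -1, -1]
    for name in info_types:
        for idx, value in enumerate(table[name]):
            if value == "N/S":
                raise ValueError(f"{name}: national security information is "
                                 "outside the scope of SP 800-60")
            if value == "N/A":
                continue
            marks[idx] = max(marks[idx], LEVEL[value])
    if min(marks) < 0:
        raise ValueError("no applicable impact value for some objective")
    c, i, a = (NAME[m] for m in marks)
    return c, i, a, NAME[max(marks)]


def categorization(info_types: Iterable[str]) -> str:
    """Format the result in FIPS 199 security-category notation."""
    c, i, a, _ = high_water_mark(info_types)
    return (f"SC = {{(confidentiality, {c}), (integrity, {i}), "
            f"(availability, {a})}}")


if __name__ == "__main__":
    clinic = ["Access to Care", "Health Care Delivery Services",
              "Information Sharing"]  # constructed sample system
    print(categorization(clinic), "->", high_water_mark(clinic)[3], "baseline")
```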

Instructions: Decrease INHERENT RISK by applying SAFEGUARDS to minimize the LIKELIHOOD that a THREAT will compromise a VULNERABILITY in an information system, security policy, or internal control, so that the RESIDUAL RISK falls below the Risk Tolerance Threshold Line. Examples of mitigating controls or COUNTERMEASURES include: 1) the Top 20 Critical Security Controls; 2) NIST SP 800-53 Revision 4 Security Controls; 3) tailoring NIST SP 800-53 Revision 4 Security Controls by applying Security Control Enhancements and hardening organizationally-defined values and selections; 5) increasing the Maximum Risk Tolerance Threshold value.
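The risk scoring behind the two matrices and the instructions above, as an added example that is not part of the poster: the scales and risk bands are the ones printed on the poster, and a safeguard is modelled as a reduction in likelihood steps so the residual score can be compared with a threshold value (the thresholds used in the calls are constructed).

```python
from typing import Dict, List, Tuple

# Likelihood and impact scales, and risk bands, as printed on the poster's
# two matrices. Risk score = likelihood x impact.
MATRICES: Dict[str, dict] = {
    "3x3": {
        "likelihood": {1: "Rare", 2: "Possible", 3: "Almost Certain"},
        "impact": {1: "Limited", 2: "Serious", 3: "Severe"},
        "bands": [(1, 3, "Low Risk"), (4, 6, "Moderate Risk"), (7, 9, "High Risk")],
    },
    "5x5": {
        "likelihood": {1: "Rare", 2: "Unlikely", 3: "Possible",
                       4: "Likely", 5: "Almost Certain"},
        "impact": {1: "Insignificant", 2: "Minor", 3: "Moderate",
                   4: "Major", 5: "Catastrophic"},
        "bands": [(1, 5, "Low Risk"), (6, 14, "Moderate Risk"),
                  (15, 25, "High Risk")],
    },
}

def score(matrix: str, likelihood: int, impact: int) -> int:
    m = MATRICES[matrix]
    if likelihood not in m["likelihood"] or impact not in m["impact"]:
        raise ValueError("likelihood/impact outside the matrix scale")
    return likelihood * impact

def band(matrix: str, risk: int) -> str:
    for low, high, name in MATRICES[matrix]["bands"]:
        if low <= risk <= high:
            return name
    raise ValueError(f"score {risk} outside the {matrix} scoring range")

def grid(matrix: str) -> List[List[int]]:
    """Cells row by row, highest likelihood first, as drawn on the poster."""
    m = MATRICES[matrix]
    return [[score(matrix, lk, im) for im in sorted(m["impact"])]
            for lk in sorted(m["likelihood"], reverse=True)]

def residual_risk(matrix: str, likelihood: int, impact: int, threshold: int,
                  likelihood_reduction: int) -> Tuple[int, int, bool]:
    """Model a safeguard as a drop of `likelihood_reduction` steps (impact is
    unchanged, as the instructions reduce likelihood). Return (inherent,
    residual, residual is below the risk tolerance threshold line)."""
    inherent = score(matrix, likelihood, impact)
    reduced = max(1, likelihood - likelihood_reduction)
    residual = score(matrix, reduced, impact)
    return inherent, residual, residual < threshold
```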

Notes (numbers refer to the bracketed superscripts in the tables above):
3 The confidentiality impact assigned to the Program Monitoring Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
4 Tax-related functions are associated with the Taxation Management information type.
5 The OMB Business Reference Model “Executive Function” has been expanded to include general agency executive functions as well as Executive Office of the President (EOP) functions. Strictly EOP executive functions are treated in Appendix D, Examples of Impact Determination for Mission-Based Information and Information Systems.
6 High where safety of major critical infrastructure components or key national assets is at stake.
7 Moderate or High in emergency situations where time-critical processes affecting human safety or major assets are involved.
8 The identified information types are not a derivative of OMB’s Business Reference Model and were added to address privacy information.
9 The OMB Business Reference Model does not include a General Information information type. This information type was added as a catch-all information type. As such, agencies may use it to identify additional information types not defined in the BRM and assign impact levels.
10 The confidentiality impact assigned to the IT Infrastructure Maintenance Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
11 The confidentiality impact assigned to the Information Management Information Type may necessitate the highest confidentiality impact of the information types processed by the system.
20 Impact level is usually moderate to high in emergency situations where time-critical processes affecting human safety or major assets are involved.
21 A loss of confidentiality that causes a significant degradation in mission capability, places the agency at a significant disadvantage, or results in major damage to assets, requiring extensive corrective actions or repairs.
23 The identified information types are not a derivative of OMB’s Business Reference Model and were added to address functions of the Executive Office of the President (EOP).
24 Where foreign intelligence information is involved, the information and information systems are categorized as national security information or systems and are outside the scope of this guideline.
25 High where the safety of radioactive materials, highly flammable fuels, or transmission channels or control processes is at risk.
26 Usually Moderate or High where mission-critical procedures are involved.
27 The identified information types are not a derivative of OMB’s Business Reference Model and were added to address trade law enforcement.
28 As a mode of delivery of mission-based services, the security categorization of the Direct Services for Citizens sub-functions Military Operations and Civilian Operations depends on the mission services delivered to citizens (e.g., Health Care, Emergency Response, Environmental Remediation) and should be categorized in accordance with the mission-based information type.