Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize

Upload: donald-e-hester

Post on 09-Feb-2017


TRANSCRIPT

  • 2016 Maze & Associates, Revision 10 (April 2016)

    Images from Microsoft Clipart unless otherwise noted; other sources: NIST and Donald E. Hester

    Picture: Muir Beach, North of San Francisco, CA; Photo by Donald E. Hester, all rights reserved

  • Categorize

    Select

    Implement

    Assess

    Authorize

    Monitor

  • System Categorization and Definition

    Assessing Data Sensitivity and Criticality

    Picture: Route 66, AZ; Photo by Donald E. Hester, all rights reserved

  • RMF Step 1 (of the six steps: Categorize, Select, Implement, Assess, Authorize, Monitor)

    Step 1 tasks:
      Security Categorization
      Information System Description
      Information System Registration

  • RMF Step 1: Security Categorization

    Categorize the information system and document the results of the security categorization in the security plan
      This guides the selection of controls
      May influence the determination of system boundaries
    Determine potential adverse impacts to:
      Organizational operations
      Organizational assets
      Individuals
      Other organizations
      The Nation

    NIST SP 800-37 Rev 1; FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-59, 800-60; CNSS Instruction 1253.

  • ConOps

    Concept of Operations. Describes:
      The system in detail
      Intent
      Function
      How the system supports the mission and objectives
    Will be documented and consistent with the System Security Plan (SSP)
      General Description/Purpose section of the SSP
    System Identification Profile (SIP): system characteristics required to register an information system with the governing DoD Component IA program

    The Concept of Operations (ConOps) is a user-oriented document that describes the characteristics for a proposed automated system or an information technology (IT) situation from the viewpoint of any individual or organization who will use the proposed automated system or situation in their daily work activities or who will operate or interact directly with the automated system or situation. Source: http://www3.cms.gov/SystemLifecycleFramework/Downloads/ConOps.pdf

  • Key Terms

    Information System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
    Federal Information System: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
    National Security System:
      A system that is classified in the interest of national defense or foreign policy
      A system that is used for intelligence activities
      A system that is used for command and control of military forces

    40 U.S.C., Sec. 11331; OMB Circular A-130 Appendix III; 44 USC Sec. 3502

  • Key Terms

    Application: Information resources used to satisfy a specific set of user requirements
    Major Application: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access or modification of the information in the application
    Minor Application: Requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access or modification of the information in the application, and is generally a part of the GSS

    40 U.S.C., Sec. 11331; OMB Circular A-130 Appendix III; 44 USC Sec. 3502; NIST SP 800-37

  • Key Terms

    Subsystem: A major subdivision or component of an information system consisting of information, information technology, and personnel that perform one or more specific functions
    General Support System: An interconnected set of information resources under the same direct management control that shares common functionality
      Normally includes hardware, software, information, data, applications, communications and people

    40 U.S.C., Sec. 11331; OMB Circular A-130 Appendix III; 44 USC Sec. 3502; NIST SP 800-18 Rev 1

  • Security Categorization

    Picture: Ferry in San Diego Bay, CA; Photo by Donald E. Hester, all rights reserved
    Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 2

  • Sensitivity and Criticality

    Criticality: A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

    Sensitivity: Used in this guideline to mean a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.

    - NIST SP 800-60

    Some use the terms interchangeably
    Some use the terms as follows:
      Sensitivity of the data
      Criticality of the system

  • Four-step Security Categorization Process

    NIST SP 800-60 Vol. I Rev. 1

  • Defining Security Categorization

    The data is what dictates the sensitivity of the system
      Not the value of the hardware
      Not the value of the software
    Based on the following factors:
      Confidentiality
      Availability
      Integrity
    Not all data needs the same level of protection
    Different requirements based on factors:
      National defense: confidentiality
      Life safety: availability
      Financial: integrity

  • Data Sensitivity and System Sensitivity

    Sensitivity of the system is dictated by the data sensitivity:
      Data that is stored
      Data that is processed
      Data that is transmitted
    Most systems have data at multiple levels
    Document all data types
    The categorization is the worst case scenario (impact)

  • Data Sensitivity and System Sensitivity (continued)

    Confidentiality: risk of disclosure
      National defense data
      Privacy data
    Integrity: intentional or unintentional modification or alteration
      Financial data
    Availability: risk of destruction or denial of use
      Life safety data

    NIACAP uses 5 goals for security: availability, integrity, authentication, confidentiality and nonrepudiation

    Confidentiality: The property that data or information is not made available or disclosed to unauthorized persons or processes.
    Integrity: The property that data or information have not been altered or destroyed in an unauthorized manner.
    Availability: The property that data or information is accessible and usable upon demand by an authorized person.
    [45 C.F.R. Sec. 164.304]

    CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information.
    INTEGRITY: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information.
    AVAILABILITY: Ensuring timely and reliable access to and use of information [44 U.S.C., Sec. 3542]. A loss of availability is the disruption of access to or use of information or an information system.
    Source: FIPS 199

  • Data Classification Approaches

    FIPS 199
      Based on potential impact on organizations or individuals
      Confidentiality, Integrity, and Availability
      Low, Moderate or High
    DIACAP
      Mission Assurance Categories (MAC) and Confidentiality Levels (CL)
    Another example
      Public: available to the masses
      Internal Use: available within the organization
      Restricted: information that needs to be safeguarded

    According to Department of Defense Directive 8500.01e, Information Assurance (IA), the mission assurance category (MAC) reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission.

    According to Department of Defense Instruction (DoDI) 8500.2, Information Assurance (IA) Implementation, the confidentiality level is primarily used to establish acceptable access factors, such as requirements for individual security clearances or background investigations, access approvals, and need-to-know determinations; interconnection controls and approvals; and acceptable methods by which users may access the system (e.g., intranet, Internet, wireless).

    Source: www.disa.mil

  • FIPS 199

    Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 2 Table 2.2

  • DoD Categorization

    (Figure labels: MAC covers availability and integrity; CL covers confidentiality)

    Mission Assurance Category (MAC): The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity.
    Confidentiality Level (CL): The other major component in forming the baseline set of IA controls for every information system is determined by selecting the appropriate confidentiality level based on the sensitivity of the information associated with the information system.

    Source: https://www.mpm.osd.mil/documents/OUID051606_IACategory.pdf

  • Mission Assurance Category (MAC)

    Source: https://www.mpm.osd.mil/documents/OUID051606_IACategory.pdf

  • Confidentiality Level (CL)

    Source: https://www.mpm.osd.mil/documents/OUID051606_IACategory.pdf

  • Responsibility for Data Sensitivity Assessment

    Information System Owners often make the decision
    Must rely on the judgment of the Data or Information Owner
    Close coordination between parties
    Ensure proper safeguards (controls, countermeasures)
    Remember that the Data or Information Owner has statutory responsibility for the data

  • Ranking Data Sensitivity

    Need to determine levels of sensitivity for each factor and document it
    NIST example: Low, Moderate, High
    Another example: Green, Yellow, Red

  • Criticality

    Criticality is not the same as sensitivity
    Used to determine the controls, like sensitivity
    Criticality is based on the whole system
      Importance of the system to the organization
      Often based on the amount of time an organization can withstand
    Not solely based on availability

  • Criticality Assessment

    How important is the system to the organization?
    How would it affect the ability of the organization to complete its mission?
    Mission Critical:
      National security system
      Interest of national defense or foreign policy
      Debilitating impact to the mission of the organization
    Non-Mission Critical:
      Does not meet the above 3 criteria
      May impact efficiency
      Can be done manually

  • National Security Systems

    National Security Systems must use NIACAP standards
    The Committee on National Security Systems (CNSS) is responsible for those standards
    A number of requirements are found under Policy, Directives, Instructions, Advisory Memoranda and TSG Standards
    A process to more closely align/integrate NIACAP with the NIST RMF is ongoing
    CNSSI 1253 uses NIST SP 800-53 Rev3 controls with additional guidance (such as required organization-defined parameters)
    http://www.cnss.gov

  • Criticality in the View of the System Owner

    System owners may overrate their systems
    Every system is not high criticality or mission critical
    It is a matter of perspective
    Must be balanced

  • Ranking Criticality

    What would be the financial impact to the organization? Generally a dollar amount
    What would be the effect on the operational effectiveness of the organization?
    Is there a life safety impact of the system?
    What is the effect based upon the breadth/scope of the system? Based on the fact that it is used widely in the organization
    Rank:
      High, moderate, low
      Critical, noncritical

  • NIST SP 800-60

    Example from NIST SP 800-60 (table columns: Data Type | Data Description | Data Sensitivity)

  • Data Explanation (NIST SP 800-60)

  • Document All Data Forms

    Data Type                             Confidentiality  Integrity  Availability
    Personal Identity and Authentication  Moderate         Moderate   Moderate
    Help Desk Services                    Low              Low        Low
    Budget & Finance                      Moderate         Moderate   Low
    Accounting                            Low              Moderate   Low
    Space Operations                      Low              High       High

    Also see: Official (ISC)2 Guide to CAP CBK Second Edition, Chapter 2 Table 2.3 pg 124

  • Changes in Criticality and Sensitivity

    Systems are not static; systems are dynamic
    A change in the system may change criticality
    A change in the data that is processed, stored or transmitted on the system
    Review regularly, at least annually
    Review triggered when inventory changes
    Review triggered by change management
    If criticality changes, your controls will need to be reevaluated
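    The two preceding slides together describe one computation: the system's security category is the worst case (high-water mark) over every documented data type, and when a data type is added after authorization the category has to be recomputed and any movement flagged for control re-evaluation. The script below is an added example, not part of the slides. It takes the five data types and impact levels from the "Document All Data Forms" table above; the "Contract Pricing" data type added at the end is constructed to show the re-categorization path, and the function and variable names are this example's own.

```python
"""FIPS 199 security categorization using the high-water mark, and re-categorization
when a new data type shows up on a system that has already been authorized.

Added example, not part of the slides. The five data types and their impact levels
are the ones tabulated on the 'Document All Data Forms' slide (NIST SP 800-60
example); the 'Contract Pricing' data type added at the end is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

LEVELS = ("Low", "Moderate", "High")          # FIPS 199 impact levels, lowest first
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class DataType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def high_water_mark(levels: Iterable[str]) -> str:
    """Worst case across the given impact levels: the FIPS 199 high-water mark."""
    levels = list(levels)
    if not levels:
        raise ValueError("no data types documented; categorization needs at least one")
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r}")
    return max(levels, key=LEVELS.index)


def categorize(data_types: List[DataType]) -> Dict[str, str]:
    """Security category of the system per objective: the worst case over every
    data type stored, processed or transmitted by the system."""
    return {obj: high_water_mark(dt.level(obj) for dt in data_types) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """Single impact level used to pick the SP 800-53 baseline (high-water mark again)."""
    return high_water_mark(category.values())


def format_sc(category: Dict[str, str]) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


def recategorize(data_types: List[DataType], new_data_type: DataType
                 ) -> Tuple[Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Re-run categorization after a data type is added. Returns the new category
    and, for each objective whose level moved, the (old, new) pair; any entry there
    means the control baseline must be re-evaluated."""
    before = categorize(data_types)
    after = categorize(list(data_types) + [new_data_type])
    changed = {o: (before[o], after[o]) for o in OBJECTIVES if before[o] != after[o]}
    return after, changed


# Data types from the slide table (NIST SP 800-60 example)
SLIDE_DATA_TYPES = [
    DataType("Personal Identity and Authentication", "Moderate", "Moderate", "Moderate"),
    DataType("Help Desk Services", "Low", "Low", "Low"),
    DataType("Budget & Finance", "Moderate", "Moderate", "Low"),
    DataType("Accounting", "Low", "Moderate", "Low"),
    DataType("Space Operations", "Low", "High", "High"),
]

if __name__ == "__main__":
    cat = categorize(SLIDE_DATA_TYPES)
    print(format_sc(cat), "-> overall", overall_impact(cat))
    # Constructed: a data type nobody documented is found after authorization
    new_dt = DataType("Contract Pricing (constructed)", "High", "Moderate", "Low")
    after, changed = recategorize(SLIDE_DATA_TYPES, new_dt)
    print(format_sc(after), "changed:", changed)
```

    On the slide's table the result is confidentiality Moderate, integrity High, availability High, so the system is a High-impact system even though no single data type is High in every objective; that is the point of documenting every data form. Adding the constructed High-confidentiality data type moves confidentiality from Moderate to High, which is exactly the situation in the later class discussion where a new data type changes the system's category after authorization.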

  • SSI

    Sensitive Security Information: Information obtained or developed in the conduct of security activities, the disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the organizational mission

    Falls under Controlled Unclassified Information

  • Privacy Impact Assessment

    The loss of certain information, such as a person's social security number, has an impact on individuals
    The E-Government Act of 2002 mandates an assessment of the privacy impact of any substantially revised or new Information Technology System. The document that results from these mandated assessments is called a Privacy Impact Assessment (PIA)
    The PIA should be done before the information is put into the system or before collecting the information

    Source: www.DHS.gov; OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

  • Requirements for Agencies

    Conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available
    Post privacy policies on agency websites used by the public
    Translate privacy policies into a standardized machine-readable format
    Report annually to OMB on compliance with section 208 of the E-Government Act of 2002
    Train employees on handling privacy-related information

  • Information in Identifiable Form

    Information in an IT system or online collection: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors)
    Sometimes referred to as PII or Personally Identifiable Information

    Sources: OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002; GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf; NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

  • Health Related Information

    Individually Identifiable Health Information (IIHI)
    Protected Health Information (PHI)
    Electronic Protected Health Information (EPHI)
    The HIPAA Security Rule specifically focuses on the safeguarding of EPHI
      Health Insurance Portability and Accountability Act
      HIPAA Security Rule (Public Law 104-191)
    NIST SP 800-66 Rev 1 provides organizations with guidance on implementing the HIPAA Security Rule

    NIST SP 800-66 Rev 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule; http://www.cms.gov/HIPAAGenInfo/

    Individually Identifiable Health Information (IIHI): Information that is a subset of health information, including demographic information collected from an individual, and:
      (1) Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse; and
      (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual; and
        (i) That identifies the individual; or
        (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

    Protected Health Information (PHI): Individually identifiable health information:
      (1) Except as provided in paragraph (2) of this definition, that is:
        (i) Transmitted by electronic media;
        (ii) Maintained in electronic media; or
        (iii) Transmitted or maintained in any other form or medium.
      (2) Protected health information excludes individually identifiable health information in:
        (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
        (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
        (iii) Employment records held by a covered entity in its role as employer.

    Electronic Protected Health Information (electronic PHI, or EPHI): Information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information. [45 C.F.R. Sec. 160.103]

  • Individually Identifiable Health Information

    (IIHI definition as given on the preceding slide)

    Source: 45 C.F.R. Sec. 160.103

  • DOJ Data

    Criminal Justice Information (CJI): Criminal Justice Information is the abstract term used to refer to all of the FBI CJIS provided data necessary for law enforcement agencies to perform their mission and enforce the laws, including but not limited to: biometric, identity history, person, organization, property, and case/incident history data. In addition, CJI refers to the FBI CJIS-provided data necessary for civil agencies to perform their mission; including, but not limited to data used to make hiring decisions.

    Criminal Justice Information Services (CJIS) Security Policy, version 5.1, pg A-3

  • DOJ Data

    Criminal History Record Information (CHRI): Criminal History Record Information is a subset of CJI and is defined by Title 28, Part 20, Code of Federal Regulations (CFR). Criminal History Record Information means information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, informations, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release. The term does not include identification information such as fingerprint records if such information does not indicate the individual's involvement with the criminal justice system.

    US Government Printing Office: http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=83e0442d28c95ca4b3ed4a5f32907b84&rgn=div8&view=text&node=28:1.0.1.1.21.1.4.3&idno=28

  • Summary

    Criticality of the system
    Sensitivity of the data
    Both based on the importance to the organization
    The criticality of the system and the sensitivity of the data help us determine what controls will be used
    Defines requirements

  • Class Discussion: Sensitivity & Criticality

    After a system has completed authorization, it is found that a new data type has been added to the system. The sensitivity of the new data type has now changed the criticality of the system. How would you solve this problem so that it does not happen again?
    Why expend different levels of effort in protecting systems? Why not treat all systems the same?
    You need to determine the criticality of a new system. Who would you meet with to determine the criticality of the system?

  • System Inventory Process

    Picture: Golden Gate Bridge, San Francisco, CA; Photo by Donald E. Hester, all rights reserved

    NIST SP 800-37 Rev 1, 2.3
    Read: Official (ISC)2 Guide to CAP CBK Second Edition Chapter 1 pg 90-105

  • RMF Step 1: Information System Description

    Describe the information system and document the description in the security plan
    Document in the system identification portion of the system security plan
    Level of detail should be commensurate with the categorization of the system
    Include purpose, function and capabilities
    Include system boundary and subsystem boundaries
    Include information or data flow paths
    Software, hardware, network, etc.

  • Information Systems Boundaries

    One of the most challenging problems for the RMF process is identifying appropriate boundaries for information systems
    The purpose of authorization boundaries (accreditation boundaries) is to establish the scope of protection for organizational information systems
      In scope of responsibilities
      Protect under direct management control
    Organizations have flexibility in determining what constitutes an information system
      Generally under the same direct management control
    Start with an inventory of information technology

  • Inventory Project Work Plan

    1. Identify General Support Systems and Applications
       Identify Business Functions
       Identify automated information resources & categorize as GSS or application

    2. Classify GSS and applications
       Determine information sensitivity
       Determine mission criticality

    3. Determine what applications qualify as major applications
       Determine major applications' support systems
       Non-major applications become part of the GSS

    4. Submit to CIO for review
       Business unit executive review
       Publish inventory
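    The four-step work plan above is a classification procedure, so here is an added example (not from the slides or from Maze & Associates) that walks an inventory through steps 1 to 4: resources come in tagged as GSS or application with their FIPS 199 impact levels and mission criticality, the script decides which applications are major, folds the non-major ones under their supporting GSS, and produces the summary the CIO and business unit executives would review. The inventory records are constructed, and the rule used to call an application "major" (any impact level at Moderate or above, or a mission-critical function) is this example's assumption, since the slides give the OMB A-130 definition but not a threshold.

```python
"""Inventory work plan for RMF Step 1: identify information resources, classify each
as a GSS or an application, decide which applications are major, and account for the
non-major ones under the GSS that supports them.

Added example, not part of the slides. The inventory records are constructed.
The 'major application' rule (any FIPS 199 impact level at Moderate or above, or a
mission-critical business function) is an assumption made here to turn the OMB A-130
definition into something a script can evaluate; an agency would set its own rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LEVELS = ("Low", "Moderate", "High")


@dataclass
class Resource:
    name: str
    kind: str                     # "GSS" or "application"
    business_function: str
    owner: str
    impact: Dict[str, str]        # FIPS 199 levels keyed by confidentiality/integrity/availability
    mission_critical: bool
    supported_by: Optional[str] = None   # name of the GSS an application runs on


def is_major_application(r: Resource) -> bool:
    """Assumed rule: an application needs special attention to security (major) when
    any impact level is Moderate or higher, or it supports a mission-critical function."""
    if r.kind != "application":
        return False
    worst = max(r.impact.values(), key=LEVELS.index)
    return LEVELS.index(worst) >= LEVELS.index("Moderate") or r.mission_critical


def build_inventory(resources: List[Resource]) -> Dict[str, object]:
    """Work plan step 3: major applications stand on their own; non-major applications
    are addressed under their supporting GSS. A minor application whose GSS is not in
    the inventory is reported as unassigned, since nothing would cover its controls."""
    gss: Dict[str, List[str]] = {r.name: [] for r in resources if r.kind == "GSS"}
    major: List[str] = []
    unassigned: List[str] = []
    for r in resources:
        if r.kind != "application":
            continue
        if is_major_application(r):
            major.append(r.name)
        elif r.supported_by in gss:
            gss[r.supported_by].append(r.name)
        else:
            unassigned.append(r.name)
    return {"gss": gss, "major_applications": major, "unassigned": unassigned}


def review_package(inventory: Dict[str, object]) -> List[str]:
    """Work plan step 4: the summary lines the CIO and business unit executives review
    before the inventory is published."""
    lines = []
    for name, apps in inventory["gss"].items():
        lines.append(f"GSS {name}: {len(apps)} minor application(s) addressed under it")
    for name in inventory["major_applications"]:
        lines.append(f"Major application {name}: own security plan and authorization")
    for name in inventory["unassigned"]:
        lines.append(f"UNASSIGNED {name}: no supporting GSS recorded, resolve before publishing")
    return lines


def _impact(c: str, i: str, a: str) -> Dict[str, str]:
    return {"confidentiality": c, "integrity": i, "availability": a}


# Constructed inventory: one GSS and four applications of differing weight
INVENTORY = [
    Resource("Campus Network", "GSS", "Infrastructure", "IT Operations",
             _impact("Low", "Moderate", "Moderate"), False),
    Resource("Payroll", "application", "Finance", "Finance Director",
             _impact("Moderate", "Moderate", "Low"), False, "Campus Network"),
    Resource("Cafeteria Menu Spreadsheet", "application", "Facilities", "Facilities Manager",
             _impact("Low", "Low", "Low"), False, "Campus Network"),
    Resource("Dispatch Console", "application", "Public Safety", "Police Chief",
             _impact("Low", "Low", "Low"), True, "Campus Network"),
    Resource("Volunteer Roster", "application", "Human Resources", "HR Director",
             _impact("Low", "Low", "Low"), False, None),
]

if __name__ == "__main__":
    for line in review_package(build_inventory(INVENTORY)):
        print(line)
```

    Two things the run makes visible that the bullet list does not: the Dispatch Console is all-Low on sensitivity yet becomes a major application because criticality is assessed on the whole system and not only on the data, matching the "Criticality" slides; and the Volunteer Roster shows why the inventory must be validated before publication, because a minor application with no recorded GSS has no security plan covering it at all.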

  • Responsibility

    Inventory roles should be defined in writing
    System Owners are the primary contact of the inventory process
    CISO is the owner of the inventory process
    Need to appoint an ISSO for each system
    Information technology security manager: actual count
    Inventory is a function of the security process
    It is also an accounting process

  • System Identification

    The term information system means a discrete set of information resources organized for the collection, processing, maintenance, transmission and dissemination of information in accordance with defined procedures, whether automated or manual. OMB Circular A-130

    System owner is the primary role for the initial system identification
    Assisted by others, such as the CIO and CISO

    A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. CNSS Instruction No. 4009

  • General Support System v. Major Application

    General Support System: An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people. OMB Circular A-130

    Major Application: An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. OMB Circular A-130

  • Inventory Information

    Capture only the needed information
    If you don't need it for the RMF program, don't collect it
    The additional information may be needed for a different purpose
    May already exist, for maintenance purposes
    You just need to know the name of the system, what it is doing to what type of data, what applications are involved
    Typically 3 or 4 sentences

  • Inventory Tools

    Inventory Form
    Inventory Change Form
    Summary reports
    Generally this is best done with a database or website

  • Using the Inventory

    Funding may be tied to the inventory
    Disputes and disagreements will naturally arise
    The CISO should handle these disagreements
    Inventory can be used to solve these issues

  • Small Systems

    Generally are supported by the GSS
    For example: databases, spreadsheets, etc.
    Technical security controls usually not a part of the small system
      Unlike major applications that have security controls designed in
    Normally addressed under the GSS system

  • Large Systems

    Difficult to define because they are large and complex
    May contain subsystems
    May contain multiple processes
    May have different managers for different parts
    For example: ERP system
    May be best to manage subsystems

  • The Process

    Inventory
      GSS
      Major Applications
    Identify business function
    Identify supporting information technology
    Categorize into types of systems
    Classified by need for protection:
      Disclosure
      Modification
      Destruction
      Denial

  • Authorization / Accreditation Boundaries

    Everything (system, application, hardware) must be in the RMF program
    The idea of a system boundary is to establish responsibility
    Where to draw the line:
      Business process
      Security perimeter
      Ownership
    Make the boundaries as small as you can with sensitive systems
    Flexibility is required

  • System of Systems

    (Figure, after NIST SP 800-100: System 1 containing Subsystem A, Subsystem B and Subsystem C)

    It is also possible for multiple information systems to be considered as independent subsystems. A subsystem is a major subdivision of an information system consisting of information, information technology, and personnel that perform one or more specific functions. - NIST SP 800-37 Rev 1

    While subsystems within complex information systems may exist as complete systems, the subsystems are, in most cases, not treated as independent entities because they are typically interdependent and interconnected. - NIST SP 800-37 Rev 1

  • Subsystem can be labeled Component or Element

  • Combining Systems

    A possible way to streamline the RMF process
    Group similar systems together (support the same mission, business or function)
    You can only group them if they will have the same owner
    Also need to be in the same operating environment
    Must be protected within a common security perimeter
    Even if all the systems are in the same datacenter, that does not mean they will be in the same system

  • Dynamic Subsystems

    A subsystem that is not present at all stages of the life cycle
    Come and go as needed
    Generally do not impact the external boundary of an information system
    Controls are typically set up for such systems
    It will impact the subsystems that exist within the boundary at any given point
    May or may not be under direct control of the organization
    They can be dynamically added and removed from the system as long as they conform to the identified constraints and assumptions documented in the system security plan
    During the continuous monitoring phase dynamic subsystems should be assessed to ensure they conform

  • External Subsystems

    Examples: Cloud Computing, SaaS, service oriented architectures (SOA)
    Outside of the direct control of the organization
    Must follow the same security requirements
    To complicate the use of subsystems:
      How will you verify the security stance of the 3rd party?
      How will you gauge your confidence and trust?
      Will you limit how the service is used?
    If your level of trust in the 3rd party is low you can:
      Use compensating controls
      Accept greater risk
      Not use the service

    FISMA and OMB policy require external providers handling federal information or operating information systems on behalf of the federal government to meet the same security requirements as federal agencies. - NIST SP 800-37 Rev 1

  • Validation

    Time for a sanity check
    Does the system boundary make sense?
    Is the system properly classified based on risk, not on what the system owner wants?
    Don't rush the process and miss critical issues

  • Maintenance

    Need to have a formalized (meaning documented and supported) inventory
    Annual review (required)
    Timely update as it changes
    Automated system
      Can help trigger an evaluation or recertification
    Closely tied to risk management
    Closely tied to business continuity
    Typically, obtaining an up-to-date inventory is a challenge
    Revise authorization boundary periodically as part of the continuous monitoring process

  • RMF Step 1: Information System Registration

    Register the information system with appropriate organizational program/management offices
    Once the system is documented it can be logged into the agency's overall tracking system
    Typically this is some sort of tracking database for all systems within an organization

  • Summary

    Need to have a sound process for:
      Create inventory
      Classification of systems inventory
      Update systems inventory
      Review systems inventory
    Goal: To provide assurance that systems that need protection are identified
    Need to be able to understand where one system starts and where it ends


  • Inventory Is Central

  • Class Discussion: Inventory

    Due to timing restraints you have been asked to complete the RMF for a system without a complete inventory. What can you do?
    What are the risks of an inaccurate and out-of-date inventory?
    It is a challenge to keep an accurate and up-to-date inventory. How would you ensure an accurate and up-to-date inventory?
    What other processes suffer from an inaccurate and out-of-date inventory?
