
Information Security, American Style. Part 3. What is a baseline set of controls and how do you determine the criticality of systems?


* Security is not tilting at windmills *

In the previous articles I already described the NIST SP 800-53 publication in some detail: the division of controls into families, the structure of an individual security control, the organization-wide risk management process, and even the short FIPS 200 publication were all covered.
Because of the launch of Geektimes we had to pause a little, but now we carry on; today we will talk about the baseline sets of security controls and about determining the criticality of information systems.
And, of course, authentic American safety posters come bundled in.

Links to previous articles:
Information Security, American Style. Part 1. What is NIST 800-53 and what do security controls look like?
Information Security, American Style. Part 2. Can we learn more about NIST 800-53, and where does risk management fit in?
Information Security, American Style. Part 3. What is a baseline set of controls and how do you determine the criticality of systems?
Information Security, American Style. Part 4. Dealing with "tailoring" and "overlays", and wrapping up this review.


Baseline control sets


In the first part we discussed the structure of the security control families and the anatomy of a single control (including its "control enhancements"). Now it is time to understand what to do with these controls: how to choose from several hundred different measures, what to be guided by when deciding whether a control needs to be implemented, and in what order to carry out this process.
So, the organization needs to adequately compensate for the information security risks that arise while it operates and carries out its business tasks. The hard problem for an organization is to determine the most appropriate and cost-effective set of controls, one that will also turn out to be effective once implemented.

Since you have to start somewhere, grabbing at everything at once is not very productive, and it would be good to give everyone a single reliable basis for further work, NIST developed three baseline sets of security controls, which serve as the starting point for the subsequent process of "tailoring" (in the context of the document the term means optimization or adaptation to a specific system). The sets differ in the criticality of the information system to which they are applied, that is, the system that actually has to be protected. A specific starter set is selected based on the security category of an individual information system (or group of systems), determined in accordance with FIPS Publication 199 (you may remember that this is the first step of the Risk Management Framework discussed in the second part). The categorization process itself is covered a little further on.

Naturally, it would be naive to assume that one could develop even a single universal set of information security measures (let alone three) that provides an adequate level of security for an indefinite number of systems. Moreover, NIST positions its document as an extremely universal tool, suitable for large organizations and government structures and almost for private use. So the essence of the baseline sets lies in their name: they are the starting point from which you can and should begin, especially for those who do not know which end of the stick to grab (and would rather it were the gingerbread of information security anyway).

So, there are three baseline sets, designed for systems of low, moderate and high criticality (NIST's term for the middle level is "moderate"; it is rendered as "medium" in some translations). To give the reader a rough idea of the volume of measures contained in the sets (and, consequently, of the effort involved, although the relationship between the number of controls and the resulting level of security is anything but linear), the following statistics can be given:

It is definitely worth noting that even the HIGH baseline is far from a complete list of the security measures presented in NIST SP 800-53. These are only starting points that imply further tailoring, i.e. work on optimizing these lists for the needs of a particular organization, the specifics of the individual information system and the features of its operating environment.


* Mona Lisa only smiles silently about her secrets. You smile too *

Determining the criticality of an information system


When preparing to select a suitable baseline set of security controls for an organization's information systems and their operating environment, the first thing to do is determine the criticality of the information that these systems will process, store or transmit. In NIST documents this process is called security categorization and is described in FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. The title needs no translation; everything is embarrassingly simple and similar to the names of the publications mentioned earlier. Categorization is based on an assessment of the potential adverse impact of a compromise of the information system. Its results let you select the security controls needed for adequate protection by choosing the appropriate baseline. There are no new ideas here; this is a long-established principle, just properly formulated and recorded in an official document in a form uniform for everyone. Let's run through it briefly.

The FIPS 199 method


From the whole document I selected only the substantive part for the reader and tried to arrange it as a short method. I consider it necessary to present it here, since it is the mandatory step with which building an information security program begins. It will be especially useful for those who are just getting acquainted with information security.

Security objectives


The security objectives (my free rendering of the term; since it appears only a few times and only within this document, I did not bother to make the definition compact or convenient for further use) are the three basic properties of information: confidentiality, integrity and availability (I assume these need no introduction). The document then explains what the loss of each of these three objectives means, for example what a loss of integrity is.

Potential impact levels


There are three levels of potential impact of the loss of a security objective on the organization and on individuals: low, moderate and high. How the potential impact levels listed below are applied must be assessed and decided specifically for each organization, based on its individual characteristics. Next, I will try to fit the three definitions into one:
The potential impact is low / moderate / high if
the loss of confidentiality, integrity or availability could be expected to have a limited / significant / critical adverse effect on the organization's operations, its assets or individuals.

The document also describes the three levels of adverse effect, but these are only general formulations. As an example I will give the description only for the critical level. To describe the other levels, simply replace the word "critical" with the appropriate adjective, soften the consequences, and drop the loss of life.

A critical adverse effect means, for example, that a loss of confidentiality, integrity or availability could lead to: a severe degradation of the ability to perform business tasks, to the point where the organization cannot perform one or more of its primary functions; major damage to organizational assets; major financial loss; or severe or catastrophic harm to individuals, including loss of life or serious life-threatening injuries.


* The inspection regime applies to everyone *

Security categories of information types


The security category of an information type can apply both to user information and to system information and can be used for information in both electronic and non-electronic form (after all, many information systems extend beyond digital media, at the very least at the point where the printer cable plugs in). The security categories of information types are then used to determine the security category of the information systems in which those types reside. Assigning an information type to a security category essentially requires assessing the potential impact of the loss of each of the three security objectives (confidentiality, integrity, availability) for that information type.
The security category of an information type is written as follows:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the potential impact may take the values LOW, MODERATE, HIGH or NOT APPLICABLE. The value NOT APPLICABLE is permitted only for confidentiality (it is assumed that there is information that can be given to anyone without worrying about confidentiality; however, even such information is subject to at least minimum integrity and availability requirements).


Note that this is not a formula but a vector (hello to calculus and linear algebra). The braces here denote a combination of three characteristics. More on this in the example below.

Security categories of information systems


Determining the security category of an information system must take into account the security categories of all information types present in that system. For an information system, the potential impact of the loss of each of the three security objectives (confidentiality, integrity, availability) is the highest potential impact value for the loss of the corresponding objective among the security categories of all information types the system holds (the "high water mark").
The security category of an information system is written as follows:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the potential impact may take the values LOW, MODERATE or HIGH. For information systems the value NOT APPLICABLE is not permitted even for confidentiality, because a minimum level of protection of the system and of system information must be ensured.


Criticality of information types and information systems


The criticality (overall impact level) of an information type or of an information system is defined as the highest potential impact value among the three security objectives in its security category.


* There is nothing old-fashioned in security *

Example


So that all these fearsome formulations and vectors resolve into an understanding of a fairly simple and logical principle, consider the following example.
There is an information system used in the organization's main business processes that contains both critical business data on contracts and customers and ordinary system information. The organization's management decided that for contract and customer information the potential impact of a loss of confidentiality is moderate, of a loss of integrity moderate, and of a loss of availability low; for system information the potential impact of a loss of confidentiality, integrity and availability is low in each case. The security categories of the information types are therefore:

SC contract and customer information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
SC system information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The security category of the evaluated information system then takes the following values (the high water mark per objective across the two information types):

SC evaluated system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}.

For easier digestion we present this information in a single Table 1, although it would be more correct to put the security categories of information types and of information systems into separate tables. As you can see, everything here is quite easy and simple. What interests us in the end is the result, namely the criticality of the information system, located in the bottom right cell.

Table 1. Security categories and criticality of information types and of the information system

|                                   | Confidentiality | Integrity | Availability | Criticality |
|-----------------------------------|-----------------|-----------|--------------|-------------|
| Contract and customer information | MODERATE        | MODERATE  | LOW          | MODERATE    |
| System information                | LOW             | LOW       | LOW          | LOW         |
| Evaluated system                  | MODERATE        | MODERATE  | LOW          | MODERATE    |
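The categorization rules from the "Security categories of information systems" and "Criticality" sections, and the example above, reduce to a small high-water-mark computation. The following Python is an added illustration written for this article; it is not code from the original post or from NIST. It encodes the FIPS 199 rules described on this page (NOT APPLICABLE allowed only for the confidentiality of an information type, never at system level; per-objective maximum across information types; overall criticality as the maximum across objectives) and maps the result to the NIST SP 800-53 baseline name. The input data reproduces the article's example; the second case, a public price list, is constructed here to show how the NOT APPLICABLE value is raised to LOW and how a single HIGH objective pulls the whole system into the HIGH baseline. All function and constant names are this example's own.

```python
"""FIPS 199 security categorization and baseline selection (added worked example)."""
from __future__ import annotations

from enum import IntEnum


class Impact(IntEnum):
    # Potential impact of losing a security objective. The ordering matters:
    # the "high water mark" rule takes the maximum across types and objectives.
    NOT_APPLICABLE = 0   # permitted only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2         # rendered as "medium" in some translations of the article
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def info_type_category(confidentiality: Impact, integrity: Impact, availability: Impact) -> dict:
    """SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}.

    FIPS 199 allows NOT APPLICABLE only for confidentiality (public information);
    integrity and availability always carry at least a LOW requirement.
    """
    if integrity is Impact.NOT_APPLICABLE or availability is Impact.NOT_APPLICABLE:
        raise ValueError("NOT APPLICABLE is allowed only for confidentiality")
    return {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}


def system_category(info_types: list[dict]) -> dict:
    """SC(information system): per objective, the highest impact over all information
    types the system handles (high water mark). NOT APPLICABLE is not allowed at
    system level, so a confidentiality value of NOT APPLICABLE is raised to LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        objective: max(max(t[objective] for t in info_types), Impact.LOW)
        for objective in OBJECTIVES
    }


def criticality(category: dict) -> Impact:
    """Overall impact level: the highest value among the three objectives."""
    return max(category.values())


# Baseline names as used in NIST SP 800-53; the system's criticality selects the starting set.
BASELINES = {Impact.LOW: "LOW", Impact.MODERATE: "MODERATE", Impact.HIGH: "HIGH"}


def select_baseline(info_types: list[dict]) -> str:
    """Initial baseline to tailor from: the one matching the system's overall impact level."""
    return BASELINES[criticality(system_category(info_types))]


def format_category(name: str, category: dict) -> str:
    """Render a category in the vector notation used in the article."""
    body = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{body}}}"


# Constructed input reproducing the article's example.
CONTRACT_INFO = info_type_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW)
SYSTEM_INFO = info_type_category(Impact.LOW, Impact.LOW, Impact.LOW)
EXAMPLE_SYSTEM = [CONTRACT_INFO, SYSTEM_INFO]

# Constructed second case (not from the article): a public price list whose
# confidentiality is NOT APPLICABLE but whose availability is HIGH.
PUBLIC_PRICE_LIST = info_type_category(Impact.NOT_APPLICABLE, Impact.LOW, Impact.HIGH)
PORTAL_SYSTEM = [PUBLIC_PRICE_LIST, SYSTEM_INFO]

if __name__ == "__main__":
    for name, types in (("evaluated system", EXAMPLE_SYSTEM), ("public portal", PORTAL_SYSTEM)):
        sc = system_category(types)
        print(format_category(name, sc))
        print(f"  criticality: {criticality(sc).name}; start tailoring from the {select_baseline(types)} baseline")
```

Running the script prints the article's result for the evaluated system (MODERATE, MODERATE, LOW; criticality MODERATE) and, for the constructed portal, a LOW confidentiality value despite the NOT APPLICABLE input together with a HIGH overall criticality driven by availability alone. That second outcome is the practical consequence of the high-water-mark rule: one HIGH objective on one information type is enough to put the entire system into the HIGH baseline, which is why splitting a system that mixes very different information types is often cheaper than protecting all of it to the highest level.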

Source: https://habr.com/ru/post/238977/

