Security categorization



According to the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) Publication 199, security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals (NIST, 2004). Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization (NIST, 2004).

Purpose for security categorization

The overall purpose for security categorization falls within the greater context of Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA). FISMA recognized the importance of information security to the economic and national security interests of the United States (NIST, 2004). In alignment with the standards and guidelines established by NIST, the intended purpose of security categorization is to categorize all information and information systems collected or maintained by or on behalf of each agency, with the objective of providing appropriate levels of information security according to a range of risk levels (NIST, 2004).

Categorization of company laptops

While company-issued laptops provide benefits such as mobility and greater productivity and efficiency when working away from the office, there are many risks associated with these devices moving around and establishing connections to enterprise assets from virtually anywhere in the world. Aligning these risks, and their corresponding remediation efforts, with the appropriate risk management framework (RMF) will allow the organization to take a standardized approach toward identifying our areas of risk and adopting recommended standards and guidelines for prioritizing gap remediation, risk mitigation, and overall program performance measurement.

As it relates to company-issued laptops, we recommend establishing risk categorizations in alignment with FIPS 199 and NIST Special Publication (SP) 800-60, following the NIST-provided table summarizing the potential impact for the security objectives of confidentiality, integrity, and availability (NIST, 2014):

Confidentiality
Given the current culture of user and company information stored, at times, locally on laptops and other devices, the impact of a breach leading to the disclosure of information key to the success of the organization, or of information containing Personally Identifiable Information (PII), could have a catastrophic impact on the organization's operational readiness. The potential impact to the organization's reputation, from an information security standpoint, if PII or other sensitive information were disclosed and found to have been stored on a laptop would be severe and a real threat to our ability to attract new opportunities and maintain the relationships we already have.

Integrity: High
The impact of a breach leading to the manipulation of data, applications, or any other information relying upon accuracy and authenticity would, at the very least, call into question a limited scope of data or transactions from a given entity. In a worst-case scenario, information assurance reliant upon the accuracy of data impacted by a breached laptop could have an irrecoverable, catastrophic impact on the organization's brand reputation and credibility with clients and business partners.

Availability: Low
Because of the ubiquity of laptops and other mobile devices within our corporate enterprise boundaries, the impact of losing a laptop to hardware failure, software failure, or any other type of disaster would be limited, given the mitigation efforts recommended to remove all company-related data from mobile devices. As this data makes its way to the cloud (classification-dependent), there will be greater availability from a greater number of devices, and even less reliance on a given laptop for our user community, and road warriors in particular, to perform their duties.

References
1. NIST (2014). FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. Retrieved July 22, 2019 from .
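The FIPS 199 categorization applied above, as an added Python example that is not part of the original write-up: it encodes the per-objective impact levels, the SP 800-60 style high-water-mark aggregation across the information types a system processes, and the FIPS 199 rule that "not applicable" is permitted only for the confidentiality of public information types and never for an information system. The two information types and their confidentiality levels are constructed assumptions, since the page gives laptop ratings only for integrity (High) and availability (Low).

```python
from dataclasses import dataclass

# FIPS 199 potential impact levels. NOT_APPLICABLE is allowed only for the confidentiality
# of an information TYPE (public information), never for a SYSTEM, which is at least LOW.
OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"NOT_APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass(frozen=True)
class InfoType:
    """One information type stored or processed by the system (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective)
        if level not in RANK or (level == "NOT_APPLICABLE" and objective != "confidentiality"):
            raise ValueError(f"{self.name}: invalid {objective} impact {level!r}")
        return level


def categorize_system(info_types: list[InfoType]) -> dict[str, str]:
    """Per-objective system impact: high-water mark over information types, floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        top = max((t.impact(objective) for t in info_types), key=RANK.__getitem__)
        category[objective] = "LOW" if top == "NOT_APPLICABLE" else top
    return category


def high_water_mark(category: dict[str, str]) -> str:
    """Overall categorization across the three objectives (drives baseline selection)."""
    return max(category.values(), key=RANK.__getitem__)


def sc_notation(name: str, category: dict[str, str]) -> str:
    """Render the FIPS 199 'SC' expression for the system."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed sample: the page rates laptop integrity HIGH and availability LOW;
# the information types and confidentiality levels below are assumptions for illustration.
LAPTOP_INFO_TYPES = [
    InfoType("client PII (assumed)", "HIGH", "HIGH", "LOW"),
    InfoType("public marketing material (assumed)", "NOT_APPLICABLE", "LOW", "LOW"),
]
```

Running `sc_notation("company laptop", categorize_system(LAPTOP_INFO_TYPES))` yields the SC expression for the laptop, and `high_water_mark` on the same category gives the overall level used to select a control baseline.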