FIPS 199
FIPS 199 defines how to determine whether an information system should be categorized as low, moderate or high potential impact (this page also calls that the system's risk level). The categorization is judged against three security objectives:
- Confidentiality
- Integrity
- Availability
For each objective you decide whether the loss of it could be expected to have a low, moderate or high impact. Once you have done that for all three, the overall level for the system is the highest of the three (the "high water mark"): a single High in any one objective makes the whole system High. FIPS 199 itself talks about potential impact rather than risk, and the high water mark for the whole system is what FIPS 200 uses to pick the control baseline.
To sum it up
Objective | Example 1 | Example 2 | Example 3 | Example 4 | Example 5 | Example 6 |
---|---|---|---|---|---|---|
Confidentiality | Low | Low | Low | Low | Moderate | High |
Integrity | Low | Moderate | Low | Moderate | Low | Low |
Availability | Low | Low | Moderate | High | Low | Moderate |
Overall Impact | Low | Moderate | Moderate | High | Moderate | High |
and so on.
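The table above shows the high water mark for a single set of impact values. In practice a system stores several information types, and FIPS 199 Section 3 applies the same rule twice: per objective, the system takes the highest value across its information types (with confidentiality "not applicable" allowed only for public information types, never for a system, and every system objective at least Low), and then the overall level is the highest objective. The script below is an added example that implements that procedure; it is not part of FIPS 199 or of this page, and the three information types and their impact values are constructed for illustration, not taken from NIST SP 800-60.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Potential impact values in increasing order. None stands for "not applicable",
# which FIPS 199 permits only for the confidentiality of an information type
# (public information), never for integrity, availability, or a whole system.
RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """Security category of one information type or of a system."""
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value is None and objective == "confidentiality":
                continue  # N/A is only legal here
            if value not in RANK:
                raise ValueError(
                    f"{self.name}: {objective} must be LOW, MODERATE or HIGH, got {value!r}")

    def values(self) -> Dict[str, Optional[str]]:
        return {o: getattr(self, o) for o in OBJECTIVES}

    def __str__(self) -> str:
        # FIPS 199 notation: SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}
        parts = ", ".join(f"({o}, {v or 'N/A'})" for o, v in self.values().items())
        return f"SC {self.name} = {{{parts}}}"


def _higher(a: Optional[str], b: Optional[str]) -> Optional[str]:
    """High water mark of two impact values; N/A loses to any real value."""
    if a is None:
        return b
    if b is None:
        return a
    return a if RANK[a] >= RANK[b] else b


def system_category(name: str, info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """Per objective, the system inherits the highest value across the information
    types it stores or processes. A system can never be N/A, so any objective left
    at N/A (or with no information types at all) is raised to LOW (low-water mark)."""
    mark: Dict[str, Optional[str]] = {o: None for o in OBJECTIVES}
    for it in info_types:
        for o, v in it.values().items():
            mark[o] = _higher(mark[o], v)
    return SecurityCategory(
        name=name,
        confidentiality=mark["confidentiality"] or "LOW",
        integrity=mark["integrity"] or "LOW",
        availability=mark["availability"] or "LOW",
    )


def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level for the system: the highest of the three objectives."""
    return max((v for v in sc.values().values() if v is not None), key=RANK.__getitem__)


# Constructed, illustrative information types (values are assumptions, not SP 800-60).
PUBLIC_WEB = SecurityCategory("public web content", None, "LOW", "LOW")
STUDENT_RECORDS = SecurityCategory("student records", "MODERATE", "MODERATE", "LOW")
CLASS_SCHEDULE = SecurityCategory("class schedule", "LOW", "LOW", "MODERATE")

if __name__ == "__main__":
    portal = system_category("student portal", [PUBLIC_WEB, STUDENT_RECORDS, CLASS_SCHEDULE])
    print(portal)                   # every objective ends up MODERATE
    print(overall_impact(portal))   # MODERATE
```

Note that a system made up only of public web content still comes out as Low for confidentiality, not N/A: the low-water mark exists because the system itself (its configuration, credentials and so on) always has something worth protecting.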
Federal Guidelines
The FIPS 199 document (a copy is on the Z: drive) says this:
FISMA defines three security objectives for information and information systems:
- CONFIDENTIALITY
- “Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec.
3542]
- A loss of confidentiality is the unauthorized disclosure of information.
- INTEGRITY
- “Guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]
- A loss of integrity is the unauthorized modification or destruction of information.
- AVAILABILITY
- “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542]
- A loss of availability is the disruption of access to or use of information or an information system.
Potential Impact on Organizations and Individuals
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.
- The potential impact is LOW if—
- The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
- The potential impact is MODERATE if—
- The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
- The potential impact is HIGH if—
- The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
- AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
CSU Definitions
While the objectives of Availability, Confidentiality and Integrity sound logical and are easy to apply, reading the Potential Impact definitions shows that wording written for federal agencies (the US Army, NSA, CIA, FBI, FAA and the like) does not scale down well to a university environment.
For Clayton State, we need our own definitions of LOW, MODERATE and HIGH impact that match up better with our goals.
- LOW impact
- The loss of confidentiality, integrity, or availability could be expected to have a limited or negligible adverse effect on CSU operations, organizational assets, or individuals.
- AMPLIFICATION: For CSU, low availability impact would be the loss of a server that has redundancy or is not a production server. Low confidentiality impact would be a server that hosts public-record information, where a disclosure gives out nothing we do not already publish (DNS, for example). Low integrity impact would be a server with redundancy built in that is easily recoverable, where a change to its data would not easily lead to further breaches or dire consequences.
- MODERATE impact
- The loss of confidentiality, integrity, or availability could be expected to have an impact on CSU operations, organizational assets, or individuals. This impact would be an inconvenience noticed by the campus, but something that could be worked around for a short time. Nothing personally identifiable has been modified or leaked.
- AMPLIFICATION: For CSU, moderate availability impact would be the loss of a server with minimal (non-automatic) redundancy or failover. SWAN is a good example: while inconvenient, there are other ways to get at the same information and continue business. Moderate confidentiality impact would be information that is somewhat protected but not private, more of a hassle than anything, such as a student getting hold of a test beforehand. Moderate integrity impact would be similar, in that it could be embarrassing (e.g. our web site says odd things) but does not result in dire situations (e.g. every student gets a $500 refund check).
- HIGH impact
- The loss of confidentiality, integrity, or availability could be expected to have a major impact on CSU operations, organizational assets, or individuals. This impact would be an interruption of how we intend to perform day-to-day duties, a loss of personally identifiable information, or an untrustworthy data source.
- AMPLIFICATION: For CSU, high availability impact would be the catastrophic loss of a system and its backups, such as the failure of both routers or both SANs. High confidentiality impact would be the loss of information containing personal data such as SSNs or dates of birth (e.g. a breach of Banner). High integrity impact would be a situation where we could no longer make use of the data we have because it cannot be trusted for business operations (e.g., as above, everyone suddenly overpaid by $500).