INTRODUCTION

THE NEED TO PROTECT INFORMATION AND INFORMATION SYSTEMS

The selection and implementation of security controls for information systems[1] and organizations are important tasks that can have major implications on the operations[2] and assets of organizations[3] as well as the welfare of individuals and the Nation. Security controls are the safeguards/countermeasures prescribed for information systems or organizations that are designed to: (i) protect the confidentiality, integrity, and availability of information that is processed, stored, and transmitted by those systems/organizations; and (ii) satisfy a set of defined security requirements.[4] There are several key questions that should be answered by organizations when addressing the information security considerations for information systems:

  • What security controls are needed to satisfy the security requirements and to adequately mitigate risk incurred by using information and information systems in the execution of organizational missions and business functions?
  • Have the security controls been implemented, or is there an implementation plan in place?
  • What is the desired or required level of assurance that the selected security controls, as implemented, are effective in their application?[5]

The answers to these questions are not given in isolation but rather in the context of an effective risk management process for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks[6] arising from its information and information systems. NIST Special Publication 800-39 provides guidance on managing information security risk at three distinct tiers: the organization level, the mission/business process level, and the information system level. The security controls defined in this publication and recommended for use by organizations to satisfy their information security requirements should be employed as part of a well-defined risk management process that supports organizational information security programs.[7]

It is of paramount importance that responsible officials understand the risks and other factors that could adversely affect organizational operations and assets, individuals, other organizations, and the Nation.[8] These officials must also understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that mitigate risks to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the organization and accomplish the organization's stated missions and business functions with what OMB Circular A-130 defines as adequate security, or security commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

1. An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial/process control systems, telephone switching/private branch exchange (PBX) systems, and environmental control systems.
2. Organizational operations include mission, functions, image, and reputation.
3. The term organization describes an entity of any size, complexity, or positioning within an organizational structure (e.g., a federal agency or, as appropriate, any of its operational elements).
4. Security requirements are derived from mission/business needs, laws, Executive Orders, directives, regulations, policies, instructions, standards, guidance, and/or procedures to ensure the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by organizational information systems.
5. Security control effectiveness addresses the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment or enforcing/mediating established security policies.
6. Information security-related risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and consider the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the Nation.
7. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.
8. This includes risk to critical infrastructure/key resources described in Homeland Security Presidential Directive 7.
