1.4 Organizational Responsibilities
Organizations use FIPS Publication 199 to categorize their information and information systems. Security categorization is accomplished as an organization-wide activity[16] with the involvement of senior-level organizational personnel including, for example, authorizing officials, chief information officers, senior information security officers, information owners and/or stewards, information system owners, and risk executive (function).[17] Information is categorized at Tier 1 (organization level) and at Tier 2 (mission/business process level). In accordance with FIPS Publication 200, organizations use the security categorization results from Tiers 1 and 2 to designate organizational information systems at Tier 3 (information system level) as low-impact, moderate-impact, or high-impact systems. For each organizational information system at Tier 3, the recommendation for security controls from the baseline controls defined in Appendix D is the starting point for the security control tailoring process. While the security control selection process is generally focused on information systems at Tier 3, the process is generally applicable across all three tiers of risk management.
FIPS Publication 199 security categorization associates information and the operation and use of information systems with the potential worst-case adverse impact on organizational operations and assets, individuals, other organizations, and the Nation.[18] Organizational assessments of risk, including the use of specific and credible threat information, vulnerability information, and the likelihood of such threats exploiting vulnerabilities to cause adverse impacts, guide and inform the tailoring process and the final selection of security controls.[19] The final, agreed-upon set of security controls addressing specific organizational mission/business needs and tolerance for risk is documented with appropriate rationale in the security plan for the information system.[20] The use of security controls from Special Publication 800-53 (including the baseline controls as a starting point in the control selection process) facilitates a more consistent level of security for federal information systems and organizations, while simultaneously preserving the flexibility and agility organizations need to address an increasingly sophisticated and hostile threat space, specific organizational missions/business functions, rapidly changing technologies, and in some cases, unique environments of operation.
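A worked example of the Tier 2 to Tier 3 step described above (added here; it is not part of the NIST text): it parses FIPS 199 categorization expressions for the information types resident on a system, takes the worst case per security objective, and applies the FIPS 200 high water mark to arrive at the low/moderate/high impact level that selects the Appendix D starting baseline. The system, its information types and their categorizations are constructed for illustration.

```python
import re
from typing import Dict, List

# Impact levels in ascending severity as defined in FIPS 199; the value NA
# (not applicable) is permitted only for the confidentiality objective.
LEVELS = ["LOW", "MODERATE", "HIGH"]
OBJECTIVES = ("confidentiality", "integrity", "availability")
# Matches pairs written in the FIPS 199 form: (confidentiality, MODERATE)
_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(LOW|MODERATE|HIGH|N/?A)\s*\)",
    re.IGNORECASE,
)

def parse_sc(expr: str) -> Dict[str, str]:
    """Parse 'SC x = {(confidentiality, X), (integrity, Y), (availability, Z)}'."""
    found = {o.lower(): l.upper().replace("/", "") for o, l in _PAIR.findall(expr)}
    missing = set(OBJECTIVES) - set(found)
    if missing:
        raise ValueError(f"categorization lacks objectives: {sorted(missing)}")
    for obj in ("integrity", "availability"):
        if found[obj] == "NA":
            raise ValueError(f"FIPS 199 allows NA only for confidentiality, not {obj}")
    return found

def worst_case(levels: List[str]) -> str:
    """Highest impact among the given levels; NA contributes no impact."""
    ranked = [LEVELS.index(l) for l in levels if l != "NA"]
    return LEVELS[max(ranked)] if ranked else "NA"

def system_categorization(info_types: Dict[str, str]) -> Dict[str, str]:
    """Tier 2 -> Tier 3: for each objective, the worst case across every
    information type on the system (the FIPS 200 high water mark, per objective)."""
    parsed = [parse_sc(expr) for expr in info_types.values()]
    return {obj: worst_case([p[obj] for p in parsed]) for obj in OBJECTIVES}

def system_impact_level(info_types: Dict[str, str]) -> str:
    """Overall low/moderate/high impact level of the system, which selects the
    Appendix D baseline used as the starting point for tailoring."""
    return worst_case(list(system_categorization(info_types).values()))

# Constructed sample: two information types hosted on one hypothetical system.
SAMPLE_SYSTEM = {
    "public web content": "SC = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}",
    "case files": "SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, LOW)}",
}

if __name__ == "__main__":
    print(system_categorization(SAMPLE_SYSTEM), system_impact_level(SAMPLE_SYSTEM))
```

Because a single HIGH on any objective of any hosted information type raises the whole system to high-impact, consolidating unrelated information types onto one system is the usual reason a baseline grows beyond what most of the data needs.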
Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
- Clearly articulated security requirements and security specifications;
- Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
- Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
- Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
- Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards;[21] and
- Information security planning and system development life cycle management.[22]
From an engineering viewpoint, information security is just one of many required operational capabilities for information systems that support organizational mission/business processes—capabilities that must be funded by organizations throughout the system development life cycle in order to achieve mission/business success. It is important that organizations realistically assess the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from mission/business processes and from placing information systems into operation or continuing operations. Realistic assessment of risk requires an understanding of threats to and vulnerabilities within organizations and the likelihood and potential adverse impacts of successful exploitations of such vulnerabilities by those threats.[23] Finally, information security requirements must be satisfied with the full knowledge and consideration of the risk management strategy of the organization, in light of the potential cost, schedule, and performance issues associated with the acquisition, deployment, and operation of organizational information systems.[24]
16. See FIPS Publication 200, Footnote 7. ↩
17. Organizations typically exercise managerial, operational, and financial control over their information systems and the security provided to those systems, including the authority and capability to implement or require the security controls deemed necessary to protect organizational operations and assets, individuals, other organizations, and the Nation. ↩
18. Considerations for potential national-level impacts and impacts to other organizations in categorizing organizational information systems derive from the USA PATRIOT Act and Homeland Security Presidential Directives (HSPDs). ↩
19. Risk assessments can be accomplished in a variety of ways depending on the specific needs of organizations. NIST Special Publication 800-30 provides guidance on the assessment of risk as part of an overall risk management process. ↩
20. Authorizing officials or designated representatives, by accepting the completed security plans, agree to the set of security controls proposed to meet the security requirements for organizations (including mission/business processes) and/or designated information systems. ↩
21. NIST Special Publication 800-137 provides guidance on continuous monitoring of organizational information systems and environments of operation. ↩
22. NIST Special Publication 800-64 provides guidance on the information security considerations in the system development life cycle. ↩
23. NIST Special Publication 800-30 provides guidance on the risk assessment process. ↩
24. In addition to information security requirements, organizations must also address privacy requirements that derive from federal legislation and policies. Organizations can employ the privacy controls in Appendix J in conjunction with the security controls in Appendix F to achieve comprehensive security and privacy protection. ↩