RMF Step 1: Categorize Flashcards
Task 1-1
Categorize the information and information system
Task 1-2
Describe the information system (including the system boundary)
Task 1-3
Register - let the organizational authority know what the system is used for and why it exists
Sensitivity
How important the information is; denotes the need for protection.
Information may be more sensitive when combined with other information.
Criticality
Measure of the degree to which an organization needs the system for the success of its mission or business function.
Information may be more critical at a particular point in time.
Data Classification
Inventory and classification approach: what needs to be classified as
- public
- internal use
- restricted
Security Objectives
CIA:
Confidentiality
Integrity
Availability
The documents used are
FIPS 199 and NIST 800-60
NIST 800-60 Volume 1 and 2 (both rev 1)
Volume 1, rev 1 - guide for mapping types of information and information systems to security categories
Volume 2, rev 1 - appendices to the guide for mapping types of information and information systems to security categories
* Recommends provisional impact levels for each security objective (CIA)
Categorization Process
1) Identify the Information System
2) Identify the Information Type
3) Select Provisional Impact Levels
4) Review Provisional Impact Levels
5) Adjust/Finalize Impact Levels
6) Assign System Security Category
7) Security Categorization (FIPS 199)
8) FIPS 200 (control selection)
Three groups of information types
1) Mission-Based Information Types
2) Services Delivery Support Information Types
3) Government Resource Mgmt Information Types