Unit 1 - FIPS PUB 199 Flashcards
What is the purpose of FIPS Publication 199?
To develop standards for categorizing information and information systems based on security objectives and risk levels.
Under which acts was FIPS Publication 199 established?
E-Government Act of 2002 and Federal Information Security Management Act of 2002.
What are the three security objectives defined by FISMA?
- Confidentiality
- Integrity
- Availability
What does a loss of confidentiality entail?
The unauthorized disclosure of information.
What does a loss of integrity refer to?
The unauthorized modification or destruction of information.
Define availability in the context of information security.
Ensuring timely and reliable access to and use of information.
What is considered a LOW potential impact on organizations?
Limited adverse effect on organizational operations, assets, or individuals.
What constitutes a HIGH potential impact as defined in FIPS Publication 199?
Severe or catastrophic adverse effect on organizational operations, assets, or individuals.
Fill in the blank: The potential impact is ______ if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect.
MODERATE
What is the significance of security categorization for information types?
It determines the potential impact for each security objective associated with the information type.
How is the security category of an information type expressed?
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
What is the acceptable values for potential impact in information systems?
- LOW
- MODERATE
- HIGH
True or False: The value of not applicable can be assigned to any security objective for an information system.
False
What must be considered when determining the security category of an information system?
The security categories of all information types resident on the information system.
What does the term ‘high water mark’ refer to in security categorization?
The highest values assigned to the respective security objectives from among the security categories for each type of information.
What is an example of a security category for public information?
SC public information = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}
What is the role of NIST in relation to FIPS Publications?
To provide leadership, technical guidance, and coordination in the development of standards and guidelines.
Fill in the blank: These standards are effective upon approval by the _______.
Secretary of Commerce
What types of organizations may consider using FIPS standards?
- State governments
- Local governments
- Tribal governments
- Private sector organizations
What defines an information type?
A specific category of information defined by an organization or law.
How does FIPS Publication 199 categorize information systems?
Based on the potential impact on confidentiality, integrity, and availability.
What is the purpose of the security categorization standards?
To promote effective management and oversight of information security programs.
What does the term ‘potential impact’ refer to?
The expected effect on an organization from a breach of security.
True or False: The security categorization framework is only applicable to federal information systems.
False
What is the potential impact of a loss of availability?
Disruption of access to or use of information or an information system.
What is the purpose of FIPS Publication 199?
Standards for Security Categorization of Federal Information and Information Systems
What does SCADA stand for?
Supervisory Control and Data Acquisition
What are the potential impacts assessed for SCADA system sensor data?
Confidentiality: NA, Integrity: HIGH, Availability: HIGH
What are the potential impacts assessed for SCADA system administrative information?
Confidentiality: LOW, Integrity: LOW, Availability: LOW
What is the initial security category for the SCADA system?
Confidentiality: LOW, Integrity: HIGH, Availability: HIGH
What change did management make to the confidentiality impact of the SCADA system?
Increased from LOW to MODERATE
What is the final security category of the SCADA system after management’s adjustment?
Confidentiality: MODERATE, Integrity: HIGH, Availability: HIGH
Define the potential impact of confidentiality at ‘LOW.’
The unauthorized disclosure of information could be expected to have a limited adverse effect
Define the potential impact of integrity at ‘HIGH.’
The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect
What does availability ensure?
Timely and reliable access to and use of information
What is the definition of information security?
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
Fill in the blank: The term _______ refers to a specific category of information.
Information Type
True or False: The National Security System includes information systems not involved in intelligence activities.
False
What is the definition of security category?
The characterization of information or an information system based on an assessment of the potential impact
List the three security objectives.
- Confidentiality
- Integrity
- Availability
What are security controls?
The management, operational, and technical controls prescribed for an information system
What does the term ‘information technology’ encompass?
Any equipment or interconnected system or subsystem of equipment used in data management
What is the significance of the term ‘executive agency’?
Refers to departments specified in U.S. law responsible for various governmental functions
