In order to determine the level at which your information should be certified and accredited, there are seven criteria you should take into consideration:
■   Confidentiality
■   Integrity
■   Availability
■   Interconnection State
■   Processing State
■   Complexity State
■   Mission Criticality

I am going to show you how to assign risk and impact levels to these characteristics in order to determine what level at which to C&A your information system. Some C&A programs may opt to use more than seven criteria and may vary their risk ratings, however all C&A level determinations should take a similar approach.

Confidentiality, Integrity, and Availability

Preserving the Confidentiality, Integrity, and Availability of your information systems is one of the key objectives of FISMA. FIPS 199 helps you understand how to categorize the Confidentiality, Integrity, and Availability of your information systems so you can take that information and determine a C&A level.

Confidentiality

According to FIPS 199, Confidentiality is a legal term defined as:

…preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information…

Legal terms aside, Confidentiality means that people who are not supposed to see sensitive data don’t end up seeing it. Confidentiality can be breached in numerous ways, including shoulder surfing, capturing network packets with a protocol analyzer (sometimes referred to as “sniffing”), capturing keystrokes with a keystroke logger, social engineering, or dumpster diving. Confidentiality can also be breached completely accidentally, for example, if systems administrators accidentally configure an application such that people who are not supposed to see the data have login access to it.
Confidentiality typically is preserved through use of the following techniques:

■   Encryption
■   Roles-based access control (RBAC)
■   Rules-based access controls
■   Classifying data appropriately
■   Proper configuration management
■   Training end-users and systems administrators

Determining the Confidentiality Level

In determining the proper level at which to certify and accredit your information system, you need to determine what impact a breach of Confidentiality of the data would have on your organization. If the impact of disclosure would be of little consequence, the rating of Low should be selected. If the impact of disclosure to the wrong individuals would be disastrous, the rating of High should be selected. If the impact of adverse disclosure would be somewhere between Low and High, the rating of Moderate should be selected.

For example, data that is to be made publicly available on the Web would have a Low Confidentiality rating. Data that should be viewed by only a very small group of people, where disclosure to the unauthorized viewers would have critical consequences, would require a High degree of Confidentiality. Data that should be viewed by an intermediate amount of users, that would have a moderate adverse effect if it were disclosed to the wrong individuals, would have a Moderate Confidentiality rating.

When considering impact of disclosure, it helps if the data within your organization has a classification scheme. If it does, you can create numerical weights based on the data classification scheme that are somewhat more specific than the assignments of High, Medium, or Low.

Integrity

Like Confidentiality, Integrity is also a legal term defined by FIPS 199 and reads as follows:

…means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity…

Preserving the Integrity of the data ensures that the information is reliable and has not been altered either by unauthorized users, or processes gone awry. After all, if data is not accurate, it is of little use and in fact can be detrimental if it is being used to make decisions where lives are at stake. Attackers may attempt to purposely alter data, but systems administration errors and sloppy programming can also create data that contains the wrong information. If input variables in programs are not checked for memory bounds, buffer overflows can occur, which have the potential to alter good data.

Integrity often is preserved through the same techniques you use to preserve Confidentiality. However, additional techniques that help ensure that Integrity of data is left in tact are:

■   Perimeter network protection mechanisms
■   Host-based intrusion prevention systems
■   Network-based intrusion detection systems
■   Protection against viruses and other malware
■   Physical security of the information systems
■   Adherence to secure coding principles
■   Backups and off-site storage
■   Contingency management planning

Determining the Integrity Level

Similar to determining the Confidentiality level, when you determine the Integrity level, you need to determine what impact a loss of data Integrity would have on your organization. If the impact of unauthorized data modification would be of little consequence, select the Low rating. If the impact of unauthorized data modification would be disastrous, select the High rating. If the impact of adverse and unauthorized data modification would be somewhere between Low and High, you should select Moderate.

Remember, loss of Integrity means that the data has been modified through unauthorized channels, either on purpose or by accident. If it is a company calendaring application that has its Integrity breached, this will not have anywhere near the same consequences as if it were a patient’s medical record in a Veteran’s Hospital. A breach of Integrity on a patient’s medical record could have life or death consequences and a serious adverse affect.

Integrity levels should be assigned based on a scale that is indicative of risk to Integrity loss.

Availability

FIPS 199 stipulates the legal definition of Availability to be:

…means ensuring timely and reliable access to and use of information.

Not all data have the same requirements for Availability. Data that has an impact on human lives needs to have its Availability ensured at higher levels than data that is intended for trivial purposes (e.g., the cafeteria lunch menu). Data that has high Availability requirements needs more elaborate safeguards and controls to ensure that Availability is not compromised. Data that has low Availability requirements may need no safeguards or controls.

Determining the Availability Level

In determining Availability, you need to understand how urgent it is (or not), that the data exists in its everyday state. What would happen if the data were to become unavailable for a period of time? Would the unavailability of the data prevent critical decisions to be made? Would human lives become at stake? Would anyone even notice or care? Some C&A experts claim that risks to Availability should be concerned only with security, and not performance. However, security vulnerabilities often are exploited through attacks on performance, and therefore, I believe that taking performance into consideration is important. If a denial of service attack prevents data from becoming available due to degradation in system performance, it would be prudent to consider the performance impact caused by the attack on security.

How to Categorize Multiple Data Sets

If you are planning to certify and accredit multiple applications together, or applications for multiple lines of business or multiple operational areas, you will need to do some additional work to figure out your Confidentiality, Integrity, and Availability scores. However, it is much more efficient to C&A multiple applications together, and multiple lines of business together, than to develop two entirely separate C&A packages.

First you figure out the Confidentiality, Integrity, and Availability qualitative ratings individually for each application, line of business, or operational area. Once you have done that, you put the final scores for each of the individual areas into a summary table. The different individual areas may have different scores for Confidentiality, Integrity, and Availability. However, your C&A package needs to be geared toward one level. To obtain the final Confidentiality, Integrity, and Availability rating, you will want to select the highest rating in all categories and use that one. For example, if you have three lines of business, and they have Confidentiality ratings of High, Moderate, and Low, you will select High for your final Confidentiality rating.

Management

Figuring out Confidentiality, Integrity, and Availability using the approach I have just described is the ideal way to figure Confidentiality, Integrity, and Availability scores if you have different departments that share the same server. You certainly will not want to put together three different Certification Packages for the same server. Due to the large amount of time and resources it takes to put together a Certification Package, you want to cover as many information technology assets in one package as you can.

Impact Levels and System Criticality

FIPS 199 summarizes the characterization of Confidentiality, Integrity, and Availability according to adverse impact in the event of a security incident. Low, Moderate, or High impacts are described by FIPS.

Integrity, or Availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Confidentiality, Integrity, or Availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

Integrity, or Availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

What is important in following these guidelines is being able to justify the rationale behind selecting the category of Low, Moderate, or High for your information system. Questions that you will want to ask the in-house subject matter experts to help you determine the Confidentiality, Integrity, and Availability impact levels are:

■   Do these information systems perform operations that put human lives at stake?
■   Is the data read-only data?
■   Does the data constitute executable programs?
■   Who are the stakeholders of the data?
■   If the data disappeared completely and forever what would be the impact?
■   If the data disappeared for one hour what would be the impact?
■   If the data disappeared for one day what would be the impact?
■   Does the information system connect to any other systems or networks?

The final Confidentiality, Integrity, and Availability rating that you calculate to summarize all the systems in your C&A package is called the Security Profile.

System Attribute Characteristics

Aside from Confidentiality, Integrity, and Availability, there are four other system attributes that should be taken into consideration to determine your C&A level.Those four attributes are known as the Interconnection State, the Processing State, the Complexity State, and Mission Criticality. By assigning numerical risk levels to these attributes and tallying up the totals, you can refine your security characteristics and justify your C&A level.

Interconnection State (Interfacing Mode)

The interconnection state often is referred to as the interfacing mode in agency documents, and refers to the connections the information system has to other networks, devices, databases, and systems. I prefer the terminology “interconnection state” because it is more descriptive and less cryptic than interfacing mode. Many security experts do not know what interfacing mode means without doing further research. If you see interfacing mode in C&A publications put out
by federal agencies, what the terminology refers to is the state of the interconnections of the different network components, and you should think of this as the same thing as the interconnection state.

To understand what the interconnection state is, let’s take into consideration a security incident. If a security incident occurred, would the incident be contained within the single information system or would it perpetrate out to other systems? In understanding the interconnection state, you need to determine if risks can be contained.To determine if the risks can be contained, you need to know if the interconnection of network devices are nonexistent, passive, or active. A nonexistent interconnection state would indicate no physical or logical connections. A passive interconnection state would indicate logical or physical connections that are tightly controlled. For example, a system may be set up to receive only certain types of data on certain ports. An active interconnection state would indicate a direct, and relatively open, interaction with other systems, data structures, and networks.

Clearly there is more risk associated with an active interconnection state, less risk with a passive interconnection state, and no risk with a nonexistent interconnection state. Although some C&A programs may assign other numerical weights to these interconnection states, I recommend that the weights that appear below to be used:

Access State (Processing Mode)

The access state of your information system refers to the complexity by which data is accessed, transmitted, and stored. The access state often is referred to as the processing mode in agency C&A documents. However, I believe that processing mode is misleading because what we are really trying to determine is the level of user access. To understand the access state, take into consideration the level of approvals necessary to access the data. How many technical security controls and configuration parameters are implemented and manipulated in order to grant access? You need to determine the number of different levels of user privileges and the complexity of configuring and implementing those access states.

Accountability State (Attribution Mode)

Accountability state refers to how accountable you need your information system to be. This information state often is referred to in agency C&A documents as the attribution mode. However, the terminology attribution mode is again cryptic—no one knows what it means and it’s time to replace it with more descriptive terminology. The terminology “accountability state” is less confusing. To understand accountability state, you need to take into consideration the complexity of accountability required to identify, validate, audit, and monitor system entities and configurations. Does the system undergoing C&A require simple or complex audit mechanisms? Are intrusion detection or intrusion prevention systems required? Do security events need to be correlated with a security information management (SIM) console? How many places should data be stored in? How many monitoring systems do you need? Do you need monitoring systems in multiple geographic locations? To determine the complexity state, it is worth considering who the stakeholders are for the data. Is it the president of the United States? Or are the stakeholders data entry clerks? Find out who the data stakeholders are and what they are using the data for.You may need to interview the stakeholders, the developers, and the information system owner in order to find out what they are using the data for.

To determine the complexity of the accountability required by the information system, I have set up a scale, depicted in table below. Make a qualitative decision based on information that you obtain from the stakeholders, the information system owner, and the developers.

Mission Criticality

One way of gauging the importance of an information system is to understand how critical that particular information system is to your business. How reliant is your business on the information system that is up for C&A? There are four categories of reliance that you should try to align your information system with:

■   No reliance
■   Cursory reliance
■   Partial reliance
■   Complete reliance

The information system owner should have a good idea of the mission criticality of the information system that is up for C&A. I caution against interviewing the end users of the information system on mission criticality because they often give exaggerated viewpoints on mission criticality. You should verify the information system owner’s viewpoint with the in-house developers and subject matter experts.