Security Basics mailing list archives
Clarification on levels of CIA
From: mr.nasty () ix netcom com
Date: 2 Nov 2006 20:30:50 -0000
I'm in the process of working the bugs out of a new security plan. In the plan (according to NIST) there's a section to indicate the type of protection needed for the system. A system may need protection for one or more of the following reasons:

Confidentiality - The system contains information that requires protection from unauthorized disclosure.

Integrity - The system contains information which must be protected from unauthorized, unanticipated, or unintentional modification.

Availability - The system contains information or provides services which must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Describe, in general terms, the information handled by the system and the need for protective measures.

- Relate the information handled to each of the three basic protection requirements above (confidentiality, integrity, and availability).

- Include a statement of the estimated risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information in the system. To the extent possible, describe this impact in terms of cost, inability to carry out mandated functions, timeliness, etc.

For each of the three categories (confidentiality, integrity, and availability), indicate if the protection requirement is:

High - a critical concern of the system;
Medium - an important concern, but not necessarily paramount in the organization's priorities; or
Low - some minimal level of security is required, but not to the same degree as the previous two categories.

It seems every organization I've worked at feels their information is at the High level. How do you explain that anyone who might compromise their data only has access to the following:

1) name (could be a business name)
2) address (probably a business addy)
3) access to the data (which is basically publicly available)
4) phone number

That would be all the personally identifiable information available. They cannot get credit card, SSN, DOB, driver's license or any other personally identifiable information. Did I miss something here?

My reason for asking is, if any of you have had experience with putting together a security plan in accordance with NIST, you'll know that as you gather together the information you can see a picture of a purpose for a certain level of security. If an organization artificially raises the security level with no justification within the plan and the actual level of security is operating at a low to medium, won't that have an adverse effect when it comes to an IT audit? Common sense tells me that it would.

I cannot get management to provide a statement of the estimated risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information in the system, except to say "look at the page, it's pretty obvious." I wouldn't be asking if it was so obvious.