Accreditation is the evaluation of the security controls of an IT system to establish the extent to which a particular design and implementation meets a set of specified security requirements. The risk management strategy used for A&A is depicted in the document, Risk Management Framework. Select three of the six steps of the framework illustrated in the Risk Management Framework below:
STEPS:
1. Categorize Information System
2. Implement Security Controls
3. Assess Security Controls
4. Select Security Controls
5. Authorize Information System
6. Monitor Security Controls
Categorize Information System:
This is the first step of the Risk Management Framework. This step determines the importance of the information, and based on that it concludes the following:
a.) the worst-case scenario
b.) the adverse effect on the organization
c.) the vision and mission of the organization
According to Federal Information Processing Standard (FIPS) 199, security categorization is based on the following three security objectives:
1. Confidentiality
2. Integrity
3. Availability
We must consider how a loss of each of these three objectives affects the information. If the impact level is low, the loss has a limited effect. If the impact level is moderate, the loss has a serious effect that we must be concerned about. If the impact level is high, the loss has a severe effect that must be given the highest priority.
If this step is omitted, we will not know what kind of information we have or how to handle it. The further steps become easier once the information is categorized.
Select Security Controls:
This is the second step of the Risk Management Framework. In this step the organization selects its security controls, starting from the most appropriate baseline chosen using the output of Categorize Information System (Step 1). Where needed, tailoring guidance is applied according to the risk management strategy.
The FIPS Minimum Security Requirements define 17 security control families, which together provide a broad-based and balanced security system covering operational, management and technical security controls (needed for defense in depth). The minimum baseline of security controls is implemented, and care must be taken that these baselines are correctly tailored.
These privacy and security measures are generally not tied to any particular technology, for example cloud-based technology, mobile systems and their applications.
A very important point to note is that the baselines should be tailored only on the basis of the type of risk, so that they properly fit the mission and vision of the system environment.
If this step is omitted, we might lose the data or it might be compromised by attackers. So we need to protect our information; confidentiality is very important.
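As an added example (not part of the original answer), the following Python models the decision the two steps above describe: FIPS 199 categorization of each information type, the system-level high-water mark, and the baseline choice that Step 2 starts from. It goes slightly beyond the text by handling the "not applicable" value FIPS 199 permits only for the confidentiality of an information type; the information types and impact levels are constructed samples.

```python
"""Added example: FIPS 199 categorization feeding the Step 2 baseline choice."""
from typing import Dict

# Impact values from least to most severe. FIPS 199 allows "n/a" only for the
# confidentiality of an information type (e.g. public data); when categorizing
# a whole system, every objective must be at least "low".
IMPACT_ORDER = ("n/a", "low", "moderate", "high")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    level = level.strip().lower()
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level: {level!r}")
    return IMPACT_ORDER.index(level)


def categorize_information_type(name: str, c: str, i: str, a: str) -> Dict[str, str]:
    """Security category of one information type; rejects 'n/a' outside confidentiality."""
    category = {"confidentiality": c, "integrity": i, "availability": a}
    for obj, level in category.items():
        if _rank(level) == 0 and obj != "confidentiality":
            raise ValueError(f"{name}: 'n/a' is only permitted for confidentiality")
        category[obj] = level.strip().lower()
    return category


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Step 1: high-water mark per objective across all information types handled."""
    system = {obj: "low" for obj in OBJECTIVES}  # floor of "low" per FIPS 199
    for impacts in info_types.values():
        for obj in OBJECTIVES:
            if _rank(impacts[obj]) > _rank(system[obj]):
                system[obj] = impacts[obj]
    return system


def select_baseline(system_category: Dict[str, str]) -> str:
    """Step 2: the control baseline follows the highest impact among the objectives."""
    return max(system_category.values(), key=_rank)


if __name__ == "__main__":
    # Constructed information types for a hypothetical public-facing system.
    types = {
        "web content": categorize_information_type("web content", "n/a", "moderate", "moderate"),
        "contract data": categorize_information_type("contract data", "moderate", "moderate", "low"),
    }
    sc = categorize_system(types)
    print("System SC:", sc, "-> baseline:", select_baseline(sc))
```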
Implement Security Controls:
We have to implement the security controls within the organizational architecture, using appropriate security engineering methods; SP 800-160 can be referred to for this. The security configuration settings must be applied properly.
The implementation should be planned in the development phase of the SDLC. Many publications are available that help with proper implementation across a wide range of controls and control types.
The implementation may include the following:
i.) Noting the policies and following the plans and operational procedures.
ii.) Configuring the settings appropriately in the applications.
iii.) Automating the implementation.
If this step is omitted, the information may be leaked and the system may deviate from its actual purpose.