Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
1 like349 views
The document outlines a system inventory process to categorize an organization's information systems. It involves identifying general support systems and applications, classifying them based on information sensitivity and criticality, determining major applications, and publishing the inventory for review. Key terms defined include general support system, major application, and information system. The process helps organizations understand and protect sensitive data types by properly inventorying and categorizing automated information resources.
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
- 14. • Criticality: A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. • Sensitivity: Used in this guideline to mean a measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. • - NIST SP 800-60
- 33. Data Type Confidentiality Integrity Availability Personal Identity and Authentication Moderate Moderate Moderate Help Desk Services Low Low Low Budget & Finance Moderate Moderate Low Accounting Low Moderate Low Space Operations Low High High
- 40. Source: 45 C.F.R. Sec. 160.103
- 48. 1 • Identify General Support Systems and Applications • Identify Business Functions • Identify automated information resources & categorize as GSS or application 2 • Classify GSS and applications • Determine information sensitivity • Determine mission criticality 3 • Determine what applications qualify as major applications • Determine major applications support systems • Non-major application become GSS 4 • Submit to CIO for review • Business unit executive review • Publish inventory
- 50. “The term ‘information system’ means a discrete set of information resources organized for the collection, processing, maintenance, transmission and dissemination of information in accordance with defined procedures, whether automated or manual.” OMB Circular A-130
- 51. General Support System “An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.” OMB Circular A-130 Major Application “An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.” OMB Circular A-130
- 59. NIST SP 800-100 “It is also possible for multiple information systems to be considered as independent subsystems. A subsystem is a major subdivision of an information system consisting of information, information technology, and personnel that perform one or more specific functions.” - NIST SP 800-37 Rev 1 System 1 Subsystem A Subsystem B Subsystem C