Infosec the American way. Part 3. What is a baseline set of controls, and how do you determine the criticality of systems?
- Tutorial

* Security is by no means tilting at windmills *
In the previous articles I covered NIST SP 800-53 in some detail: the breakdown of controls into families, the structure of an individual security control, the organization-wide risk management process and, briefly, the separate publication FIPS 200.
The launch of Geektimes delayed things a little, but we press on: today the topic is baseline sets of security controls and determining the criticality of information systems.
And, of course, authentic American security posters are included.
Links to the articles in this series:
Infosec the American way. Part 1. What is NIST SP 800-53, and what do the security controls look like?
Infosec the American way. Part 2. Can you elaborate on NIST SP 800-53, and where does risk management fit in?
Infosec the American way. Part 3. What is a baseline set of controls, and how do you determine the criticality of systems?
Infosec the American way. Part 4. Understanding "tailoring" and "overlays", and wrapping up the review
Baseline sets of controls
We covered the structure of the security control families and the design of an individual control (including its enhancements) in the first part. Now it is time to work out what to do with these controls: how to choose among several hundred measures, how to decide whether a given one needs to be implemented, and in what order to do it.
So, the organization needs to compensate adequately for the information security risks that arise while it carries out its business tasks. The hard part is determining the most cost-effective set of controls that will also actually be effective once implemented.
Since you have to start somewhere, grabbing at everything is unproductive, and everyone benefits from a common, reliable basis for further work, NIST developed three baseline sets of security controls. They are the starting point for the subsequent "tailoring" process (the document's own term; in context it means adapting or optimizing the set). The baselines differ in the criticality of the information system they are applied to, that is, the system that actually needs protecting. The specific starting set is chosen by the security category of the individual information system (or group of systems), determined in accordance with FIPS Publication 199 (you may recall that this is the first step of the Risk Management Framework discussed in the second part). The categorization process is described further below.
Naturally, it would be naive to expect that even one universal set of security measures (let alone three) could provide an appropriate level of security for an unbounded range of systems. Moreover, NIST positions its document as an extremely universal tool, suitable for large organizations and government agencies and almost for private use. So the essence of the baselines is in their name: they are the point from which you can and should start, especially if you have no idea which end of the stick to grab.
So there are three baselines, designed for systems of low, moderate and high criticality. To give the reader an approximate idea of the number of measures in each set (and, accordingly, of its robustness, though the relationship between the number of controls and the resulting security level is far from linear), here are some statistics:
- The LOW baseline contains about 110 security controls and about 10 control enhancements.
- The MODERATE baseline contains about 150 controls and several dozen enhancements.
- The most demanding HIGH baseline contains almost 170 controls, with the number of enhancements approaching a hundred.
Note that even the HIGH baseline is far from a complete list of all the security measures in NIST SP 800-53. These are only starting points that assume further tailoring, i.e. adapting the list to the needs of the particular organization, the specifics of individual information systems, and the environment they operate in.

* Mona Lisa only smiles silently about her secrets. You smile too *
Determining the criticality of an information system
Before choosing the appropriate baseline for the organization's information systems and their operating environment, you first need to determine the criticality of the information those systems will process, store or transmit. NIST documents call this process security categorization; it is described in FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. The title needs no explanation; everything is embarrassingly simple and resembles the names of the publications mentioned earlier. Categorization rests on assessing the potential adverse impact of a security breach (the loss of confidentiality, integrity or availability) on the organization and on individuals. The results let you choose the security controls needed for adequate protection by selecting the appropriate baseline. There are no new ideas here: it is a long-established principle, simply stated properly and fixed in an official document in a form uniform for everyone. Let's go over it briefly.
The FIPS 199 methodology
From the whole document I have selected only the substantive part for the reader and tried to arrange it as a short method. I consider it necessary to include it here, because it is the essential step from which building an information security program starts. It will be especially useful to those just getting acquainted with information security.
Security objectives
The security objectives (my free translation; since these terms appear only a few times and only within this document, I did not think it necessary to insist on a compact definition and convenient reusability) are the three basic properties of information: confidentiality, integrity and availability (I assume they need no introduction). The document then explains the loss of each of the three security objectives, i.e. what, for example, a loss of integrity is.
Potential impact levels
Three levels of potential impact from the loss of a security objective on the organization and on individuals are distinguished: low, moderate and high. The potential impact levels below should be assessed and assigned specifically for each organization according to its particular circumstances. I will try to squeeze the three definitions into one:
The potential impact is LOW / MODERATE / HIGH if
the loss of confidentiality, integrity or availability could be expected to have a limited / serious / severe or catastrophic adverse effect on the organization's operations, its assets, or individuals (these are the adjectives FIPS 199 itself uses).
The document also describes the three levels of adverse effect, but they are really only general formulations. As an example, I will give the description for the HIGH (severe or catastrophic) impact only. To describe the remaining levels, substitute the appropriate adjective, soften the consequences, and remove the loss of life.
A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity or availability could cause a severe degradation in or loss of mission capability, to an extent that the organization is not able to perform one or more of its primary functions; result in major damage to the organization's assets; result in major financial loss; or result in severe or catastrophic harm to individuals, involving loss of life or serious life-threatening injuries.

* Access control rules apply to everyone *
Security categories of information types
A security category can be assigned to an information type whether it is user information or system information, and whether the information is in electronic or non-electronic form (after all, many information systems leave digital media at least at the point where the printer cable is plugged in). The security categories of information types are then used to determine the security category of the information systems in which those types reside. Assigning an information type to a security category essentially requires assessing the potential impact of the loss of each of the three security objectives (confidentiality, integrity, availability) for that type of information.
The security category of an information type is written as follows:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the potential impact takes one of the values LOW, MODERATE, HIGH or NOT APPLICABLE. The value NOT APPLICABLE is permitted only for confidentiality (it is accepted that some information can be given to anyone without worrying about its confidentiality; even such information, however, must have minimum integrity and availability requirements, so those two objectives are never below LOW).
Note that this is not a formula but a vector (greetings to calculus and linear algebra). The braces here denote the combination of three characteristics. More in the example below.
Security categories of information systems
Determining the security category of an information system must take into account the security categories of all the information types resident on that system. For an information system, the potential impact of the loss of each of the three security objectives (confidentiality, integrity, availability) is the highest value of that objective's potential impact across the security categories of all information types resident on the system (FIPS 199 calls this the "high water mark").
The security category of an information system is written as follows:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the potential impact takes one of the values LOW, MODERATE or HIGH. For an information system the value NOT APPLICABLE is not permitted even for confidentiality, because a minimum level of security is required for the functioning of the system and for its system information.
Criticality of information types and information systems
The criticality of an information type or of an information system (its overall impact level) is the highest value of potential impact among the three security objectives in its security category.

* There is nothing old-fashioned about security *
Example
So that an understanding of this not-very-complicated and actually logical principle emerges from all the scary formulations and vectors, consider the following example.
There is an information system used in the organization's main business processes that contains both business-critical data on contracts and customers and ordinary system information. The organization's management decided that for information about contracts and customers the potential impact of a loss of confidentiality is moderate, of a loss of integrity is moderate, and of a loss of availability is low; for system information the potential impact of a loss of confidentiality, integrity and availability is low in each case. The security categories of the information types are therefore:
SC information about contracts and customers = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
SC system information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
Taking the highest value per objective across both types, the security category of the assessed information system is:
SC assessed system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
and its criticality (the highest of the three) is MODERATE, so the MODERATE baseline is the starting point for tailoring.
For ease of
Table 1. Security categories and criticality of the information types and the information system
| | Confidentiality | Integrity | Availability | Criticality |
|---|---|---|---|---|
| Contract and customer information | Moderate | Moderate | Low | Moderate |
| System information | Low | Low | Low | Low |
| Assessed system | Moderate | Moderate | Low | Moderate |
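The categorization rules above (the per-objective high water mark across information types, the NOT APPLICABLE value that is allowed for an information type's confidentiality but never for a system, and the overall criticality that selects the baseline discussed in the first section) are small enough to put in code, which makes them easy to apply to a real inventory of information types and to record the result in the FIPS 199 notation. The following Python is an added example written for this article, not code from NIST or from the original post. The function names, the `Impact` enum and the second sample system (a hypothetical public web server with a NOT APPLICABLE confidentiality value) are my own assumptions; the first sample reproduces the article's contracts-and-customers example.

```python
"""FIPS 199 security categorization worked through in code (added example).

Assumptions, not taken from FIPS 199 or the article: the names below are my
own, and the sample information types are constructed for illustration.
"""
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """Potential impact values from FIPS 199, ordered so that max() yields the
    high water mark. NOT_APPLICABLE is permitted only for the confidentiality
    objective of an information type, never for an information system."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Dict[str, Impact]


def info_type_category(confidentiality: Impact, integrity: Impact,
                       availability: Impact) -> SecurityCategory:
    """SC of an information type. Integrity and availability must be at least LOW."""
    if Impact.NOT_APPLICABLE in (integrity, availability):
        raise ValueError("only confidentiality may be NOT_APPLICABLE")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def system_category(info_types: Mapping[str, SecurityCategory]) -> SecurityCategory:
    """SC of an information system: for each objective, the highest impact across
    all information types resident on it. A system may not be NOT_APPLICABLE for
    any objective, so each objective is floored at LOW."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(max(cat[obj] for cat in info_types.values()), Impact.LOW)
            for obj in OBJECTIVES}


def criticality(sc: SecurityCategory) -> Impact:
    """Overall impact level: the high water mark over the three objectives."""
    return max(sc[obj] for obj in OBJECTIVES)


def select_baseline(info_types: Mapping[str, SecurityCategory]) -> str:
    """Name of the SP 800-53 baseline (LOW / MODERATE / HIGH) that is the
    starting point for tailoring, chosen by the system's criticality."""
    return criticality(system_category(info_types)).name


def fips199_notation(label: str, sc: SecurityCategory) -> str:
    """Render in the FIPS 199 form:
    SC label = {(confidentiality, X), (integrity, Y), (availability, Z)}"""
    parts = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample 1: the article's two information types.
ARTICLE_EXAMPLE = {
    "contracts and customers": info_type_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "system information": info_type_category(Impact.LOW, Impact.LOW, Impact.LOW),
}

# Constructed sample 2 (hypothetical): a public web server whose only content is
# public press releases. Confidentiality is NOT_APPLICABLE for the information
# type, yet the system's confidentiality still floors at LOW.
PUBLIC_WEB_SYSTEM = {
    "public press releases": info_type_category(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
}

if __name__ == "__main__":
    for system, types in (("assessed system", ARTICLE_EXAMPLE),
                          ("public web server", PUBLIC_WEB_SYSTEM)):
        for label, cat in types.items():
            print(fips199_notation(label, cat))
        print(fips199_notation(system, system_category(types)),
              "->", select_baseline(types), "baseline")
        print()
```

Running the script prints the article's vectors and the MODERATE baseline for the assessed system; the public web server also lands on the MODERATE baseline, driven entirely by integrity (defaced press releases are still a serious problem even though their confidentiality is not a concern), which is exactly the kind of result the high water mark rule is meant to surface.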