2.0 Categorize the System (Including HVA's)

1 hour 45 minutes
Video Transcription
Hi everyone, and welcome to Risk Management Framework for Executive Management. This is lesson 2.0, where we're going to categorize the system.
So our learning objectives for this video are going to be where the categorization step fits into RMF. We're also going to look at what tasks are associated with the categorization step, as well as how executive leadership can support the team to categorize the systems properly.
So we're going to talk about the definition from NIST Special Publication 800-37 Rev 2 as it relates to the categorization step.
The purpose of the categorization step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems. And again, that's directly from NIST SP 800-37.
So why do we need to categorize? It's really important to understand the differences between a system rated high and a system rated low. For any kind of system, you want to make sure that you're categorizing it properly, and you need to understand that risk. You don't want to implement too many security controls, and you don't want to implement too few, so you want to make sure you find that good balance when you're categorizing your system.
So the tasks that are associated with the categorization step are going to be the system description, the security categorization, and then the review and approval.
For the description, we just want to make sure that we're documenting what we're actually categorizing: what's the system that we're talking about? And for the actual security categorization, we want to make sure that we're including the information that's processed by the system, not just the system itself. So whether it's Windows or Mac or Linux, whatever type of system you're talking about, but also what data is going to be flowing through that system or stored on that system.
And then when we're talking about review and approval, of course, that will be the decision by the senior leaders. So executive management, your system, or any security management that might be involved.
So when we're talking about the system description, there are a lot of inputs that are going to go into this. We're talking about the system design and the authorization boundary. So how much does my system encompass, and where do I set those limits for what I'm actually talking about with the system?
So again, as we mentioned in previous lessons, this includes security and privacy requirements. We're going to be talking about the system element information, as well as the inventory or supplier information. So it's going to include any of your vendors if you're using outside products or applications, and also the data map of the information lifecycle. That's really important. So when we're talking about that process information: is it stored? Is it transmitted? Is it going through the system? And then who are our users? What are their roles going to be? Are we going to be using any groups for the system?
That's all going to be the inputs that go into the system description.
So our expected outputs are going to be the actual documented system description, so that we have that full baseline knowing what our actual system is.
And for the responsibilities and supporting roles, we're going to be talking about the authorizing official (AO) and any designated representative that may be working with the AO. You're going to see that term come up a lot, designated representatives. So it could be someone that the AO has said, hey, you know, you're okay, you can authorize this system too.
And then the information owner and any security or privacy officers that may be involved in this system categorization.
So, quiz: who should be the main players in the categorization step?
We know, as we talked about before, it's going to be a couple of different people. We're going to be talking about security and privacy officers. I think that's important to note, to make sure that we are involving those privacy officers when we're talking about categorizing our system, and of course the information owner or the system owner.
Okay, so some of the other possible inputs we're going to be talking about when we're categorizing the system, when we're talking about the security categorization:
We're talking about a risk management strategy. So what is our actual risk management strategy at the organizational level? How are we going to put that into categorizing the system?
And again, the information that's going to be processed or transmitted, anything that's going to go through the system. We want to make sure we understand what that means to our security categorization.
What's the environment? Where is this operating? Is this in a data center? Is this in the cloud? Where is it?
Does it contain mission information? What mission information is relevant to the system?
A business impact analysis, which we've mentioned in previous steps, can be really crucial and important in this categorization step, making sure we understand what impact the system has on our overall organization. And obviously, as executive management, we want to understand that risk.
And then the purpose for the operation of the system. Why do we need this? What's it going to do to improve functionality or business processes?
So our expected outputs for the security categorization task:
We're thinking about the CIA triad, so confidentiality, integrity, and availability. We're looking at the impact level determination.
So we're looking at that based on the impact levels, like our impact analysis that we talked about before. And we're going to have the system owner involved as far as responsibilities and supporting roles, as well as any senior official for risk management. So if you have a risk management executive, they're going to be really involved in this security categorization.
Your CIO will be involved as well, and again, your security or privacy officers will need to play a role in this security categorization.
Quiz: so what are some issues which could arise if categorization is not done properly?
So this is kind of a thinking one. It's like, well, you know, if we don't categorize the system properly, maybe we're not adding the proper controls to it. Maybe it's not as secure as it should be. If we're transmitting data through it or storing data on there, what kind of data are we storing?
So it's good to make sure that we're categorizing the system properly, so we're securing it properly.
Okay, so review and approval.
So our inputs for this task are going to be the impact levels for each information type and the confidentiality, integrity, and availability objectives.
So our security categorization from the previous step, we're going to use that as an input into our review and approval process, as well as high value assets. Do we have any high value assets? Is that needed in this scenario when we're categorizing? So it's important to look at that while we're reviewing and approving the system.
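To make the impact level determination and the review-and-approval inputs above concrete, here is an added example (not from the course or from NIST) that rolls per-information-type CIA impact levels up to a system security category using the FIPS 199 high-water mark. The information types, their impact levels, and the benefits-payment system are constructed sample values; the HVA question stays a separate judgement and is not computed.

```python
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, ordered so the "high-water mark" is simply max().
LEVELS = ["LOW", "MODERATE", "HIGH"]

@dataclass
class InformationType:
    """One information type the system processes, stores or transmits."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _highest(levels) -> str:
    return max(levels, key=LEVELS.index)

def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Roll each CIA objective up to the FIPS 199 high-water mark across information types."""
    if not info_types:
        raise ValueError("system description lists no information types")
    for t in info_types:
        for lvl in (t.confidentiality, t.integrity, t.availability):
            if lvl not in LEVELS:
                raise ValueError(f"{t.name}: unknown impact level {lvl!r}")
    return {obj: _highest(getattr(t, obj) for t in info_types)
            for obj in ("confidentiality", "integrity", "availability")}

def overall_impact(category: Dict[str, str]) -> str:
    """A system's overall impact level is the highest of its three objectives."""
    return _highest(category.values())

def security_category(info_types: List[InformationType]) -> str:
    """The SC line that goes into the review-and-approval package."""
    c = categorize_system(info_types)
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}; "
            "overall %s" % (c["confidentiality"], c["integrity"],
                            c["availability"], overall_impact(c)))

# Constructed sample: a hypothetical benefits-payment system with three information types.
# Whether it is also an HVA is a separate judgement about mission impact, not computed here.
SAMPLE_TYPES = [
    InformationType("Public web content", "LOW", "MODERATE", "LOW"),
    InformationType("Beneficiary PII", "HIGH", "MODERATE", "LOW"),
    InformationType("Payment instructions", "MODERATE", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    print(security_category(SAMPLE_TYPES))
```

Note that a single HIGH on one objective for one information type drives the whole system to HIGH for that objective, which is exactly why the lesson stresses listing the information processed, not just the platform.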
So to give a little bit more information about what an HVA is, I included the definition here from DHS, from their security high value assets documentation.
So HVAs are federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to United States national security interests, etcetera. So a high value asset is something that's got really critical data on it that we need to make sure that we're protecting properly.
So review and approval. Obviously the expected output would then be approval of the security categorization. That means everybody's on board, they understand why we categorized the system the way we did, and we're okay with it.
So primary responsibility is again going to be that authorizing official, or AO, or someone that they designated to say yes, they can sign off on this.
So some of the supporting people would be your risk management executives, anyone in the executive suite who has risk management experience or expertise, and your CIO.
So executive leadership. What do I really need to know as an executive for the categorization step?
It's really important to understand which systems you have. So do I have any high value assets? If I do, am I securing them properly? How am I securing them?
Which teams and leaders should you have in each sector to address these tasks? You're going to see this as a running theme, but make sure you have the right people on the right teams to make sure that you're securing these properly.
And are the systems categorized to ensure the value of the system is properly defined? It's really important to understand, if this system was compromised, what kind of impact would that have on our organization? So it's important as an executive to say, okay, I know these are my high value assets, or I know these ones I'm not as concerned about; it's okay, the risk is a lot lower over here.
So it's really important to understand that.
All right. So in this video, we talked about the definition of the categorization step. We talked about what tasks are associated with the categorization step in the Risk Management Framework. We also talked about some of the takeaways that senior leadership needs from the step, so making sure that we're categorizing properly so that we're securing properly,
and then what an HVA is and how it would affect categorization or my organization, making sure that I understand what a high value asset is and whether I have any in my environment.