For lesson 1.3, we're gonna be talking about the risk management framework. We're not gonna go really in depth into this, but it's just good to understand where 800-53 sits in this framework and in the process. Cyber actually has a separate RMF lesson, or, sorry,
set of videos. You can actually go look at those if you want, if you get to the end of this and you feel like you need to learn a little bit more.
So we're gonna be, in this lesson, explaining what security categorization means and describing where 800-53 fits in the RMF process. And then I organized the legal framework, because it's good to understand how we got here and why 800-53 is mandated based on
the laws that were put in place. So here it is. Way back in 1996, the first was the IT Management Act. That was kind of the basis that started this.
And in 2002 there was FISMA, which is the Federal Information Security Management, and then the Modernization, Act. It was part of the E-Government Act.
It's what set the standards. Sorry, I said it set the standards, but it said, NIST, you must set the standards. NIST does standards for weights and measurements, everything like that. So they were tasked with setting the standards for cybersecurity.
There was a reform act in 2014 that modernized it a little bit more.
The next one, in 2004, was FIPS 199. FIPS is the federal information processing system.
This is just the documentation that set the standards, again, like I said, for cybersecurity. It said, this is what confidentiality means, this is what integrity means,
this is what low, moderate, high means.
And then the next portion was FIPS 200, where they said, okay,
we set the standards. Now here's what the minimum security requirements are that you need to meet in order to secure your system.
And you saw this with the control families on that previous slide, and we'll talk about those. Those were the minimum standards, and that's what NIST 800-53 used to then say, here's what the security families are, based on those minimum requirements.
And next, there were a couple of revisions of 800-37 and 800-53. First was 800-37, which is the RMF. We're gonna talk about that. That set up the whole life cycle of cybersecurity, from beginning a system, deciding its categorization,
implementing controls, testing them and running the system, all the way to decommission.
One thing you'll notice as you go through the NIST documentation is that SP, that's the Special Publication, that they all use. The 800 series is all related to cybersecurity, so you'll see that prefix all across them. And then in 2013, 800-53 came out. Sorry, that was one of the revisions,
and it's how they recommended security controls. So it came all the way from defining the standards, to setting the minimums, to here's what they actually are that you have to implement.
So I mentioned it a couple times. This is the RMF process. You've probably seen this before. There's six steps to the life cycle. We're on step two, but it's good to understand where we came from and where we're going. So, as I mentioned, FIPS 199 set the categorization. That's where
you look, you go through the process, and you say, this is a low, a moderate, or a high system,
and that has implications all throughout the whole life cycle. So when you go to step two and you pick the controls, there are baselines set, and they're dependent on that categorization. So the higher the categorization, the more controls you have to implement, the more money you have to spend, the more effort.
That's why I put this practitioner's note here: never over-categorize. There's no reason to do it.
Just trust the process. Go through FIPS 199; it says, this is your system. Do that. If you decide you want to do more, you're just gonna be spending extra time that may not be worth it.
I mentioned a couple times here that FIPS 199 set the standard. It's the security categorization for federal information and information systems.
It's in tandem with 800-60, which is some large volumes. You could take a look at those if you want
as well, but it defined the impact levels as low, moderate, high. It set what confidentiality, integrity, and availability mean within the security context.
Another note here is there's the idea of a high watermark in FIPS 199 and 200, which means whatever the highest level you set, the whole system is set to. So you actually have to set confidentiality, integrity, availability, and whether those are low, moderate, or high, and whichever one is the highest,
your whole system becomes that.
Through some definitions, just so we understand what
they mean. This is actually pulled from the information security definition in 44 U.S.C. Section 3 52
So confidentiality means preserving authorized restrictions on information access and disclosure.
They define integrity as guarding against improper information modification or destruction, and availability means ensuring timely and reliable access to and use of information.
As we go through, that's what those really mean.
And again, FIPS 200 then took those requirements and said, okay, here's the minimum that we need to secure a system. And there's a little formula on the right there, but that's really, as I mentioned, that you have to define the impact to confidentiality if it's compromised,
the impact if integrity is, or availability, and you have to set low, moderate, or high to all of those, and whichever is the highest, your whole system becomes that.
It was released as part of FISMA. They tied information security to risk, which was a concept we sort of understood but didn't really
document. So you go from vulnerability to what it actually means to the system, residual risk, like that.
It also, like I said, set the minimum security requirements, and the security categorization, which we'll keep talking about, is again that low, moderate, or high.
That's what your security categorization is.
And then, as I mentioned, those controls, or those minimum controls, became the control families for NIST.
So this is another idea that I just want you to understand: this tiered risk. At the top you have the organization. They have some risk, or they set certain standards. That's usually the policy, things like that, at the top level. You obviously wouldn't want
every system defining its own policy, how they assess risk, things like that, because then again you'd have this authorizing official who has all these different controls, different policies, and no way of looking across the portfolio and really understanding what risk means to them across the organization.
And those risks are inherited. So whatever the level above you says, I accept this risk, down at the lower level you're inheriting that risk as well.
But again, they're shared across the organization.
And in the middle tier you have the mission and the business processes. They have their own risks, a little bit below the organization level, and they may span multiple systems.
And then at the lower tier, you have the actual information systems, where they're implementing the controls in the operating systems, applications, whichever part you want to think about.
Another concept I want to make sure you understand is we manage risk; we don't fix it. Another fundamental NIST wants you to understand is that we may be able to fix some security or some risk, but you really want to manage it. You want compensating controls; you manage these controls so that we
reduce it to an acceptable level. You don't always have to spend all your time
completely eliminating risk, especially if you have some other mitigating controls
that make it less likely to impact the system.
The first one: I do a couple of quick quizzes throughout the lessons here. I'll read through it and give a slight pause, just in case you want to look at it yourself and maybe pause before I actually show the answer.
So which is the correct order to follow in RMF? Do we select, implement, categorize? Or do we categorize, select, implement? Or do we implement, select, categorize?
So the answer is categorize. If you remember from RMF, we have to categorize first. We have to say what it is first, before we even know what to select. And then we have to select the controls before we can actually implement them.