You need to do what best fits your business model and can have meaningful
implementation in your environment(s). Some organizations I know have a
3x4 classification scheme (C1-4,I1-4,A1-4). A secondary classification
combines these ratings to produce 'criticality.' Others have a 2x4,
separating out confidentiality and combining integrity and availability.
What would work for you?
Keep in mind how the classification will be used. It would make no sense
for an application with extremely high availability but no confidentiality
requirements to be subject to high confidentiality controls just because
it averages out to a "highly critical" application.
Using other ISF tools, criticality is derived from the overal potential
business impact of a compromise in C,I, or A as well as other factors. PWC
publishes an information security text that has a scheme for combining I
and A--although I'm not sure how well this would work in practice.
The ISF Standard does not specify the output of the classificaton scheme
for precisely this reason--the scheme needs to fit your organization.
-- Alan Willcox
The Vanguard Group
"The views expressed here are mine and do not reflect the official opinion
of my employer or the organization through which the Internet was
accessed."
"Nimrod Steinbock" <nsteinbock@ensuresoft.com>
10/26/2004 11:26 AM
Please respond to nsteinbock
To: <security-management@securityfocus.com>
cc: (bcc: Alan Willcox/Corp/VGI)
Subject: Security Classifications
Hello,
When dealing with security classifications, many risk management models
and security standards are referring both to system Criticality and
Sensitivity, and to system Confidentiality, Integrity, and Availability
requirements.
For example, from the ISF standard:
--------------
CB 5.2.2
The classification scheme should be used to determine varying levels of:
a) criticality of information or systems (e.g. 'critical', 'important
but not critical' or 'other')
b) sensitivity of information or systems (e.g. 'confidential', 'strictly
confidential' or 'top secret').
CB 5.2.3
Security classifications should:
a) take account of the possible business impact of a loss of
confidentiality, integrity or availability of information
--------------
I am not sure I understand the relation between the two classification
schemes. Is there a method to map between CIA requirements and the
Criticality\Sensitivity of systems?
Should I look at "Criticality" as a classification deriving from
"Availability" requirements, and at "Sensitivity" as a classification
deriving from "Confidentiality" and "Integrity" requirements?
If so, how do you map the two parameters (confidentiality and integrity)
into one classification (sensitivity),
max{integrity, confidentiality)?
Hope someone can clear this up.
Thanks,
Nimrod
