Industry:Project Review/NIST SP 800-37r1 FPD Chapter 2 - Revision history

Dan Philpott: /* 2.3.2 Boundaries for Complex Information Systems (System of Systems) */

2009-12-08T03:40:24Z

‎2.3.2 Boundaries for Complex Information Systems (System of Systems)

Dan Philpott: Uploaded images and edited links to make them work properly

2009-12-08T03:13:37Z

Uploaded images and edited links to make them work properly

Dan Philpott: Initial add for GIC review of NIST SP 800-37r1 FPD

2009-12-04T05:27:36Z

Initial add for GIC review of NIST SP 800-37r1 FPD

Show changes

@@ Line 94: / Line 94: @@
-In the above example, an information system contains a system guard that monitors the flow of information between two local area networks. The information system, in this case, can be partitioned into multiple [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] components: (i) [http://fismapedia.org/index.php?title=Term:Local_Area_Network local area network] one; (ii) [http://fismapedia.org/index.php?title=Term:Local_Area_Network local area network] two; (iii) the system guard separating the two networks; and ([http://fismapedia.org/index.php?title=AnA:IV iv]) several dynamic subsystems that become part of the system at various points in time (see Section 2.3.3). Each [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] component within the information system may be categorized individually. The [http://fismapedia.org/index.php?title=Term:Security_Categorization security categorization] of the information system is determined by taking into consideration all of the individual [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] categorizations. When all subsystems within the information system have completed the [http://fismapedia.org/index.php?title=Term:Security_Control_Assessment security control assessment], an additional [http://fismapedia.org/index.php?title=Term:Assessment assessment] is performed on the system-level [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] not covered by the individual [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] assessments, and the results are bu, the determination of subsystems is established at system initiation and maintained throughout the [http://fismapedia.org/index.php?title=Term:Life_Cycle life cycle] of the system. However, there are some instances, most notably in [http://fismapedia.org/index.php?title=Term:Net-Centric net-centric] [http://fismapedia.org/index.php?title=Term:Architectures architectures] (e.g., cloud computing, service-oriented [http://fismapedia.org/index.php?title=Term:Architectures architectures]),<ref>A [http://fismapedia.org/index.php?title=Term:Net-Centric net-centric] [http://fismapedia.org/index.php?title=Term:Architecture architecture] is a complex system of systems comprised of subsystems and services that are part of a continuously-evolving, complex community of people, devices, information and services interconnected by a network that enhances [http://fismapedia.org/index.php?title=Term:Information_Sharing information sharing] and collaboration.</ref> where the subsystems that compose the system may not be present at all stages of the [http://fismapedia.org/index.php?title=Term:Life_Cycle life cycle]. Some subsystems may not become part of an information system until sometime after system initiation, while other subsystems may leave the system sometime prior to system [http://fismapedia.org/index.php?title=Term:Termination termination]. Generally, this will not impact the external [http://fismapedia.org/index.php?title=Term:Boundary boundary] of the information system if the dynamic subsystems are in the system design and the appropriate [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] are reflected in the [http://fismapedia.org/index.php?title=Term:Security_Plan security plan]. But it does impact the subsystems that exist within the [http://fismapedia.org/index.php?title=Term:Boundary boundary] at any given point in time.
+In the above example, an information system contains a system guard that monitors the flow of information between two local area networks. The information system, in this case, can be partitioned into multiple [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] components: (i) [http://fismapedia.org/index.php?title=Term:Local_Area_Network local area network] one; (ii) [http://fismapedia.org/index.php?title=Term:Local_Area_Network local area network] two; (iii) the system guard separating the two networks; and ([http://fismapedia.org/index.php?title=AnA:IV iv]) several dynamic subsystems that become part of the system at various points in time (see Section 2.3.3). Each [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] component within the information system may be categorized individually. The [http://fismapedia.org/index.php?title=Term:Security_Categorization security categorization] of the information system is determined by taking into consideration all of the individual [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] categorizations. When all subsystems within the information system have completed the [http://fismapedia.org/index.php?title=Term:Security_Control_Assessment security control assessment], an additional [http://fismapedia.org/index.php?title=Term:Assessment assessment] is performed on the system-level [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] not covered by the individual [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] assessments, and the results are bundled together into the authorization package and presented as evidence to the authorizing official.
 Dynamic subsystems that become part of an organizational information system at various points in time may or may not be under the direct control of the organization. These subsystems may be provided by external providers (e.g., through contracts, interagency agreements, [http://fismapedia.org/index.php?title=Term:Lines_of_Business lines of business] arrangements, licensing agreements, and/or [http://fismapedia.org/index.php?title=Term:Supply_Chain supply chain] exchanges). Regardless of whether the [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] is or is not controlled by the organization, the expectations of its capabilities have to be considered. The dynamic inclusion or exclusion of the subsystems may or may not require reassessment of the information system as a whole. This is determined based on constraints and assumptions (e.g., functions the subsystems perform, connections to other subsystems and other information systems) imposed upon the subsystems at system design and incorporated in the [http://fismapedia.org/index.php?title=Term:Security_Plan security plan]. So long as the subsystems conform to the identified constraints and assumptions, they can be dynamically added or removed from the information system without requiring reassessments of the system.
 As noted above, the assumptions and constraints on the dynamic subsystems are reflected in the information system design and the [http://fismapedia.org/index.php?title=Term:Security_Plan security plan]. The determination as to whether the subsystems conform to the assumptions and constraints is addressed during the continuous monitoring phase of the [http://fismapedia.org/index.php?title=Term:Risk_Management risk management] process. Depending upon the nature of the subsystems (including the functions, connections, and relative trust relationships established with the [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] providers), the determination of conformance may be performed in a manual or automated manner, and may occur prior to, or during the [http://fismapedia.org/index.php?title=Term:Subsystem subsystem] connecting/disconnecting to the information system.
 == 2.4 SECURITY CONTROL ALLOCATION ==

@@ Line 18: / Line 18: @@
-[http://fismapedia.org/index.php?title=Image:80037r1FPD_Figure2-1.png|500px|thumb|center|FIGURE 2-1: HIERARCHICAL RISK MANAGEMENT APPROACH]
+[[Image:80037r1FPD_Figure2-1.png|500px|thumb|center|FIGURE 2-1: HIERARCHICAL RISK MANAGEMENT APPROACH]]
@@ Line 43: / Line 43: @@
-[http://fismapedia.org/index.php?title=Image:80037r1FPD_Figure2-2.png|500px|thumb|center|FIGURE 2-2: RISK MANAGEMENT FRAMEWORK]
+[[Image:80037r1FPD_Figure2-2.png|500px|thumb|center|FIGURE 2-2: RISK MANAGEMENT FRAMEWORK]]
@@ Line 91: / Line 91: @@
 *    [http://fismapedia.org/index.php?title=Term:Security_Authorization Security authorization] conducted on the information system as a whole.
-[http://fismapedia.org/index.php?title=Image:80037r1FPD_Figure2-3.png|500px|thumb|center|FIGURE 2-3:  DECOMPOSITION OF COMPLEX SYSTEMS]
+[[Image:80037r1FPD_Figure2-3.png|500px|thumb|center|FIGURE 2-3: DECOMPOSITION OF COMPLEX SYSTEMS]]
@@ Line 105: / Line 105: @@
 There are three types of [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] for information systems that can be employed by an organization: (i) ''system-specific controls'' (i.e., controls that provide a security capability for a particular information system only); (ii) ''common controls'' (i.e., controls that provide a security capability for multiple information systems); or (iii) ''hybrid controls'' (i.e., controls that have both system-specific and common characteristics).<ref>NIST [http://fismapedia.org/index.php?title=Doc:Special_Publication_800-53 Special Publication 800-53] provides additional guidance on [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] for organizational information systems.</ref> As illustrated in Figure 2-4, [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] are allocated to organizational information systems as system-specific, hybrid, or common controls. The allocation of [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] is consistent with the organization's [http://fismapedia.org/index.php?title=Term:Enterprise_Architecture enterprise architecture] and information security [http://fismapedia.org/index.php?title=Term:Architecture architecture]. As part of the information security [http://fismapedia.org/index.php?title=Term:Architecture architecture], organizations are encouraged to identify and implement [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] that can support multiple information systems efficiently and effectively as a common capability (i.e., common controls). When these controls are used to support a specific information system, they are referenced by that specific system as ''inherited controls''. Common controls promote more cost-effective and consistent information security across the organization and can also simplify [http://fismapedia.org/index.php?title=Term:Risk_Management risk management] activities. By allocating [http://fismapedia.org/index.php?title=Term:Security_Controls security controls] to an information system as system-specific controls (e.g., [http://fismapedia.org/index.php?title=Term:Access_Controls access controls], [http://fismapedia.org/index.php?title=Term:Identification_and_Authentication identification and authentication] controls, system communications and protection controls, audit controls), as hybrid controls (e.g., [http://fismapedia.org/index.php?title=Term:Contingency_Planning contingency planning] controls), or as common controls that are inherited (e.g., physical and environmental protection controls, awareness and training controls, [http://fismapedia.org/index.php?title=Term:Personnel_Security personnel security] controls), the organization assigns responsibility to specific organizational entities for the development, implementation, [http://fismapedia.org/index.php?title=Term:Assessment assessment], authorization, and monitoring of those controls.
-[http://fismapedia.org/index.php?title=Image:80037r1FPD_Figure2-4.png|500px|thumb|center|FIGURE 2-4:  SECURITY CONTROL ALLOCATION<ref>Security plans, security assessment reports, and plans of action and milestones are critical outputs from the RMF used to manage risk associated with the operation of information systems. See Appendix F for additional information.</ref>]
+[[Image:80037r1FPD_Figure2-4.png|500px|thumb|center|FIGURE 2-4: SECURITY CONTROL ALLOCATION<ref>Security plans, security assessment reports, and plans of action and milestones are critical outputs from the RMF used to manage risk associated with the operation of information systems. See Appendix F for additional information.</ref>]]