Difference between revisions of "Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 1"

(Added footnotes section.)
(Added first run of detailed comments for chapter.)

Revision as of 04:26, 16 December 2009

CHAPTER ONE

INTRODUCTION

Lines which read: "Information systems can include a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems)." The phrasing here doesn't clearly indicate that these are not systems in and of themselves. Given widespread confusion regarding how to determine boundaries, every effort should be made to prevent any confusion on this matter. Recommend sentences begin with a phrase like, "Information systems can include as constituent elements ..." Dan Philpott 04:26, 16 December 2009 (UTC)

    Is it really necessary to spell this out for readers of the document? Shouldn't we expect them to be able to ascertain what we meant from what we said? Dan Philpott 04:26, 16 December 2009 (UTC)

        No, assuming that a reader starting at the beginning isn't going to have their understandings colored by a misinterpretation here depends on an expectation that is unlikely to be met. Dan Philpott 04:26, 16 December 2009 (UTC)

1.1 BACKGROUND

Bullet point which reads: "Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;". The continuous monitoring described later in this document does not rise to the level of a robust continuous monitoring process which can support real-time risk management. Additional technical detail in support of continuous monitoring for real-time risk management needs to be included to support this concept later in this document. Dan Philpott 04:26, 16 December 2009 (UTC)

Line which reads: "... changes the traditional focus from the stove-pipe, organization-centric, static-based approaches to C&A ..." C&A was previously very system-centric and lacked the organization-centric functions of the new Risk Management Hierarchy. The adjective fest here seems a little out of place. It might be more accurate to describe C&A as a static, procedural activity which provided inadequate guidance to support ongoing risk-based decisions. Recommend dropping dramatic flourishes and having a simple statement that RMF moves the process of FISMA compliance away from a procedural, documentation-of-C&A focus to a process focused on risk management that leads to FISMA compliance. Dan Philpott 04:26, 16 December 2009 (UTC)


1.2 PURPOSE AND APPLICABILITY

Bullet point which reads: "To ensure that managing risk from the operation and use of federal information systems is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function);" The concept of mission/business objectives is not well defined in the RMF or SPs 800-30, 800-37 or 800-39. Recommend that, as this mission/business objective concept is central to understanding the risk posed by a failure in the security objectives for a system, a clear process for establishing the mission/business objectives for an organization in the context of information systems security should be described as part of the risk strategy established by senior leadership. Dan Philpott 04:26, 16 December 2009 (UTC)

Bullet point which reads: "To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results; and". The focus on the security authorization decision de-emphasizes awareness of and acceptance of risk. Speaking to the authorization decision emphasizes the process. Speaking to awareness of and acceptance of risk in consideration of whether to grant a security authorization emphasizes the management of risk. Recommend that, as RMF is trying to place the emphasis on risk management and away from the empty process of making a decision, this should be reworded to emphasize awareness of and acceptance of risk and relate the authorization decision only as a consequence of this awareness and acceptance.

1.3 TARGET AUDIENCE

1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION

Footnotes

A recurring problem with footnotes is that the definitions used here do not match the definitions provided by the glossary. Variation in definitions leads to confusion and the possibility of misinterpretation. The use of a single definition should be standard practice. Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 5: An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information." Recommend either referring readers to glossary for full definition or using full definition here "Information System [44 U.S.C., Sec. 3502] A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. [Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems.]" Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 6: A federal information system is defined as an information system used or operated by a federal agency, or by a contractor of a federal agency or by another organization on behalf of a federal agency." This definition varies a great deal from the definition in the glossary. Also, as no other footnoted definition uses 'is defined as' it is not recommended for use here. Recommendation: use definition from glossary as it uses the correct reference to executive agency and is a legal definition: "Federal Information System [40 U.S.C., Sec. 11331] An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency." Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 7: Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security." This phrase should be included in the glossary. Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 8: OMB Circular A-130, Appendix III, describes adequate security as security commensurate with risk. This risk includes both the likelihood and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information." The definition should be the same as the A-130 definition as the implication by reference is that this is the A-130 definition.

The glossary definition: "Adequate Security [OMB Circular A-130, Appendix III] Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information."

The A-130 definition: "adequate security" means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls. Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 9: Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of the likelihood of the circumstance or event occurring and of the resulting adverse impacts." Again the definition varies slightly from the definition in the glossary. This disparity can cause confusion and misinterpretation. The glossary definition also includes a modifying footnote detailing information system-related security risks which is what is intended to be discussed in this footnote. Recommendation is to stick with the glossary definition or come up with a hybrid definition including all the elements described and used both here and in the glossary. Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 10: Security categorization methodologies are described in CNSS Instruction 1253 for national security systems and in FIPS 199 for other than national security systems." Recommend rewording this for clarity: "Security categorization methodologies for national security systems are described in CNSS Instruction 1253. Security categorization methodologies for non-national security systems are described in FIPS 199." Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 12: Reciprocity of security authorization results is the mutual agreement among participating organizations to accept each other's security assessments in order to reuse information system resources and/or to accept each other's assessed security posture in order to share information. Reciprocity is best achieved by promoting the concept of transparency (i.e., making sufficient evidence regarding the security state of an information system available, so that an authorizing official from another organization can use that evidence to make credible, risk-based decisions regarding the operation and use of that system or the information it processes, stores, or transmits)." Different terms are used in the glossary and in this footnote, enterprise and organization respectively. Organization is more accurate, but reciprocity is defined in NIST SP 800-53r3 with the enterprise term. Recommend changing the glossary definition to use organization.

Also, parts of the Defense Security Service Glossary definition for reciprocity might be worth including in the definition, as the term will be used in the IC. "Recognition and acceptance, without further processing of: (1) security background investigations and clearance eligibility determinations. (2) accreditations of information systems; and (3) facility accreditations. Reciprocity is obligatory in the Intelligence Community when there are no waivers, conditions, or deviations to the Director of National Intelligence." Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 14: A federal information system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency." Recommend 'federal information system' should be italicized as it is a defined term. Dan Philpott 04:26, 16 December 2009 (UTC)

"Footnote 16: At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may also refer to this position as the Chief Information Security Officer." Recommendation: Drop the word "may" from the second sentence, as it implies NIST is allowing organizations to do this. "Organizations also refer" works. Dan Philpott 04:26, 16 December 2009 (UTC)