While I was slaving away last week, our friends over at NIST published a new version of SP 800-60. Go check it out at the NIST Pubs Page.
Now for those of you who don’t know what 800-60 is, go check out my 3-part special on the Business Reference Model (BRM), a primer on how SP 800-60 aligns FIPS-199 with the BRM, and a post on putting it all together with a catalog of controls.
And oh yeah, the obligatory press reference: Government Computer News.
Data Release Show photo by Discos Konfort.
So deep down inside, you have to be asking one question by now: “Why do we need SP 800-60?” Well, 800-60 does the following:
- Level-sets data criticality across the Government: Provides a frame of reference for determining criticality, i.e., if my data is more important than this but less important than that, then it’s a moderate for criticality.
- Counters the tendency to rate system criticality higher than it should be: Everybody wants to rate their system as high criticality because it’s the safe choice for their career.
- Protection prioritization: Helps us point out at a national level the systems that need more protection.
- Is regulations-based: The criticality ratings reflect laws and standards. For example, Privacy Act Data is rated higher for confidentiality.
All things considered, it’s a pretty decent system for Government use.
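As an added illustration (my own sample code, not anything from NIST or the original post), here is the FIPS-199 high-water-mark categorization that SP 800-60 feeds, including the regulation-based adjustment from the list above. The information types, their provisional impact levels and the Privacy Act confidentiality floor are constructed sample values, not entries from the SP 800-60 Volume II catalog.

```python
# Added example: FIPS-199 style security categorization of a system from the
# SP 800-60 information types it handles. All information types and impact
# levels below are CONSTRUCTED sample values, not SP 800-60 catalog entries.
from typing import Dict, Iterable, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Provisional (confidentiality, integrity, availability) impact per type.
PROVISIONAL: Dict[str, Tuple[str, str, str]] = {
    "billing records": ("moderate", "moderate", "high"),  # constructed
    "help desk tickets": ("low", "low", "low"),           # constructed
    "employee pii": ("low", "moderate", "low"),           # constructed
}

# Regulation-based adjustment: Privacy Act data is rated higher for
# confidentiality. Which types count, and the floor, are assumptions here.
PRIVACY_ACT_TYPES = {"employee pii"}
PRIVACY_CONF_FLOOR = "moderate"


def adjusted_impact(info_type: str) -> Tuple[str, str, str]:
    """Apply the regulatory confidentiality floor to a provisional rating."""
    c, i, a = PROVISIONAL[info_type]
    if info_type in PRIVACY_ACT_TYPES and LEVELS[c] < LEVELS[PRIVACY_CONF_FLOOR]:
        c = PRIVACY_CONF_FLOOR
    return c, i, a


def categorize_system(info_types: Iterable[str]) -> Dict[str, str]:
    """FIPS-199 high-water mark: per objective, the worst impact across all
    information types on the system; overall level is the worst objective."""
    worst = {obj: LEVELS["low"] for obj in OBJECTIVES}
    for info_type in info_types:
        for objective, level in zip(OBJECTIVES, adjusted_impact(info_type)):
            worst[objective] = max(worst[objective], LEVELS[level])
    result = {obj: NAMES[val] for obj, val in worst.items()}
    result["overall"] = NAMES[max(worst.values())]
    return result


if __name__ == "__main__":
    # A system holding every constructed type lands at High because of the
    # availability rating on billing records, not because someone felt safer.
    print(categorize_system(PROVISIONAL))
```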
Now this is where I have a bit of heartburn with GRC tools and data classification in general in the private sector–they classify the wrong things. How the vendors (not all of them, there is a ton of variation in implementation) want you to categorize your data:
- All other data types
How your CISO needs to categorize data to keep the business afloat:
- Data that gets you paid: If you’re a business, your #1 priority is getting money. This is your billing/AR/POS data that needs to keep going.
- Data that keeps you with a product to sell over the next week: usually ERP data, the stuff whose loss slows down the production line.
- Data that people want to rip off your customers: hey, almost all the regulated data (PCI-DSS, HIPAA, etc) fits in here.
- Data where people will rip you off: i.e., your internal financial systems. Typically this is SOX country.
I guess really it comes down to the differences between compliance and risk, but in this case, one version will keep you from getting fined, the other will keep your business running.
Posted in FISMA, NIST
Tags: 800-60 • C&A • catalogofcontrols • categorization • compliance • datacentric • fips-199 • fisma • government • infosec • infosharing • management • pii • privacy • risk • security