FISMA and the NIST security standards: one nation, one IT security framework
It seems that 2005 was the year of the lost backup tape - between high-profile losses from Ameritrade, Bank of America, and Citigroup, identity information for more than 4.3 million customers was potentially exposed due to tapes missing in transit. These losses were even more embarrassing because the backup data was not encrypted and could have been read by anyone with the right equipment. Even locally we've seen some unfortunate losses: In June, the Denver Election Commission disclosed that it lost microfilmed voter registration records - including Social Security Numbers - when it moved offices in February of this year.

The Federal Information Security Management Act (FISMA) of 2002 provides guidelines that help prevent incidents such as these. Although its focus is on government entities, the NIST standards that implement FISMA are publicly available, and organizations of all types can benefit from their framework and comprehensive approach.

One standard for federal government security
FISMA is the Act of Congress, and its associated compliance standards are drafted by NIST, the National Institute of Standards and Technology. Whereas regulations such as HIPAA dictate how particular information should be handled, FISMA provides guidance for an entire IT operation, from managing cryptographic keys to temperature and humidity controls.

The current phase of FISMA (2003-2006) is focused on developing a set of security standards and guidelines for implementing them (Figure 1). The second phase (2006-2008) will develop a program to qualify organizations for providing security assessment services to federal agencies. The last phase of FISMA (2008-2009) will develop a program for validating commercial and government security tools through the use of accredited testing laboratories. Organizations covered by FISMA must comply with each NIST standard within a year after it is finalized.

All U.S. government agencies must comply with FISMA, with the exception of systems identified as national security systems. Each government agency must develop, document, and implement an organization-wide plan for the systems that support its operations, including those that are outsourced to another agency or contractor. You are required to comply with FISMA if you're a government agency or if a government agency contracts IT operations to you. Even if you don't fall into these two categories, FISMA contains so many useful guidelines that you can use it as a self-assessment tool, if not as a blueprint for developing and implementing your own comprehensive security plan.

A pragmatic, risk-based approach
The standards developed by NIST take the perspective that IT security involves appropriate, efficient, and cost-effective risk management. NIST proposes the following approach:

  • Categorize the risks of your systems and the information contained in them from the point of view of confidentiality, integrity, and availability.
  • Select and tailor a set of security controls based on the risk assessment of low, moderate, or high.
  • Supplement the initial set of controls based on site-specific needs, for example the knowledge of specific threats or special circumstances.
  • Document the controls and the rationale for choosing them in a system security plan.
  • Implement the controls.
  • Assess whether the controls you implemented operate correctly and are sufficient.
  • Determine the risk that operating, or continuing to operate, the information system presents to organizations, their assets, or individuals.
  • Authorize the system's operation or continued operation.
  • Monitor the security controls on a continuous basis.

NIST provides standards documents to help with every step in this process, including categorizing the risk level of systems, selecting security controls, assessing security controls, and certifying and accrediting systems. NIST hopes that FISMA will raise the overall level of security across the federal government's critical infrastructure by promoting this risk-based approach consistently across all agencies. By helping each agency to better understand the risks associated with its IT systems, diligence will increase and the result will ultimately be a more secure IT infrastructure.

Some FISMA specifics
If you Google "FISMA," the first thing you'll find is a lot of vendors selling products to help agencies implement their security plans and controls. Don't let the bewildering array of document numbers deter you from forging ahead and looking at the original sources. There is a wealth of useful best-practices information in them.

NIST's home page for FISMA is at http://csrc.nist.gov/sec-cert/. If you click on "Risk Framework," you'll see the list of documents that support each of the nine steps outlined above. The first two steps are to categorize your information systems and then select the security controls that are appropriate to mitigate the risk that they present. This is the core of the risk-based approach.

Categorizing your systems
A risk-based approach begins with assessing risk, and Federal Information Processing Standard (FIPS) 199 defines the criteria for doing so. The corresponding NIST Special Publication (SP) 800-60 provides guidelines for applying the FIPS 199 criteria to the kinds of information an agency handles. FIPS 199 considers both IT systems and the information stored on them. For each of the three objectives in the now ubiquitous C-I-A security triad, you rate a system or information type as low, moderate, or high depending on whether the potential impact of a breach of that objective is limited, serious, or severe to catastrophic (Figure 2):

  • Confidentiality considers the unauthorized disclosure of information.
  • Integrity covers the unauthorized modification or destruction of information.
  • Availability takes into account the impact of a disruption of access to or use of the information in an IT system.

A system's rating for each objective is the highest rating of any information type it holds (FIPS 199 calls this the "high water mark"), and the overall category used to pick a control baseline is the highest of the three. Note that "not applicable" is allowed only for the confidentiality of public information; a system as a whole is never rated below low, because its own configuration and processing functions always need some protection.
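The high water mark rule is simple enough to encode. The following is an added example, not code from the article or from NIST: it takes the per-objective impact levels of each information type on a system, applies the FIPS 199 rules (high water mark per objective, "not applicable" only for confidentiality, low minimum for the system), and prints the category in the FIPS 199 notation. The information types and their impact levels are constructed for illustration, not taken from SP 800-60.

```python
from enum import IntEnum
from typing import Dict, Optional

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type: objective -> impact level, or None for "not applicable".
InfoType = Dict[str, Optional[Impact]]

def validate_info_type(name: str, levels: InfoType) -> None:
    """FIPS 199 permits 'not applicable' (None) only for confidentiality."""
    for objective in OBJECTIVES:
        if objective not in levels:
            raise ValueError(f"{name}: no impact level given for {objective}")
        if levels[objective] is None and objective != "confidentiality":
            raise ValueError(f"{name}: 'not applicable' is only allowed for confidentiality")

def categorize_system(info_types: Dict[str, InfoType]) -> Dict[str, Impact]:
    """Per-objective high water mark over every information type on the system.

    A system is never rated below LOW, even if every information type it holds
    is public (confidentiality 'not applicable'): the system's own configuration
    and processing functions still need protection.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    category: Dict[str, Impact] = {}
    for objective in OBJECTIVES:
        levels = []
        for name, lv in info_types.items():
            validate_info_type(name, lv)
            if lv[objective] is not None:
                levels.append(lv[objective])
        category[objective] = max(levels, default=Impact.LOW)
    return category

def overall_impact(category: Dict[str, Impact]) -> Impact:
    """The single level (high water mark of the three) used to pick a control baseline."""
    return max(category.values())

def format_category(system_name: str, category: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation: SC system = {(objective, level), ...}."""
    pairs = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{pairs}}}"

# Constructed sample (hypothetical levels, not SP 800-60 values): a voter
# registration system that also publishes public election notices.
SAMPLE_SYSTEM: Dict[str, InfoType] = {
    "voter registration records": {
        "confidentiality": Impact.MODERATE,   # contains Social Security Numbers
        "integrity": Impact.MODERATE,         # altered rolls could disenfranchise voters
        "availability": Impact.LOW,           # outages are an inconvenience, not a crisis
    },
    "public election notices": {
        "confidentiality": None,              # public information: not applicable
        "integrity": Impact.LOW,
        "availability": Impact.LOW,
    },
}

def categorize_sample() -> str:
    return format_category("voter registration system", categorize_system(SAMPLE_SYSTEM))

if __name__ == "__main__":
    print(categorize_sample())
    print("overall:", overall_impact(categorize_system(SAMPLE_SYSTEM)).name)
```

Running it prints the moderate/moderate/low category for the sample system and an overall level of MODERATE, which is the baseline you would then look up in FIPS 200 and SP 800-53. Notice that the public notices did not lower the confidentiality rating, and that a system holding only public information would still come out LOW rather than "not applicable".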

Choosing security controls
Most interesting is the set of concrete guidelines that NIST provides in the form of recommended security controls for the impact level you've assessed. FIPS 200 provides the actual standard, and NIST SP 800-53 provides guidelines for implementing it. These documents provide a wealth of best-practices information that you can use to assess your own IT operations, and that you can use as guidance for securing your own systems, whether you're a government agency, a contractor, or neither.

If you look at the summary of minimum security requirements in FIPS 200, you'll appreciate how broadly the standard covers IT operations, including access control, audits, backups, contingency planning, incident response, media protection, physical plant, and training. The real meat is in the guidelines document, NIST SP 800-53. The document's Appendix D gives a summary of the security controls recommended for each level of risk, and Appendix F provides a detailed description of each one. When you scratch the surface you'll see that NIST has thought of just about everything, from employees connecting their laptops to internal networks to mitigating the risk of water damage.

Pick a control that interests you. For example, backup (CP-9) is a topic dear to all of our hearts. This control says that low-risk systems should have backups, and off-site backups if needed, that are consistent with the organization's recovery-time and recovery-point objectives. The control suggests considering backup transfer rates and encryption when transferring to another facility, either physically or electronically. Moderate-risk systems additionally should encrypt their backups, and they should regularly test them to ensure both media reliability and information integrity. For high-risk systems, backups also should be restored to test that they can be used in the event of a site failure, and they should be stored off-site or in fireproof containers. Had the tape losses described at the start of this article involved encrypted media, they would have been a logistics problem rather than a disclosure.

A great step forward
We believe that FISMA is a great step forward, and the standards that NIST has created are consistent with the methodology and values that Applied Trust promotes: establish a risk-based security policy, implement it, audit it, test it, and continue to refine it as your requirements, applications, and systems change. NIST SP 800-53 covers many of the essentials that we discuss with our clients and in The Barking Seal. Although we can find holes here and there, it is a good compendium of best-practices information. Regardless of what type of organization you work in, FISMA can provide all of us with a comprehensive set of security controls to consider.