Security Objectives for Information Types
Security Objectives for Information Types is a critical concept within the Certified in Governance, Risk and Compliance (CGRC) framework, particularly when defining the scope of an information system. It involves categorizing and assigning appropriate security objectives to the various types of information processed, stored, or transmitted by a system.
Information types refer to specific categories of data used within an organization, such as financial records, personally identifiable information (PII), health records, administrative data, or mission-critical operational data. Each information type carries different levels of sensitivity and importance to the organization.
The three core security objectives applied to information types align with the CIA triad:
1. **Confidentiality** - Ensuring that information is protected from unauthorized disclosure. For example, classified government data or trade secrets require high confidentiality protections.
2. **Integrity** - Ensuring that information is protected from unauthorized modification or destruction. Financial transaction records, for instance, require high integrity to maintain trust and accuracy.
3. **Availability** - Ensuring that information and systems are accessible and usable when needed. Emergency response systems, for example, demand high availability.
Each information type is assessed against these three objectives and assigned an impact level of Low, Moderate, or High based on FIPS 199 and NIST SP 800-60 guidelines. This process helps determine the potential impact on organizational operations, assets, or individuals if a security breach occurs.
The categorization process involves identifying all information types within the system boundary, evaluating the provisional impact levels using NIST SP 800-60 as a guide, and then adjusting those levels based on organizational context, mission requirements, and environmental factors. This systematic approach ensures that security controls are proportionate to the risk associated with each information type. It directly influences the overall system categorization, which subsequently determines the baseline security controls required. Properly defining security objectives for information types is foundational to effective risk management and ensures resources are allocated efficiently to protect the most critical assets.
Security Objectives for Information Types – A Comprehensive Guide
Introduction
Security objectives for information types are a foundational concept in governance, risk, and compliance (GRC), particularly relevant to frameworks such as NIST SP 800-60 and the Federal Information Processing Standards (FIPS) 199. Understanding how to assign security objectives to information types is critical for determining the overall security categorization of an information system, which in turn drives the selection of security controls and the level of protection required.
Why Is This Important?
Security objectives for information types matter because they directly influence:
• System Categorization: The security category of an information system is derived from the security objectives assigned to the information types processed, stored, or transmitted by that system. This categorization (Low, Moderate, or High) determines the baseline set of security controls that must be implemented.
• Resource Allocation: Organizations must allocate resources efficiently. By understanding the impact levels associated with different information types, organizations can prioritize spending and effort on the systems and data that require the most protection.
• Regulatory and Legal Compliance: Many regulations (e.g., FISMA, HIPAA, SOX) require organizations to classify and protect information appropriately. Security objectives for information types provide a standardized methodology for achieving this.
• Risk Management: Properly identifying the security objectives helps organizations understand and manage risk effectively, ensuring that the right level of protection is applied to the right data.
• Consistency and Standardization: Using a structured approach to defining security objectives ensures consistency across the enterprise and enables meaningful comparisons between systems.
What Are Security Objectives for Information Types?
Security objectives refer to the three pillars of information security, commonly known as the CIA Triad:
1. Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
2. Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
3. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
An information type is a specific category of information (e.g., medical records, financial transactions, authentication data, public affairs information) as defined by an organization or, in the federal context, by guidance such as NIST SP 800-60 and the Office of Management and Budget (OMB) Circular A-130.
For each information type, the organization must assign a potential impact level — Low, Moderate, or High — for each of the three security objectives (Confidentiality, Integrity, and Availability).
How Does It Work?
Step 1: Identify Information Types
The first step is to identify all the information types that are processed, stored, or transmitted by the information system. NIST SP 800-60 Volume II provides an extensive catalog of information types organized by mission-based and management-and-support categories. Examples include:
• Budget formulation
• Payroll management
• Law enforcement investigation information
• Health care information
• Authentication credentials
Step 2: Assign Impact Levels to Each Security Objective
For each information type, determine the potential impact on the organization and individuals if there is a loss of confidentiality, integrity, or availability. The impact levels are defined by FIPS 199:
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
This yields a security category expression for each information type in the format:
SC (information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
For example:
SC (patient medical records) = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
Step 3: Determine the Overall System Security Category
When a system processes multiple information types, the overall system security categorization is determined by taking the high-water mark (the highest impact level) across all information types for each security objective. The formula from FIPS 199 is:
SC (system) = {(confidentiality, MAX), (integrity, MAX), (availability, MAX)}
Where MAX is the highest value assigned across all information types for that particular security objective.
For example, if a system processes three information types:
• Type A: {(C: Low), (I: Moderate), (A: Low)}
• Type B: {(C: Moderate), (I: Low), (A: High)}
• Type C: {(C: Low), (I: High), (A: Moderate)}
The system security category would be:
SC (system) = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}
The overall impact level of the system is then the highest value among the three objectives, which in this case is HIGH.
Step 4: Select Security Controls
Based on the overall system categorization, the organization selects the appropriate baseline security controls from NIST SP 800-53. A HIGH system requires significantly more rigorous controls than a LOW system.
Step 5: Review and Adjust (Tailoring)
Organizations may adjust provisional impact levels based on:
• Situational and environmental factors
• Legal and regulatory requirements
• Mission criticality
• Organizational policy
This is sometimes called tailoring or scoping. However, organizations generally cannot lower the impact level below the recommended provisional level from NIST SP 800-60 without strong justification and documented rationale.
Key Frameworks and Standards to Know
• FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems. Establishes the three security objectives and the three impact levels (Low, Moderate, High).
• FIPS 200 — Minimum Security Requirements for Federal Information and Information Systems. Specifies minimum security requirements based on the categorization from FIPS 199.
• NIST SP 800-60 Vol. 1 & 2 — Guide for Mapping Types of Information and Information Systems to Security Categories. Provides detailed guidance and provisional impact levels for a wide range of information types.
• NIST SP 800-53 — Security and Privacy Controls for Information Systems and Organizations. Contains the catalog of controls selected based on system categorization.
• NIST Risk Management Framework (RMF) — The overarching framework within which system categorization (including security objectives for information types) is the first step (Categorize).
Real-World Example
Consider a healthcare organization's electronic health records (EHR) system. The information types might include:
1. Patient Health Information (PHI): Confidentiality = HIGH (unauthorized disclosure could cause severe harm to individuals), Integrity = HIGH (incorrect medical data could lead to life-threatening treatment errors), Availability = HIGH (clinicians need immediate access for patient care).
2. Administrative Scheduling Data: Confidentiality = LOW, Integrity = MODERATE, Availability = MODERATE.
3. Billing and Insurance Data: Confidentiality = MODERATE, Integrity = HIGH, Availability = MODERATE.
Using the high-water mark approach:
SC (EHR system) = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, HIGH)}
This system would be categorized as a HIGH impact system, requiring the most stringent set of security controls.
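The high-water mark computation from Step 3, applied to the EHR categorization above, as an added Python example (it is not code from the page, from NIST, or from any categorization tool): it parses the page's SC notation, takes the per-objective maximum across information types, and, going slightly beyond the page, enforces the FIPS 199 rule that N/A may be assigned only to the confidentiality objective of an information type and never to a system. The three information-type expressions are constructed from the EHR example.

```python
import re
# FIPS 199 impact values in rank order. "N/A" ranks below LOW and is allowed only for
# the confidentiality objective of an information type, never for a system.
RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
SC_RE = re.compile(r"SC\s*\((?P<name>[^)]+)\)\s*=\s*\{(?P<body>.*)\}")
PAIR_RE = re.compile(r"\(\s*(confidentiality|integrity|availability)\s*,\s*([A-Za-z/]+)\s*\)", re.I)

def parse_sc(line):
    """Parse one 'SC (name) = {(objective, impact), ...}' expression into (name, dict)."""
    if not (m := SC_RE.search(line)):
        raise ValueError(f"not an SC expression: {line!r}")
    name = m.group("name").strip()
    levels = {obj.lower(): val.upper() for obj, val in PAIR_RE.findall(m.group("body"))}
    for obj in OBJECTIVES:
        val = levels.get(obj)
        if val not in RANK:
            raise ValueError(f"{name}: missing or invalid impact for {obj}")
        if val == "N/A" and obj != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")
    return name, levels

def high_water_mark(types):
    """System category: the per-objective maximum across all information types."""
    sc = {}
    for obj in OBJECTIVES:
        best = max((t[obj] for t in types), key=RANK.get)
        sc[obj] = "LOW" if best == "N/A" else best  # a system's objectives are never N/A
    return sc

def format_sc(name, sc):
    body = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC ({name}) = {{{body}}}"

def categorize_system(name, expressions):
    """Return (SC expression for the system, overall impact level)."""
    sc = high_water_mark([parse_sc(e)[1] for e in expressions])
    return format_sc(name, sc), max(sc.values(), key=RANK.get)

# Constructed input: the three EHR information types from the example above.
EHR_TYPES = [
    "SC (patient health information) = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, HIGH)}",
    "SC (administrative scheduling data) = {(Confidentiality, LOW), (Integrity, MODERATE), (Availability, MODERATE)}",
    "SC (billing and insurance data) = {(Confidentiality, MODERATE), (Integrity, HIGH), (Availability, MODERATE)}",
]

if __name__ == "__main__":
    expression, level = categorize_system("EHR system", EHR_TYPES)
    print(expression, "-> overall impact:", level)
```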
Common Mistakes and Misconceptions
• Confusing information types with data classifications: Information types are categories of information based on function or purpose (e.g., payroll, law enforcement), while data classifications (e.g., Public, Confidential, Secret, Top Secret) are sensitivity labels. Both are important but serve different purposes.
• Forgetting the high-water mark principle: The overall system categorization is driven by the highest impact level across all information types and objectives, not the average or most common level.
• Assuming all three objectives have the same impact level: Each objective (C, I, A) can have a different impact level for the same information type. For example, public website content might be LOW for confidentiality but HIGH for availability.
• Neglecting to re-evaluate: Security objectives should be reviewed periodically, especially when new information types are added to a system or when the mission or threat environment changes.
Exam Tips: Answering Questions on Security Objectives for Information Types
1. Memorize the CIA Triad definitions precisely: Exam questions often test whether you can correctly match a scenario (e.g., unauthorized modification) to the correct security objective (integrity). Know the exact wording from FIPS 199.
2. Understand the High-Water Mark principle thoroughly: Many exam questions will present multiple information types with different impact levels and ask you to determine the overall system categorization. Always take the highest value for each objective across all information types, then the highest overall to determine system impact.
3. Know the three impact levels and their definitions: Low = limited adverse effect, Moderate = serious adverse effect, High = severe or catastrophic adverse effect. Questions may describe a scenario and ask you to assign the appropriate impact level.
4. Be familiar with NIST SP 800-60's role: Understand that SP 800-60 provides provisional impact levels for information types, and that these serve as a starting point that organizations can adjust (usually upward) based on their specific context.
5. Distinguish between FIPS 199 and FIPS 200: FIPS 199 deals with categorization (assigning impact levels), while FIPS 200 deals with minimum security requirements based on that categorization. Exam questions may try to confuse the two.
6. Remember the RMF sequence: Categorization is Step 1 of the NIST Risk Management Framework. Security objectives for information types feed directly into this step. If a question asks about the first activity in the RMF, think categorization using FIPS 199.
7. Watch for trick scenarios: A question might describe a system where confidentiality is not a concern (e.g., a public-facing website with no sensitive data), so confidentiality might be LOW or even N/A, while availability might be HIGH. Don't assume all three objectives are equally important for every system.
8. Practice the formula: Be comfortable writing and interpreting the security category notation: SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}. Questions may present this format and ask you to identify errors or determine the correct categorization.
9. Consider the stakeholders: Some questions may ask about who is responsible for assigning security objectives. The information owner or data owner typically assigns impact levels, often in collaboration with the system owner and with approval from the authorizing official.
10. Read questions carefully for scope: If a question asks about the security objective for a specific information type, provide the impact level for that type alone. If it asks about the system, apply the high-water mark across all information types in the system.
11. Understand the concept of proportionality: The level of security controls applied should be proportional to the potential impact. Exam questions may test whether you would over-protect a LOW system or under-protect a HIGH system.
12. Use the process of elimination: When in doubt on a multiple-choice question, eliminate answers that confuse security objectives (e.g., an answer that says a loss of availability is about unauthorized disclosure is clearly wrong), then choose from the remaining options based on impact severity described in the scenario.
Summary
Security objectives for information types are the cornerstone of system categorization under FIPS 199 and the NIST Risk Management Framework. By assigning appropriate impact levels (Low, Moderate, High) to each security objective (Confidentiality, Integrity, Availability) for every information type in a system, organizations can determine the overall security posture required and select the appropriate security controls. Mastering this concept requires understanding the CIA Triad, the high-water mark principle, the role of NIST SP 800-60, and the ability to apply these concepts to real-world and exam scenarios.