Applying the FISMA Risk Management Framework to IBM i: Categorizing Information and Defining Baselines
In a previous article we discussed what the Federal Information Security Management Act of 2002 (FISMA) is and how it can affect your IBM i. In this article we focus on the first two of the six Risk Management Framework activities for securing your IBM i system: 1) categorizing information based on the impact of its loss (risk); and 2) defining a baseline of security controls to protect critical organizational information. These two activities are the foundation for everything that follows, so getting them right is critical to maintaining FISMA compliance.
What FISMA does
In case you missed our first post, FISMA provides a framework for managing information security for all information and information systems used by Federal Government agencies, or by private sector entities operating information systems on behalf of the Federal Government. FISMA includes implementation, management, and reporting requirements to protect the government's information technology infrastructure. Covered organizations must implement FISMA requirements and report annually to the Office of Management and Budget (OMB).
The National Institute of Standards and Technology (NIST) is responsible for developing the standards, guidelines, and methods for ensuring information security for governmental agencies. Under its Risk Management Framework (RMF), NIST specifies six activities that lead to more secure systems and to compliance with FISMA risk management requirements.
- Categorize – Categorize the information to be processed, stored, and transmitted based on an impact analysis (risk).
- Select – Select a minimum baseline of security controls and tailor or supplement the baseline as needed, based on each organization's risk assessment and local conditions.
- Implement – Implement the controls and document how they are deployed within the environment and its associated systems.
- Assess – Assess whether the controls are deployed and operating correctly and producing the desired outcomes, according to the security requirements.
- Authorize – Authorize the information system to operate, based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation.
- Monitor – Monitor the security controls on an ongoing basis for effectiveness, document changes, conduct security analysis of those changes, and report the security state of the system.
Today, let's focus on the Categorize and Select steps.
Categorization of the information
Categorization is the first step in the framework because you must first understand the risks you face when data is processed, stored, and transmitted. Each of these areas must be analyzed to understand the impact on the business if the data were exposed, altered, or unavailable. A level of risk must be assigned to each area, along with a determination of whether the information is mission critical or whether it supports the administration, management, and support functions of the business.
Assigning a level of risk requires input from both the business and IT. The business people understand what is mission critical to them, and IT can help identify the security risks. Working together, you will be able to categorize your information more accurately based on how critical it is. The information is assigned one of the following impact levels:
- Low Risk – if the information is exposed or unavailable, the impact on the business will be limited.
- Moderate Risk – if the information is exposed or unavailable, the impact on the business will be serious.
- High Risk – if the information is exposed or unavailable, the impact on the business will be severe or catastrophic.
You'll need to assign risk levels to all of your servers and data sources, not just your IBM i. This step may seem daunting because it takes real time and effort to determine the level of risk your business faces with each server or data source. There are many things to consider, and deciding where to start can feel overwhelming. This is where a third-party assessment can be helpful in getting started: an independent review of the security of your environment quickly identifies the areas where you can implement controls to improve the protection of your data.
Selecting Minimum Baseline Controls
After you have identified and categorized the risks to your information, you need to define a baseline of controls. In practice this means defining measurable thresholds against which you can test whether you remain in compliance. Any deviation from a threshold increases your risk, and with it the risk of falling out of compliance. The baseline is what makes compliance measurable.
Setting the baseline is the easy part. For example, you may require that the IBM i security level system value (QSECURITY) be set to 40 or higher (50 is the most restrictive level); if it is lower than 40, you are at risk. The harder part is ensuring that your controls do not drift from the baseline you establish. This can be done manually, and there are also third-party solutions, such as iSecurity Audit, that automate system auditing for you.
Controls you should consider when selecting a minimum baseline for IBM i include unexpected changes to system values, user activity, network attributes, user profile attributes, and object authorities. These controls help ensure that your data is protected from both external and internal threats.
Solutions such as iSecurity Compliance Evaluator can make the job of maintaining the baseline easier. Once you define the baseline, you can generate reports that show whether you have strayed from it. For example, you may want to limit the number of user profiles with *ALLOBJ special authority to no more than five. Running a report tells you whether you are still within that limit. Even better, these reports make it easy for someone in the compliance department to assess the current state of security without needing to know the IBM i commands that retrieve the underlying information.
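The two baseline rules above (QSECURITY at 40 or higher, at most five *ALLOBJ profiles) are one instance of a general drift check: a table of expected control states compared against a snapshot of the system. The script below is an added illustration of that check written for this article; it is not code from SEA or from the iSecurity products. The system-value and user-profile snapshots it evaluates are constructed sample data, and the QAUDCTL rule is an assumed example of a second pinned system value. On a real system the same snapshot shape can be pulled with SQL from the Db2 for i services QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO, as noted in the comments.

```python
"""Baseline-drift check for IBM i security controls (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # which control drifted from the baseline
    expected: str  # the baseline rule that was violated
    actual: str    # what the snapshot showed


# Baseline rules: "min" is a numeric floor, "eq" is an exact match.
# QSECURITY >= 40 is the article's example; QAUDCTL = *AUDLVL is an assumed
# second rule (it keeps the security audit journal switched on).
BASELINE_SYSTEM_VALUES = {
    "QSECURITY": ("min", 40),
    "QAUDCTL": ("eq", "*AUDLVL"),
}
MAX_ALLOBJ_USERS = 5  # the limit used in the article

# Constructed snapshots (fictional values). On a real system the same shape
# comes from:
#   SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
#     FROM QSYS2.SYSTEM_VALUE_INFO
#   SELECT AUTHORIZATION_NAME, STATUS, SPECIAL_AUTHORITIES FROM QSYS2.USER_INFO
SAMPLE_SYSTEM_VALUES = {"QSECURITY": 30, "QAUDCTL": "*AUDLVL"}
SAMPLE_USERS = [
    # (profile, status, SPECIAL_AUTHORITIES as the blank-separated string USER_INFO returns)
    ("QSECOFR", "*ENABLED", "*ALLOBJ *SECADM *JOBCTL *SPLCTL *SAVSYS *SERVICE *AUDIT *IOSYSCFG"),
    ("ADMIN1", "*ENABLED", "*ALLOBJ *SECADM"),
    ("ADMIN2", "*ENABLED", "*ALLOBJ"),
    ("DEVLEAD", "*ENABLED", "*ALLOBJ *JOBCTL"),
    ("SVCACCT", "*ENABLED", "*ALLOBJ"),
    ("OLDADMIN", "*DISABLED", "*ALLOBJ"),  # forgotten profile still holding *ALLOBJ
    ("BATCHOPR", "*ENABLED", "*JOBCTL *SPLCTL"),
    ("HRCLERK", "*ENABLED", "*NONE"),
]


def check_system_values(baseline, current):
    """Compare each baseline rule against the current system-value snapshot."""
    findings = []
    for name, (rule, expected) in baseline.items():
        actual = current.get(name)
        if actual is None:
            findings.append(Finding(name, f"{rule} {expected}", "MISSING"))
            continue
        if rule == "min":
            ok = isinstance(actual, int) and actual >= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding(name, f"{rule} {expected}", str(actual)))
    return findings


def allobj_holders(users):
    """Profiles whose special authorities include *ALLOBJ, enabled or not.
    A disabled profile can be re-enabled, so it still counts against the limit."""
    return sorted(name for name, _status, spec in users if "*ALLOBJ" in spec.split())


def check_allobj_users(users, limit):
    holders = allobj_holders(users)
    if len(holders) <= limit:
        return []
    return [Finding("*ALLOBJ users", f"at most {limit}",
                    f"{len(holders)}: {', '.join(holders)}")]


def evaluate(system_values, users):
    """Return every drift finding; an empty list means the system is within baseline."""
    return (check_system_values(BASELINE_SYSTEM_VALUES, system_values)
            + check_allobj_users(users, MAX_ALLOBJ_USERS))


if __name__ == "__main__":
    findings = evaluate(SAMPLE_SYSTEM_VALUES, SAMPLE_USERS)
    for f in findings:
        print(f"DRIFT {f.control}: expected {f.expected}, found {f.actual}")
    print("within baseline" if not findings else f"{len(findings)} finding(s)")
```

Against the sample data the check reports two findings: QSECURITY is 30 against a floor of 40, and six profiles hold *ALLOBJ against a limit of five, including the disabled OLDADMIN profile that a report filtered to enabled users would have hidden. Scheduling this kind of comparison and keeping its output is the "Monitor" half of the picture that later articles cover; the baseline table is the "Select" half.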
Getting started with FISMA risk management for IBM i
In future articles we will take a closer look at the four remaining steps in the Risk Management Framework that you need to cover to be FISMA compliant, and at how to make compliance easier.
A good way to start reviewing your FISMA risk management is to contact SEA for a free security assessment, or for more information on how we can help you with your security issues. We'll be glad to review your current situation and recommend any changes that might be needed.