Determining Impact to Your Assets

We’ve already talked about FIPS 199. But there's a companion publication to 199 called FIPS 200. Publication 200 takes the FIPS standard from 199, this concept of classifying your information systems, and generates a level of applicability for information security standards. Once you’ve determined the level of impact for your information systems, low, medium, high, across the three metrics, confidentiality, availability, and integrity, the 200 standard determines the overall impact of that system. A low impact system is one in which all of your metrics, confidentiality, integrity, and availability, are low. A moderate impact system is when at least one of those dimensions reaches a medium impact level, but none of them cross the threshold into high. And of course, a high impact system is one defined in which any of those levels crosses into the territory of high impact. It is important to note that when you apply additional standards, like the NIST cyber security framework, or other NIST information security standards, this level of applicability, low, medium, and high, is reflected in the control requirements in NIST.  

Related Videos