Step One for Risk Assessment

As with all things in information security, we derive our recommendations and our requirements from standards. Those standards are, generally speaking, globally known and understood by everyone in the profession. One of the key standards for us is FIPS publication 199. Publication 199 comes out of a law enacted in 2002 that recognized information security as a key element of law and of general government practice. FIPS 199 established standards for categorizing information systems, and it is the very first part of the law issued in 2002. This categorization scheme is now used across the entirety of the information security landscape. Understanding publication 199, and understanding how to classify your systems and data, is key both to establishing your risk profile and to your success across many of the frameworks you will deal with as a member of an information security audit.