Archive for August 21st, 2011
Risk Management in IT: NSS

Risk Management of IT: National Security Systems

Risk Assessments and Risk Management will apply to National Security Systems (NSS).

What is a Risk Assessment?

A risk assessment is the process, and the resulting report, of determining the likelihood that a threat will exploit a weakness. Risk assessment is one part of risk management.

What is risk management?

Risk management is the ongoing process of identifying, assessing, and prioritizing risks.

Is My System a National Security System?

NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, is a 17-page document developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. It is based on the Federal Information Security Management Act of 2002 (FISMA).

Who determines if you have an NSS?

The head of each agency is responsible for designating an agency information security official to determine which, if any, agency systems are national security systems.

Tools to determine if you have an NSS:

National Security System Identification Checklist (NIST SP 800-59, Appendix A). The NSS Identification Checklist asks six questions; answering yes to any one of them qualifies your system as an NSS:
• Does the function, operation, or use of the system involve intelligence activities?
• Does the function, operation, or use of the system involve cryptologic activities related to national security?
• Does the function, operation, or use of the system involve command and control of military forces?
• Does the function, operation, or use of the system involve equipment that is an integral part of a weapon or weapons system?
• Is the system critical to the direct fulfillment of military or intelligence missions?
• Does the system store, process, or communicate classified information?

NSS RMF
CNSSI 1253 is the result of NIST collaborating with the Intelligence Community (IC), the Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to ensure that NIST SP 800-53 contains the security controls needed to meet the requirements of National Security Systems (NSS).

KEY DIFFERENCES BETWEEN CNSS INSTRUCTION NO. 1253 AND NIST PUBLICATIONS

The key differences between CNSSI 1253 and the NIST publications are that NSS do not follow the “high-water mark”, that NSS categorizations may be tailored through risk-based adjustment and control profiles, and that a method is provided for organizations to practice reciprocity.

NSS and High Water Mark
Both FIPS 200 and NIST 800-53 apply the concept of a high-water mark (HWM) when categorizing information systems according to the worst-case potential impact of a loss of confidentiality, integrity, or availability of information or an information system. This Instruction does not adopt this HWM usage. In the National Security Community, the potential impact levels determined for confidentiality, integrity, and availability are retained, meaning there are 27 possible three-value combinations for NSI or NSS, as opposed to the three possible single-value categorizations obtained using the guidelines in FIPS 200. – CNSSI 1253
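The following is an added example, not code from the post or from NIST/CNSS, that makes two of the rules above concrete: the SP 800-59 checklist rule (one “yes” makes a system an NSS) and the difference between FIPS 200 high-water-mark categorization and the retained confidentiality/integrity/availability triple of CNSSI 1253. The checklist questions and impact levels are the ones quoted on this page; the function and variable names are this example's own.

```python
"""Added example (not from the post or from NIST/CNSS): the SP 800-59 checklist
rule and the two categorization rules contrasted above, FIPS 200 high-water
mark vs. the CNSSI 1253 retained C/I/A triple. Function and variable names
are this example's own."""
from itertools import product

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")   # FIPS 199 potential impact levels
RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}

# The six NSS Identification Checklist questions (SP 800-59, Appendix A), keyed
# by the clause that distinguishes each question in the list above.
NSS_CHECKLIST = (
    "intelligence activities",
    "cryptologic activities related to national security",
    "command and control of military forces",
    "equipment that is an integral part of a weapon or weapons system",
    "critical to the direct fulfillment of military or intelligence missions",
    "stores, processes, or communicates classified information",
)


def is_nss(answers):
    """Checklist rule as stated above: a single 'yes' makes the system an NSS.

    `answers` maps each checklist key to True (yes) or False (no). An
    incomplete checklist is an error, not a 'no'.
    """
    unanswered = [q for q in NSS_CHECKLIST if q not in answers]
    if unanswered:
        raise ValueError(f"checklist incomplete: {unanswered}")
    return any(bool(answers[q]) for q in NSS_CHECKLIST)


def _check_levels(*levels):
    for level in levels:
        if level not in RANK:
            raise ValueError(f"unknown impact level {level!r}; expected one of {IMPACT_LEVELS}")


def fips200_category(confidentiality, integrity, availability):
    """High-water mark: the whole system takes the worst of the three impact levels."""
    _check_levels(confidentiality, integrity, availability)
    return max((confidentiality, integrity, availability), key=RANK.__getitem__)


def cnssi1253_category(confidentiality, integrity, availability):
    """CNSSI 1253: the three impact levels are retained as an ordered triple."""
    _check_levels(confidentiality, integrity, availability)
    return (confidentiality, integrity, availability)


def distinct_categories(categorize):
    """Number of distinct outcomes a categorization rule yields over all 27 inputs."""
    return len({categorize(c, i, a) for c, i, a in product(IMPACT_LEVELS, repeat=3)})


if __name__ == "__main__":
    # Constructed case: a sensor feed whose availability matters far more than its secrecy.
    levels = ("LOW", "LOW", "HIGH")
    print("FIPS 200 / HWM :", fips200_category(*levels))    # HIGH for every objective
    print("CNSSI 1253     :", cnssi1253_category(*levels))  # ('LOW', 'LOW', 'HIGH')
    print("distinct categories:", distinct_categories(fips200_category),
          "vs", distinct_categories(cnssi1253_category))    # 3 vs 27
```

The practical consequence shows in the constructed case: under the high-water mark a system with low confidentiality and integrity impact but high availability impact is treated as HIGH for all three objectives, whereas CNSSI 1253 keeps the triple so that control selection can differ per objective. The two `distinct_categories` counts reproduce the 3-versus-27 figure quoted from the Instruction.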

Risk-Based Adjustment
Potential impact-based security categorizations for NSS may be tailored through the use of a risk-based adjustment. This adjustment takes into consideration the physical and personnel security measures already employed throughout the National Security Community and factors such as aggregation of information.

Control Profile
A method by which organizations may designate sets of controls for NSS based on their enterprise-wide risk assessment, taking into account business objectives, system risks, and mission needs.

NSS Reciprocity
It is the policy of the National Security Community that member organizations practice reciprocity with respect to the certification of systems and system components to the greatest extent practicable. Reciprocity of certification reduces the cost and time to implement systems and system components.

YOUR WINNING NOTIFICATION *SCAM

Anti-Terrorist And Monetory Crimes Division
FBI Headquarters In Washington, D.C.
Federal Bureau Of Investigation
J. Edgar Hoover Building
935 Pennsylvania Avenue,
NW Washington, D.C. 20535-0001

Attn: Beneficiary,

This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigation with the help of our Intelligence Monitoring Network System that you legally won the sum of $800,000.00 USD from a Lottery Company outside the United States of America. During our investigation we discovered that your e-mail won the money from an Online Balloting System and we have authorized this winning to be paid to you via a Certified Cashier’s Check.

Normally, it will take up to 10 business days for an International Check to be cashed by your local bank. We have successfully notified this company on your behalf that funds are to be drawn from a registered bank within the United States Of America so as to enable you cash the check instantly without any delay, henceforth the stated amount of $800,000.00 USD has been deposited with Bank Of America.

We have completed this investigation and you are hereby approved to receive the winning prize as we have verified the entire transaction to be Safe and 100% risk free, due to the fact that the funds have been deposited at Bank Of America you will be required to settle the following bills directly to the Lottery Agent in-charge of this transaction whom is located in United Kingdom. According to our discoveries, you were required to pay for the following –

(1) Deposit Fee’s ( Fee’s paid by the company for the deposit into an American Bank which is – Bank Of America )
(2) Cashier’s Check Conversion Fee ( Fee for converting the Wire Transfer payment into a Certified Cashier’s Check )
(3) Shipping Fee’s ( This is the charge for shipping the Cashier’s Check to your home address )

The total amount for everything is $200.00 (Two Hundred-US Dollars). We have tried our possible best to indicate that this $200.00 should be deducted from your winning prize but we found out that the funds have already been deposited at Bank Of America and cannot be accessed by anyone apart from you the winner, therefore you will be required to pay the required fee’s to the Agent in-charge of this transaction via Western Union Money Transfer Or Money Gram.

In order to proceed with this transaction, you will be required to contact the agent in-charge ( Mr. Bruce Hutchinson ) via e-mail. Kindly look below to find appropriate contact information:

CONTACT AGENT NAME: Mr. Bruce Hutchinson
E-MAIL ADDRESS: brucehutchinson00@gala.net
Telephone Number : +234-802-959-2149, 0092348029592149.

You will be required to e-mail him with the following information:

FULL NAME:
ADDRESS:
CITY:
STATE:
ZIP CODE:
DIRECT CONTACT NUMBER:

You will also be required to request Western Union or Money Gram details on how to send the required $200.00 in order to immediately ship your prize of $800,000.00 USD via Certified Cashier’s Check drawn from Bank Of America, also include the following transaction code in order for him to immediately identify this transaction : EA2948-910.

This letter will serve as proof that the Federal Bureau Of Investigation is authorizing you to pay the required $200.00 ONLY to Mr. Bruce Hutchinson via information in which he shall send to you, if you do not receive your winning prize of $800,000.00 we shall be held responsible for the loss and this shall invite a penalty of $200.00 which will be made PAYABLE ONLY to you (The Winner).

Robert Mueller
Washington DC FBI.
Room, 7367
J. Edgar Hoover Building
935 Pennsylvania Avenue, NW
Washington, D.C. 20535-0001

NOTE: In order to ensure your check gets delivered to you ASAP, you are advised to immediately contact Mr. Bruce Hutchinson via contact information provided above and make the required payment of $200.00 to information in which he shall provide to you
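As an added example from the defender's side, not part of the post above, here is a small heuristic that scores the letter for the classic advance-fee indicators it displays: an unsolicited prize, a fee that must be paid before the money is released, payment via money-transfer services, a government agency writing from a non-government mailbox, a callback number with a foreign country code, urgency, and a request for personal details. The sample text is an excerpt of the letter above; the indicator names, patterns and scoring threshold are this example's own assumptions.

```python
"""Added example, not part of the post: a heuristic scorer for advance-fee
scam indicators, run over an excerpt of the letter reproduced above. The
indicator names, patterns and threshold are this example's own."""
import re

# Excerpt of the scam letter above (a few of its lines, in order).
SAMPLE = """Federal Bureau Of Investigation
Attn: Beneficiary,
This is to Officially inform you that you legally won the sum of $800,000.00 USD
from a Lottery Company outside the United States of America.
The total amount for everything is $200.00 (Two Hundred-US Dollars). You will be
required to pay the required fee's via Western Union Money Transfer Or Money Gram.
E-MAIL ADDRESS: brucehutchinson00@gala.net
Telephone Number : +234-802-959-2149
FULL NAME:
ADDRESS:
ZIP CODE:
NOTE: you are advised to immediately contact Mr. Bruce Hutchinson"""

KEYWORD_INDICATORS = {
    "unsolicited_prize": re.compile(r"\b(won|winning|lottery|prize|beneficiary)\b", re.I),
    "untraceable_payment": re.compile(r"\b(western union|money ?gram)\b", re.I),
    "urgency": re.compile(r"\b(immediately|asap|without any delay)\b", re.I),
    "personal_data_request": re.compile(r"\b(full name|zip code|contact number)\b", re.I),
}
FEE_WORD = re.compile(r"\bfee(?:s|'s|’s)?\b", re.I)
MONEY = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
GOV_AGENCY = re.compile(r"\b(FBI|Federal Bureau Of Investigation)\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[A-Za-z]{2,})")
PHONE_CC = re.compile(r"\+(\d{1,3})[-\s]?\d")


def analyze(text):
    """Return {indicator: evidence} for every advance-fee indicator found in `text`."""
    findings = {}
    for name, rx in KEYWORD_INDICATORS.items():
        hits = sorted({m.group(0).lower() for m in rx.finditer(text)})
        if hits:
            findings[name] = hits
    # The defining trait: a fee must be paid up front before a larger sum is released.
    if FEE_WORD.search(text):
        amounts = MONEY.findall(text)
        if amounts:
            findings["advance_fee"] = sorted(set(amounts))
    # Claims to be a government agency but gives contact addresses outside .gov/.mil.
    if GOV_AGENCY.search(text):
        domains = {m.group(1).lower() for m in EMAIL.finditer(text)}
        outside = sorted(d for d in domains if not d.endswith((".gov", ".mil")))
        if outside:
            findings["agency_with_non_gov_email"] = outside
    # Callback number carries a non-US country code while the letter claims a Washington office.
    codes = sorted({m.group(1) for m in PHONE_CC.finditer(text)})
    if codes and not all(code == "1" for code in codes):
        findings["foreign_callback_number"] = codes
    return findings


def verdict(findings, threshold=3):
    """Label the message by how many independent indicators fired."""
    return "likely advance-fee scam" if len(findings) >= threshold else "inconclusive"


if __name__ == "__main__":
    found = analyze(SAMPLE)
    for name, evidence in found.items():
        print(f"{name:28s} {evidence}")
    print(verdict(found))
```

No single pattern is decisive (a legitimate shipping notice mentions fees and dollar amounts), which is why the verdict counts independent indicators rather than keyword hits; the mismatch checks, an agency writing from a free mailbox and a callback number whose country code does not match the claimed office, are the ones least likely to appear in genuine mail.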