
For each CIA concept below, classify each example as having a low, moderate, or


Question

For each CIA concept below, classify each example as having a low, moderate, or high level of impact on organizations or individuals. Justify your classifications.

a. Confidentiality: Student enrollment information; Student grade information; Student directories (name, address, telephone).

b. Integrity: An anonymous online poll; A hospital patient’s allergy information stored in a database; A Web site that offers a forum to registered users to discuss some specific topic.

c. Availability: A public Web site for a university; An online telephone directory lookup application; A system that provides authentication services for critical systems, applications, and devices.

Three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability), are defined in FIPS PUB 199 [1]:

Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capacity to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; or (iii) result in minor harm to individuals.

Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.

[1] The National Institute of Standards and Technology (NIST) has produced a large number of Federal Information Processing Standards Publications (FIPS PUBs), including FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems). FIPS PUB 199 provides a useful characterization of the three security objectives (the CIA triad) in terms of requirements and the definition of a loss of security in each category (confidentiality, integrity, availability).

Explanation / Answer

Confidentiality - protects our data from being accessed by others

a) Student enrollment information - This will only contain information about students who have enrolled in some course. Accessing this will not lead to any big effect on the functioning of the organisation. So the impact will be low.

b) Student grade information - This contains the scores secured by the students in various assessments. If the confidentiality level is low, it allows anyone to access anyone's record, and the data is no longer protected. Impact will be high.

c) Student directories - This contains personal details about the students along with some sensitive information like telephone number, email etc. So there should be some mechanism to stop anyone accessing anyone's data, but this will not stop the organisation. So impact will be low.

Integrity - This ensures that data is not altered by any unauthorized person.

a) An anonymous online poll - It will contain the poll results. It might contain results of some research etc. Changing the result will change the outcome also. So impact will be moderate.

b) A hospital patient’s allergy information stored in a database - The patient's allergy information should only be accessed by authorized persons. Doctors treat patients by referring to this information stored in the database. It contains what drugs have been given, what the result was, etc. This helps in further treatment. Altering this will play with the lives of patients. So impact will be high.

c) A Web site that offers a forum to registered users to discuss some specific topic - Altering the contents will only result in useless discussion. But this will not be a big issue. So impact will be low.

Availability - This ensures that the information is available to the users almost all the time.

a) A public Web site for a university - If the university website is down, it will not cause any problem. So impact will be low.

b) An online telephone directory lookup application - This is a public application and anyone can access this app at any time for getting some telephone numbers. So impact will be moderate.

c) A system that provides authentication services for critical systems, applications, and devices - This system cannot be down; if it is down, then there will be a security breach. This allows critical systems to be accessed by unauthorised persons also. So impact is high.
