Information Security Standards and "Levels of Protection"

Issue/Topic: Information Security Standards and “Levels of Protection” (F3F)

Conference: IIW-East September 9-10, 2010 in Washington DC Complete Set of Notes

Convener: Ankit Kapasi

Notes-taker(s): Ankit Kapasi

Tags for the session - technology discussed/ideas considered:

Information Security, Privacy, Level of Protection, LOP, Level of Assurance, LOA, Legal, Liability, NIST SP 800, ISO 27001/27002

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Discussion:

There are 4 levels of protection. These levels of protection are mentioned but not defined. Levels of protection are complementary to levels of assurance, and as higher levels of assurance are implemented, levels of protection become more important. The levels of protection concept is drawn from legal requirements surrounding data protection policies.
 * Level of assurance is focused on trust in credentialing. Within NIST it is the identification and authentication security control families.
 * Level of protection is related to the remaining 15 NIST security control families.
 * A levels of protection paper will be presented at the ISO Privacy Standards Conference in October 2010.

As frameworks are developed, each framework is responsible to establish the requirements for levels of protection based on the legal and business needs. Levels of protection can be used as a product/service differentiator.

A level of protection is a service provider’s obligation to the consumer that should follow data security and privacy legal and business requirements. There are several information security standards, including NIST SP 800 series and ISO 27001/27002.
 * The NIST framework is a US standard and the required framework for US Federal Government systems. It is based on a FIPS 199 system categorization of low, moderate, or high. Security controls are then selected from NIST SP 800-53 to manage risk to the information assets processed and stored by the system.
 * NIST SP 800-63 covers levels of assurance and addresses the risk of a false positive. There is no NIST publication that speaks to levels of protection.
 * ISO 27001/27002 is an international standard that can also be used to secure an information system; in general it is more organizationally focused than system focused.

There is an opportunity for the National Strategy for Trusted Identities in Cyberspace to address liability and the insurance infrastructure. Currently, many industries (e.g., healthcare) view security as an impediment. The focus needs to shift to that of a business enabler such that trust with consumers can be established for high value, sensitive transactions in cyberspace.