Your organization is developing a Transportation Management System (TMS) that processes two types of data: air and ground transportation data. Confidentiality and cost-effectiveness are your organization's primary concerns, and biometric authentication belongs to the security control baseline for high-impact systems. According to the business and privacy impact analysis, incidents such as a data breach, an unauthorized change, or loss of access to any transportation data would cause a low impact on your organization. However, unauthorized alteration of air transportation data would render a moderate impact. It is now time to determine the baseline security controls based on the system impact level. Which of the following is the best decision according to the impact analysis?
A. Implement a fingerprint-based authentication system
B. Implement a hardware token authentication system
C. Implement an authentication system based on something you know
D. Implement a two-factor authentication system
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Implement a two-factor authentication system. (“C. Implement an authentication system based on something you know” is also acceptable if you can justify your decision supported by a security control baseline or framework)
The system is categorized as a moderate-impact system. The control enhancement IA-2 (1), which is part of the moderate security control baseline defined in NIST SP 800-53 R4, requires multifactor authentication for network access to privileged accounts, as follows:
IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS
The information system implements multifactor authentication for network access to privileged accounts.
This question is designed to highlight the importance of the NIST Risk Management Framework (RMF).
- Step 1: To “categorize system” means to determine the system impact level based on the impact of its information types. The concept of the high water mark plays a crucial role. Please refer to FIPS 199 and NIST SP 800-60 for details.
- Step 2: To “select controls” means to select controls from the security control baselines; please refer to FIPS 200 and NIST SP 800-53 R4 for details.
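As an added worked example (not part of the original question or answer), the following Python applies the FIPS 199 high water mark from Step 1 to the two information types in the scenario and then performs the Step 2 check of whether IA-2 (1) falls in the selected baseline. The per-information-type impact values are constructed from the question text, and the IA-2 enhancement sets per baseline are those listed in NIST SP 800-53 R4 Appendix D.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed from the scenario: per information type, the impact of a breach (C),
# an unauthorized alteration (I) and a loss of access (A).
TMS_INFORMATION_TYPES = {
    "air transportation data": {
        "confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "ground transportation data": {
        "confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
}


def categorize_system(info_types):
    """FIPS 199 high water mark: for each security objective take the highest impact across
    all information types; the system impact level is the highest of the three objectives."""
    per_objective = {obj: max(levels[obj] for levels in info_types.values()) for obj in OBJECTIVES}
    return per_objective, max(per_objective.values())


def security_category(name, per_objective):
    """Render the result in FIPS 199 notation: SC name = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {level.name})" for obj, level in per_objective.items())
    return f"SC {name} = {{{parts}}}"


# IA-2 control enhancements per baseline, as tabulated in NIST SP 800-53 R4 Appendix D.
# Used only to check whether IA-2 (1), multifactor authentication for network access to
# privileged accounts, is required by the baseline selected for the categorized system.
IA2_ENHANCEMENTS = {
    Impact.LOW: {1, 12},
    Impact.MODERATE: {1, 2, 3, 8, 11, 12},
    Impact.HIGH: {1, 2, 3, 4, 8, 9, 11, 12},
}


def baseline_requires(system_level, enhancement):
    """True if the baseline for system_level contains the given IA-2 enhancement number."""
    return enhancement in IA2_ENHANCEMENTS[system_level]


if __name__ == "__main__":
    per_obj, level = categorize_system(TMS_INFORMATION_TYPES)
    print(security_category("TMS", per_obj))
    print("system impact level:", level.name)
    print("IA-2 (1) required:", baseline_requires(level, 1))
```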