The following question discussed in Discord is short and seems simple, but it deserves more thinking. So, I wrote this post to share my perspectives.

Determining which element of the confidentiality, integrity and availability (CIA) triad is MOST important is a necessary task when:
A. assessing overall system risk.
B. developing a controls policy.
C. determining treatment options.
D. developing a classification scheme.

Source: Discord/Certification Station

I rephrase the question as “when is prioritizing the CIA necessary?” To answer this question, I hold the position or assumption as follows:

• The triad of the CIA is a regulatory requirement (FISMA) and security objective.
• Risk is the effect of uncertainty on objectives. (ISO 31000); specifically, the objectives refer to the CIA (confidentiality, integrity, and availability) in the context of security.
• The policy is the expression of management intent that imposes business requirements to direct and drive security programs; it’s a crucial part of strategy implementation.
• Controls mitigate risk to security objectives.

When is prioritizing the CIA necessary?

My suggested answer is B. developing a controls policy.

The question option, “assessing overall system risk,” implies objectives have been defined because it has moved to the phase when risk assessment is conducted, which means identifying risk (to objectives) is underway. “determining treatment options” is conducted after risk assessment. So, options A and C are not good answers.

A classification scheme is needed or necessary when classifying assets where evaluation in terms of CIA can be conducted to determine sensitivity, criticality, or business value of assets. So, “developing a classification scheme” (we do it one time only) is not necessary when prioritizing objectives.

Prioritization of Objectives

Objectives are hierarchical. Parent objectives drive the child’s objectives. Objectives at the same level should be prioritized. The MOST important objective is determined after prioritization. However, we define objectives first, then move on to prioritize objectives.

Security Policy

As a policy is the expression of management intent, it has a purpose or purposes that will be elaborated as requirements and addressed and measured by objectives. Not all policies have the same level of granularity. Some are high-level and broad, while others can be specific to issues or systems. Purpose (requirements and objectives), scope, and roles and responsibilities are typically described in a policy document.

Controls Policy

A policy stands for the management intent. The policy itself is a control, administrative, management, or directive control. A policy can be general, program-directing, issue-specific, or system-specific.

I treat the term “controls policy” mentioned in the question option as one form of the security policy that directs how the security controls are determined, implemented, assessed, authorized, and monitored. In other words, its purpose is to establish the so-called “security control framework” (SCF) and communicate control objectives.

OMB Circular A-130

“OMB Circular A-130, titled Managing Information as a Strategic Resource, is one of many Government circulars produced by the United States Federal Government to establish policy for executive branch departments and agencies.” (Wikipedia)

‘Adequate security’ means security protections commensurate with the risk resulting
from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

Source: OMB Circular A-130

System Categorization in RMF

The NIST RMF (SP 800-37 R2) is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

References

• Types of Policies
• Access Control Policy and Implementation Guides (ACP&IG)
• Access & Security Control Policy
• IT Security Control Policy
• What are Control Objectives and How are They Used in a SOC 1 Audit Report?
• Control Objectives & Activities: What Are They & What’s Appropriate?
• Illustrative Control Objectives for Service Organizations
• The Office of Management and Budget (OMB) Circular A-130