Security Assessment: Case Studies for Implementing the NSA IAM (Part 4)


NOTE
As the assessment team works with the customer to fill out the OICM,
it’s normal for the customer to want to change some things. Remember
that this matrix is not static. You could end up changing multiple items
several times in the process. The customer should be in control because
they understand their business. You’re providing expertise to guide their
decision process. You should understand that if your definitions change,
you will need to revisit the OICM to see if any of the ratings have
changed based on the new definitions.
The Customer Perception of the Matrix
Often the customer will end up with misconceptions about the matrix and what it’s intended to convey to the target audience. These issues typically arise before the process is complete, so your team will need to reiterate the goal of these activities. Confront these issues as they arise by explaining why the matrix is important to upper management.

In putting together the OICM, our goal is to distill the information architecture and its impact on the organization into an easy-to-read matrix. We’ve defined the critical pieces of information and prioritized them based on their impact on operations. So now we can understand that the loss of security attributes to these pieces of information can impact the company in varying degrees. If the customer can understand the correlation we have drawn between these things, the matrix should be easy for them to comprehend.
www.syngress.com
Determining the Organization’s Information Criticality • Chapter 3 107
Figure 3.4 Example Completed: Matrix with High-Water Mark (rows: Customer Information, Account Information, Employee Information, Corporate Finances, Research & Development, High Watermark; columns: Confidentiality, Integrity, Availability; cells hold High/Medium/Low ratings)
286_NSA_IAM_03.qxd 12/11/03 3:25 PM Page 107
One issue that inevitably pops up is the concern that some information types may be construed as being “not important” because they receive a Low rating in some impact attribute categories. This is not, in fact, the truth of the matter. In fact, all information types listed are important to the organization, but the customer needs to understand which ones have a greater impact on the mission. Another key to the OICM is the distinction drawn between the different types of security required for various information types. Some types may need more protection from an impact attribute than others. Using this thinking, the customer can better determine where to invest their security budget to ensure the best use of resources.
Explaining the Value of Priorities
If everything were rated as a High impact on operations, the matrix would provide no value to the customer, because it would not reflect the reality of the situation. In reality, not all information within a company deserves the same level of protection. But like a small child with his toys, customers can be defensive about what is theirs. Priorities provide the mechanism needed to delineate the difference between information that is merely important and that which is critical.
Case Study: Organizational Criticality at TOOT
The Transit Organization of Operational Trains (TOOT) is under contract to manage 27 percent of all North American train traffic. In this capacity, TOOT schedules, monitors, and enforces the movement of trains from six master control stations (New York, Miami, Mexico City, San Francisco, Seattle, and Toronto).

TOOT has contracted with our consulting company to perform a complete NSA IAM-compliant assessment on their organization. They’ve never had an organizational assessment before, so the customer is relatively ignorant of the processes and steps involved. The assessment team leader will need to educate the customer and make sure they really understand the process as the assessment progresses.

Our POC is Anne Jackson, TOOT’s CIO. Anne has only been with the organization for about six months. She confides that she believes that many different procedural changes might need to take place before the organization ends up in the headlines. Our team leader decides that Anne will make a great team representative for the customer on the assessment team. Anne is asked to coordinate a pre-assessment visit in two weeks and is given a list of potential company representatives who could provide useful input for this initial step.
We know from our talks with Anne on the phone that the TOOT network is primarily a Windows NT domain network with an IBM AS400 as the primary monitoring server. The team leader decides to bring two technicians from our company. One has experience with Windows security; the other has worked with the AS400 mainframe architecture for years. Together with the team leader, the consulting pre-assessment visit team is ready to go.

Two weeks later, our team arrives on site at the TOOT location in New York, where we’ll meet with Anne and her team. The actual meeting room is a boardroom designed for a group of roughly 20 people to sit around a large table and talk. A large whiteboard hangs on a wall at one end of the room, perfect for listing information types.

Our meeting has been scheduled for 9:00 A.M. on Monday in the boardroom. We meet Anne in her office after checking in at the front desk and receiving our temporary visitor badges. Anne tells us that there should be 11 attendees in the meeting, including those on the assessment team. She says that the attendees should be a collection of individuals from the information technology department that administers the systems for TOOT.
TOOT Information Criticality Topics
At 8:50 A.M. we enter the boardroom with Anne and prepare for the meeting. The team leader lays out his notes and passes out a presentation for each attendee. The presentation gives the attendees an overview of the IAM assessment process and describes what the group will be doing.

The rest of the group shows up around 9:00 A.M. At this point, Anne makes some basic introductions between the team and the TOOT employees in the room. It appears that all the key players have arrived, so the team leader begins his presentation. When the presentation is over, he asks for questions and clarifies the process for a few individuals who seem concerned or confused about the assessment.

With the basics out of the way, the team leader starts the enumeration of information types by explaining to the group what we’re trying to do now. One of the assessment team members is prepared to take notes on a laptop while the team leader jots down the various information types on the whiteboard. The process starts immediately with the mainframe administrator naming the information types she deals with on a daily basis.

After just a few minutes, the rest of the group chimes in, and we soon have a list of roughly 35 information types. The group goes back over the list, carefully checking for items that don’t really belong. E-mail is removed from the list first, along with the customer database. When all the information types have been filtered, corrected, or accepted, there are 22 types on the list.

The assessment team leader explains the process of rolling these various information types into a smaller number of broad categories that encompass the information in question. The group works together and categorizes the information types into eight groups of information that describe all the critical information within the organization. The eight information types are as follows:
- Regular freight-tracking information
- Sensitive freight-tracking information
- Passenger information
- Track condition-monitoring information
- Customer information
- Employee information
- Corporate finance information
- Network and communications information
Identifying Impact Attributes
After listing all the information types, the group takes a break, and some members of the group are told they’re done. This leaves the assessment team with the senior technology representatives to identify the impact attributes and complete the OICM. When the break is over, this group returns to complete the work.

Our team leader explains that the group needs to pick attributes that directly impact the organization and asks for input on legal regulations or requirements that might influence this decision. The group decides to use the basic set of impact attributes: confidentiality, integrity, and availability. It’s decided that these three attributes cover the concerns the organization may have regarding the security of its information.
Creating Impact Definitions
The group begins working with the definitions that will pinpoint the various impacts that loss of CIA on the various information types has on the organization. Anne decides that it’s best to keep this simple and use the basic High / Medium / Low structure. The rest of the team appears to agree with her. The group ends up with the definitions listed in Table 3.4.
Table 3.4 TOOT Impact Definitions

High:
- Loss of life
- Severe loss of customer confidence
- Catastrophic financial penalties from federal regulatory agencies
- Hostile takeover of railway management system (possible terrorist activities)
- Financial losses in excess of US$2 million
- Inability to actively monitor trains or rail systems for more than one hour

Medium:
- Financial penalties in excess of US$100,000 from federal regulatory agencies
- Financial losses in excess of US$500,000
- Inability to actively monitor trains and rail systems for one hour or less
- Widespread loss of customer confidence
- Loss of reputation
- Legal action by the customers

Low:
- Inconvenience to the customer
- Inconvenience to the passengers
- Loss of customer confidence
- Disruption of our railway management
Creating the Matrix
Now that we’ve finished defining the impact attributes, the team can start filling in the OICM. This is where most of the conflict will arise, if it exists. In our case study, however, very little conflict exists, because everyone is on the same sheet of music. Anne has done a great job of pulling everyone together and getting the team focused.

The team begins by relating each information type to the impact attributes in question. For starters, the team leader asks the group to begin by considering how the loss of confidentiality of the regular freight information would impact the organization. The team decides what value to put into that box on the matrix by reviewing the definitions they’ve created. After about another hour and a half, the team has filled all the empty blocks in the OICM. By taking the highest rating in each impact attribute column, the team derives the high-water mark and calls it a day. The completed OICM is shown in Figure 3.5.
Figure 3.5 TOOT’s Completed OICM (rows: Reg. Freight, Sens. Freight, Pass Info., Track Cond., Cust. Info, Net & Comms, Finances, Emp. Info, High Watermark; columns: Confidentiality, Integrity, Availability; cells hold High/Medium/Low ratings)
Summary
The process of creating the Organizational Information Criticality Matrix (OICM) is one of the most important within the INFOSEC Assessment Methodology. The OICM provides a basis for everything else in the methodology and clarifies the intentions and goals of the assessment process for the customer. Poor execution of this portion of the assessment can result in a much more complex and painful assessment for both the customer and the team.

The process of creating the OICM begins with a group of customer representatives sitting in the same room with the assessment team. From here, the customer will begin listing all known information types within the company. It’s not important if the list is relatively long, because the next step rolls these individual pieces of information into more general groupings. These groupings make more sense than the individual pieces from an IAM perspective because they give a more general overview of the information types within the company. Because the IAM is a top-down assessment approach, we need to ensure that we start with this more generalized understanding of the customer’s information.

Some conflict can arise during this process simply because some information types are inherently considered of lesser importance to the organization than others. The individuals in the room may resent the implication that the information that they work with is of less importance. It eventually lies at the feet of upper management to clarify the company’s beliefs regarding these issues.

When the information types have all been grouped together into fewer groups of similar or relevant information types, we’ll pick the impact attributes to use for the assessment process. The most commonly used impact attributes are confidentiality, integrity, and availability. These three encompass the majority of what information security professionals around the world attempt to focus on. Other attributes, such as nonrepudiation or accountability, can be added. The more impact attributes used during the assessment process, the more complex the impact definitions need to be. This ensures that definitions relate directly back to the attributes we’re measuring against.
The standard levels of definitions are High, Medium, and Low. Although these are the standards, they’re not mandatory and may be substituted with your company’s own metric system. Another example of a potentially useful metric is including a numbering system from 0 to 5, with 0 representing the least impact on the organization. The system your organization ends up using depends on your own business processes and your customer’s desires.
The High definition level can be considered something that has a dramatic impact on business operations for the customer. This category is normally reserved for those events that can cause dire harm to the well-being of a company. Some examples include loss of life, complete loss of customer confidence, or the need to file for bankruptcy.

The Medium definition level consists of those things that are of significant impact to the organization. Significant is a subjective term that is up to the customer to define. It could consist of large legal penalties, loss of revenue, and a loss of reputation.

Low importance can be thought of along the lines of those things that will have less impact on the organization. For instance, customer inconvenience or the delay of an arrest (for a police organization) could be considered low by the customer. In the end, all these definitions are subjective and depend heavily on the customer’s interpretation.

The OICM is a box matrix consisting of columns and rows. We label the columns across the top of the matrix with the names of the impact attributes we’ll be using for the assessment. The rows are labeled along the left edge with the information types that the customer has defined.

Next, the assessment team will sit down with the customer and fill in the squares in the box. The process is completed by asking questions such as, “The loss of Integrity for this information type would result in what impact?” This type of activity will fill in the chart based on customer input. The OICM is not a static matrix and could change over the course of the assessment, based on new information or changes in customer opinion.

The final result is an OICM that accurately reflects the customer’s opinions regarding the critical information types within the organization, the various levels of impact considered possible for the organization, and the impact attributes that the customer feels are most important to the organization’s mission. Ratings are given by the customer with feedback from the team.
Best Practices Checklist
Never Underestimate the Amount of Time Required to Define Information Criticality
- Consider the size of the customer organization.
- Consider the politics of the customer organization.
- Consider the industry of the customer organization.
- Consider the customer understanding of the NSA IAM process.

Ensure That the Right People Are Present to Determine Information Criticality
- Your customer POC should be an upper management representative.
- Network administrators for the customer network should be part of the process.
- Systems administrators of the various operating systems should be part of the process.
- Administrative or project management personnel should be part of the process, for a business perspective.

Work With Your Customer to List the Information Types Within the Organization
- Start by brainstorming and listing all the information types the customer can think of.
- Remove all the superfluous and nonmission-critical information types from the list.
- Remove all the systems or applications from the list.
- Roll all the smaller information types into broader groups.
Avoid Internal Politics During the Definition Process
- Stay objective in the information you offer the customer about security.
- Allow the management representative to manage conflict and politics.
- Try to understand the rationale behind the personal feelings of the people in the room.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: During the course of defining the OICM, how often do you actually find the process difficult due to internal conflict or personality issues on the customer’s team?

A: There is almost always some sort of conflict during this process. The employees at the customer site usually believe their information or systems are very important to their company’s overall mission. We often hear statements such as, “If it weren’t for my information, we couldn’t do this. That would be a huge impact on the company!” Although statements like this are true at some level, it eventually comes down to what the manager believes is the truth. The manager, not the employee, decides the real impact.

Q: Is there a limit to the actual number of impact attributes that can be used during the IAM process?

A: NSA doesn’t actually define a specific number of impact attributes that should or should not be used during the assessment process. The actual number will depend heavily on customer desires. This is not to say that your input as a paid information security expert shouldn’t come into play in the decision, but ultimately it’s all up to the customer. The largest number of impact attributes I’ve seen during the assessment process was about 13. The biggest problem we had with that assessment was creating definitions that addressed each of these impact attributes so that we could adequately fill in the matrix. There’s also the chance of some overlap between the definitions when you get too many impact attributes involved in the process.
Q: You mentioned that some organizations prefer to use a numbered definition
system. Can you provide more detail on the reasons a business might want to
use this system versus the High, Medium, and Low standard?
A: There are a few reasons that an organization might prefer to use a numbering
system instead of the High, Medium, Low system taught by NSA. First, a
numbering system allows a greater degree of granularity when defining
impact to the organization.This granularity allows the customer and the
assessment team to better understand the priority of security impact. Second,
a numbering system allows the team to give an average or mean number on
the OICM instead of the high-water mark. If a customer truly wants to
understand which impact attributes are more important to the organization
and in what order they exist, a numbered average may provide a better view
than a simple high-water mark.
Q: Is the OICM a requirement of the NSA IAM, or is it one of those flexible
pieces that can be developed separately as a business process?
A: The OICM is required for the assessment to be compliant with the NSA
INFOSEC Assessment Methodology. If your organization is considering an
IA-CMM rating from NSA based on your ability to perform the IAM for
customers, you’ll need to ensure that this part of the IAM process exists.
Assessments that do not conform to the IA-CMM as released by NSA should
not be submitted for use or review during the rating process.
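The matrix mechanics from the TOOT case study (rate each information type against each impact attribute, then take the highest rating in each column as the high-water mark) and the numbered-scale alternative described in the answer above, as an added Python example; this is not code from the book or from the NSA IAM. The information type names follow the TOOT chapter, but every rating is constructed sample data, and the helper that reports which information types set each high-water mark goes beyond what the chapter describes.

```python
"""OICM helpers: high-water mark and numeric-scale mean per impact attribute.

Rows are the customer's rolled-up information types, columns are the impact
attributes, and each cell holds the rating the customer assigned from their
impact definitions.  All ratings below are constructed sample data.
"""
from statistics import mean

# Ordinal scale used in the chapter, lowest impact first.
HML_SCALE = ("Low", "Medium", "High")

# The basic impact attribute set TOOT chose.
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")

# Constructed sample OICM.  Information type names follow the TOOT case
# study; the ratings are invented for this example, not TOOT's figures.
SAMPLE_OICM = {
    "Regular freight tracking":   {"Confidentiality": "Medium", "Integrity": "Medium", "Availability": "Low"},
    "Sensitive freight tracking": {"Confidentiality": "High",   "Integrity": "High",   "Availability": "Medium"},
    "Passenger information":      {"Confidentiality": "High",   "Integrity": "Medium", "Availability": "Low"},
    "Track condition monitoring": {"Confidentiality": "Low",    "Integrity": "High",   "Availability": "High"},
    "Corporate finance":          {"Confidentiality": "Medium", "Integrity": "Medium", "Availability": "Low"},
}

# The same constructed matrix on the 0-5 scale the FAQ mentions (0 = least impact).
SAMPLE_NUMERIC = {
    "Regular freight tracking":   {"Confidentiality": 3, "Integrity": 3, "Availability": 1},
    "Sensitive freight tracking": {"Confidentiality": 5, "Integrity": 5, "Availability": 3},
    "Passenger information":      {"Confidentiality": 5, "Integrity": 3, "Availability": 1},
    "Track condition monitoring": {"Confidentiality": 1, "Integrity": 5, "Availability": 5},
    "Corporate finance":          {"Confidentiality": 3, "Integrity": 3, "Availability": 1},
}
NUMERIC_SCALE = tuple(range(6))


def validate_matrix(matrix, attributes, scale):
    """Reject a matrix with an empty cell or a rating outside the agreed scale.

    The chapter notes that the OICM is revisited whenever the impact
    definitions change; a rating that no longer appears in the scale is the
    usual symptom of a row that was not revisited."""
    for info_type, row in matrix.items():
        missing = set(attributes) - set(row)
        if missing:
            raise ValueError(f"{info_type}: no rating for {sorted(missing)}")
        for attr, rating in row.items():
            if attr not in attributes:
                raise ValueError(f"{info_type}: unknown attribute {attr!r}")
            if rating not in scale:
                raise ValueError(f"{info_type}/{attr}: {rating!r} is not in {scale}")


def high_water_mark(matrix, attributes=ATTRIBUTES, scale=HML_SCALE):
    """Highest rating in each attribute column, as the chapter defines it."""
    validate_matrix(matrix, attributes, scale)
    return {
        attr: max((row[attr] for row in matrix.values()), key=scale.index)
        for attr in attributes
    }


def high_water_drivers(matrix, attributes=ATTRIBUTES, scale=HML_SCALE):
    """Which information types set each column's high-water mark.

    Not part of the chapter's method; added because it points to where
    protection for that attribute has to be strongest."""
    hwm = high_water_mark(matrix, attributes, scale)
    return {
        attr: [name for name, row in matrix.items() if row[attr] == hwm[attr]]
        for attr in attributes
    }


def attribute_means(matrix, attributes=ATTRIBUTES, scale=NUMERIC_SCALE):
    """Numeric alternative from the FAQ: mean impact per attribute, ranked
    highest first.  Unlike the high-water mark, the mean separates
    attributes that all reach the top of the scale somewhere."""
    validate_matrix(matrix, attributes, scale)
    means = {attr: mean(row[attr] for row in matrix.values()) for attr in attributes}
    return sorted(means.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("High-water mark:", high_water_mark(SAMPLE_OICM))
    print("Set by:", high_water_drivers(SAMPLE_OICM))
    print("Numeric high-water mark:", high_water_mark(SAMPLE_NUMERIC, scale=NUMERIC_SCALE))
    print("Ranked means:", attribute_means(SAMPLE_NUMERIC))
```

On the constructed data the high-water mark is High (or 5) for all three attributes, while the column means rank Integrity above Confidentiality above Availability, which is the distinction the answer above draws.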

Q: Our customers always seem to lean toward very simple impact definitions. What are your recommendations for how detailed these definitions should be, and does it really matter?

A: The definitions are an important piece of creating the OICM. Although the definitions should come directly from the customer, we find it useful to make recommendations based on our own experience. This could include experience in information security in general or in the industry specific to the customer. In the end, the definitions need to be detailed enough that the company can legitimately measure the true impact of security incidents on the organization. If the definitions are too general, it will be difficult to gauge actual impact and the matrix will lack total value.
Q: How long does this particular process actually take?

A: The process laid out in this chapter can vary in length based on multiple factors. How complex and large is the organization you’ll be assessing? Do you know if a lot of internal personality conflicts or politics might come into play? Is the management likely to take control of the situation, or do things tend to get out of hand easily because the company representatives in the room can’t be brought to a decision? The NSA IAM gives a rough guideline of about two days to create the OICM. From our perspective, this process can take as long as a week, depending on the answers to the previous questions. Regardless of how long it takes, this piece has to be done correctly or the rest of the assessment results may be skewed.

Q: I see from the information provided in this chapter that we’ll want to list all the information types we can think of and then roll them into more generalized groups, but is there a recommended range or number of groups we need to stick to when creating the list?

A: In class we use four or five groups of information types in order to simplify the exercises. In a real-life situation, the actual number of types will depend heavily on how the customer decides to roll up the information. Obviously, you’ll have some input into the process, so you can steer them toward the highest level of rollup possible. Typically we end up with anywhere from six to 12 information types listed on the customer OICM. In a couple of instances, there were more or fewer, but this appears to be the standard range.
Chapter 4
System Information Criticality

Solutions in this Chapter:
- Stepping into System Criticality
- Determining System Boundaries
- Defining the Systems
- Creating the System Criticality Matrix
- Summary
- Frequently Asked Questions
Introduction
Defining the critical information with the customer, as we just did in Chapter 3, should have allowed everyone involved in the organizational assessment process to better understand how the customer’s business operates and the various pieces of information that play an important role in the completion of the customer’s mission. To this point, the customer has played a vital role in the assessment process by specifically defining the different critical information types and identifying the organization’s mission. They’ve also helped by defining the levels of impact that they consider important, relative to their business and industry. All this information has been organized into an easy-to-read matrix that defines (at a high level) the information criticality of the organization.

The next step is just as critical from an assessment point of view because it defines those specific systems that process, transmit, or store the customer’s critical information. These are the key information systems that have the greatest impact on the customer’s operations. From a technical perspective, these are the systems that will be most focused on during any technical evaluations that occur in conjunction with the IAM assessment process. From a purely organizational perspective, these are the systems that need the deepest scrutiny because the compromise or complete loss of these particular information systems would most likely have a distinct and often painful impact on the organization. As in Chapter 3, the activities in this chapter cannot be completed adequately without the involvement of the customer. We provide some example systems to help you better understand the diversity of systems you may encounter at customer sites:
- Human resources systems
- Help desk system
- Network monitoring system
- Inbound order system
- Customer information system
- Security and audit system
- Corporate finance tracking system
- Research and development system
- Investment tracking system
- Command and control system
Remember, this portion of the assessment is still in the pre-assessment phase
and is conducted directly following the creation of the Organizational
Information Criticality Matrix (OICM) described in Chapter 3. We’ve broken
down the concepts to make it easier to understand their individual impact on the
assessment process.
Stepping into System Criticality
Similar to the methodology we used to identify the organizational information criticality and fill in the OICM, the process of identifying the system criticality is completed with the customer close at hand. The assessment team will also complete matrices similar to the OICM, but these will focus specifically on each system we’re able to identify and not necessarily the organization as a whole.
NOTE
It’s important that the reader have a solid grasp on the concepts we discussed in Chapter 3 before moving on to this chapter and the ones that follow. Chapters 3 and 4 help lay the foundation of knowledge you’ll use when you complete the NSA IAM-compliant assessment on your own organization or a client. If it’s been a while since you’ve read Chapter 3, consider reviewing the Summary of that chapter before continuing.

Understanding Why…
Information Criticality Before System Criticality
The NSA IAM is designed to identify the information criticality before the system criticality with specific intent in mind. Each entity has a mission that it strives to achieve on a daily basis. This is the entity’s reason for existence. Within that organization, there are specific pieces of information without which the organization will not be able to achieve its mission goals. By identifying those pieces of information first, we can better isolate the most critical systems within the organization. Without that information, we’re left to try to defend every system component within the organization at the same level, which is not only inefficient but also wastes valuable time and resources.
When we addressed organizational information criticality in Chapter 3, we were trying to take a snapshot in time of the critical information types and their impact on the organization based on known guidelines, policies, regulations, and restrictions. Because the NSA IAM is a top-down model, we can consider this snapshot as having been taken at a very high level, which we refer to as the 50,000-foot picture. As the assessment moves into the identification of the critical systems and our creation of the System Criticality Matrix, the assessment process moves down to the 20,000-foot picture. Figure 4.1 shows the approximate levels of granularity between the various phases of security analysis.
Figure 4.1 Security Phase Granularity (vertical scale in feet from 50,000 down to 500; phase bands labeled Information Assessment and Information Evaluation; activities labeled OICM, SCM, Network, Server/Host, and Red Teaming Activities)
Figure 4.1 provides a good depiction of how detailed the process becomes as the security team progresses. The NSA IAM is covered under the Information Assessment section. The technical pieces of information evaluation and red teaming activities are not covered in this book. Suffice it to say that we’ve moved down to the 20,000-foot level in order to identify the systems responsible for the organization’s critical information.
TERMINOLOGY ALERT
Red teaming describes the third tier of information security assessment and evaluation activities conducted by the National Security Agency. The term means slightly different things depending on the organization doing the red teaming, but in all cases it implies that security activities are conducted in an adversarial and invasive manner. Some commercial firms refer to these activities as attack and penetration. The goal is to break into the customer network from a hacker’s perspective, using any skills necessary to attempt a compromise of the customer network. Normally, the red teaming activities are conducted after the NSA assessment (IAM) and evaluation activities have occurred to test the security solutions that have been implemented at the customer organization.
Defining High-Level Security Goals
Now that the customer has defined the critical information types (as discussed in
Chapter 3), they can work on defining the organization’s high-level goals con-

cerning information security.These goals vary greatly between industries and
depend heavily on the customer’s subjectivity as well as local, state, and federal
regulations. Each goal the customer defines should reflect the concerns about
protecting the critical information types from each impact attribute being used
in the assessment process (e.g., confidentiality, integrity, and availability).
Consider a healthcare institution in the United States that now has to take patient privacy into consideration due to the Health Insurance Portability and Accountability Act (HIPAA). The institution's primary security goals may be the protection of all patient healthcare information used to treat patients and stored within its information systems. The government imposes stiff penalties and fines against healthcare agencies that do not adequately protect this information.
In contrast, an active military unit engaged in hostile combat activities abroad may be more concerned with the security of its command and control systems that guide troop movements, relay strategic and tactical plans, and allow communication with remote units. The unit's standards of security are based primarily on guidelines handed down from the DoD. The military unit's high-level security goals are certainly critical to that organization but are completely different from those defined by the healthcare organization.
Each of these security goals should relate back to the OICM that the assessment team and the customer created during the activities defined in Chapter 3. Since the OICM lays the customer information types out in a fashion that defines the high-level impact of each type to the organization, we're in a better position to address the protection mechanisms that need to be considered. At the very least, the assessment team can help the customer better relate to the need for protection of these information types.
As an example, let's use the OICM from the previous chapter to create some generic security goals. This is more an exercise in creative planning than actually laying out specific security guidelines, but these actions will help focus the customer on security and get the entire assessment team thinking along the lines of protecting information. For instance, in the matrix shown in Figure 4.2, we see that the customer has rated customer information as High in integrity. This implies that, for this information type, added protection should be considered against the loss of integrity. Failure to provide adequate protections for this information type has already inherently been defined as having the ability to cripple the organization.
Using this example to further define possible high-level security goals, we
need to think along the lines of solutions that could potentially help protect the
integrity of our information type. For instance, we might be able to consider
some form of encryption on the customer information or perhaps even use some
form of file system hashing function to ensure that files aren’t changed without
our knowledge. We’re not defining specific solutions yet, but we need to keep
these potential solutions in mind as we examine the actual systems more closely.
Some of our hypothetical solutions might not work because they impact the cus-
tomer’s operations, whereas some could be seamless and transparent to the
system’s users.
In counterpoint, the impact rating for account information for the loss of availability shows a Low impact to the organization. Using common sense, we derive that the protection mechanisms needed for this information type may not need to be as stringent as those for integrity of customer information. The loss of availability of the account information type should not, according to the customer's own definitions, impact the organization as adversely as our first example.
WARNING
Although the previous explanation gets the point across that we're looking for the High impact pieces of information criticality and using those to pinpoint specific components of the customer information architecture that probably need more protection than others, it does fail to adequately convey one simple point. Just because something is listed as a Low impact to the organization, it should not be considered any less deserving of protection or security. Protection is still needed by all critical information types listed in our matrix, but some items simply need more security than others due to the impact they will have on the organization if they are compromised. Don't get caught up in the idea that something is Low and deserves less attention. We simply use Low to imply that the information type would have less impact on the organization if lost than others would. This concept is important to convey to the customer as well since there is a tendency to assume that Low items can be overlooked in favor of protecting the High impact items.

[Figure 4.2 Organizational Information Criticality Matrix: rows Customer Information, Account Information, Employee Information, Corporate Finances, Research & Development; columns Confidentiality, Integrity, Availability, High Watermark; each cell rated High, Medium, or Low]
Locating Additional Sources of Requirements
While the assessment team is working through this process, a secondary continual process needs to be occurring in the background to help identify any additional sources of requirements that must be considered. Customers generally tend to know about the requirements that have the most impact on the organization, from an information protection perspective. But this might not always be the case.
For instance, schools and colleges will most likely already have a good idea about relevant regulations concerning the protection of student privacy information. In the United States, this privacy guideline is called the Family Educational Rights and Privacy Act, or FERPA. But the assessment team should be aware that, in some cases, you may be dealing with a customer that has very little understanding of the actual requirements or regulations to which they're required to adhere. In the majority of these types of situations, you will most likely be dealing with a smaller customer. Your experience as a collective assessment team will become extremely useful to these customers.
The goal here isn't necessarily to come up with regulations of which the customer isn't already aware. The team just needs to ensure that all required security bases have been covered during the assessment process. There could be local regulations that directly impact the security or protection of information within the customer organization. Failure to include these things in the analysis performed during the assessment process could lead to penalties or fees imposed on the customer further down the road in the event of a compromise.
An example of local regulations that could impact your customer is a possible physical security restriction. Let's consider our healthcare institution again, only this time we'll say it's a small hospital in a local community. Our assessment team has contacted the town hall and discovered that the local government has decided that only licensed law enforcement officials are allowed to carry loaded firearms within local public facilities buildings. This impacts our customer because they would like to see armed private security guards hired to police the hospital premises and protect patient information. This local restriction impacts the customer's ability to implement a security solution they are interested in putting in place.
Some potential additional sources of requirements, if the customer is relatively small or inexperienced, could also include something as commonplace as federal policies or regulations. The experience of the team leader or assessment team members will be an invaluable resource in helping define these sources. In the end we are looking to protect the customer from any adverse actions resulting from the lack of security of information considered critical by any outside entity or governing body or due to the inappropriate implementation of security solutions that may be considered taboo or illegal.
Good ways to start looking for these additional sources might be as simple as making a phone call to the local city council office. Industry associations often have a very good understanding of security requirements, so if your customer is in the utilities industry, for example, perhaps contacting the appropriate utility member association can shed light on appropriate regulations to consider. The Internet can also provide a very useful interface for finding regulatory compliance issues that may impact your customer. Most regulations are made public on special Web sites that focus on that industry. Some popular regulatory Web sites are listed in Table 4.1.
Table 4.1 Regulatory Web Sites

Category               Regulatory Standard                                    URL
Education              Family Educational Rights and Privacy Act              www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Healthcare             Health Insurance Portability and Accountability Act    www.hhs.gov/ocr/hipaa
Financial and banking  Gramm-Leach-Bliley Act of 1999                         www.senate.gov/~banking/conf
Financial              Sarbanes Oxley Act of 2002                             www.aicpa.org/info/sarbanes_oxley_summary.htm
Federal or military    National Security Agency Guidelines                    www.nsa.gov/snac.index.html
Determining System Boundaries
One of the biggest concerns that any assessment team will confront while trying to define systems in a customer's organization will be locating known or perceived boundaries for the system. Boundaries provide a delineation of the system in much the same way as a state line or country border defines each specific government body. Boundaries limit the scope of each system. And remember from our previous definition, a system in the context of our assessment activities is something that transmits, stores, or processes the critical information types within the customer organization. When we define boundaries, we define them based on the physical aspect of the boundary or the logical transfer of the information from one responsible hand to another.
Physical Boundaries
Physical boundaries are often the easiest for the customer and the assessment team to understand. The physical boundary of a system may be as simple as the network jack on the wall, a port on the switch, or an interface on the perimeter firewall. In a more metropolitan-based system, the system could be delineated by the particular building within a city in which the system is used exclusively. On a more global basis, perhaps the system is defined by a particular set of replicated servers and workstations at each of 12 global sites that all share the same information database. Again, physical boundaries tend to be more tangible than logical boundaries because those things can be "touched" in some physical manner. The following list gives common examples of some physical boundaries you'll see during information assessments:

- Switch port
- Firewall interface
- Perimeter router
- Subnet router interface
- Building entrances and exits
Logical Boundaries
Logical boundaries are less tangible and often more difficult for the customer to define outright. These types of boundaries refer to where the critical information changes hands to another entity that then becomes the responsible party for controlling access to the data. A good example of something like this is where a bank transfers information on customer transactions to a partner bank. Once the information leaves the hands of the local bank and moves into the customer's own bank, the information then becomes the responsibility of the partner bank. Thus the security of that information passes to the partner bank as well. These types of relationships are the best way to view logical boundaries.

From an internal customer perspective, maybe we’re dealing with multiple
entities or branches within the organization that control the same information in
different phases of its life cycle. Information may arrive in the system via a Web
environment that is strictly controlled by the Web or IT teams and then passed
from this network to the procurement department. When the information
changes hands and the originating party loses control of and responsibility for the
information, we’ve located a logical boundary for the system at hand.
The easiest method of locating these logical boundaries is by creating a data flow diagram with the customer. Data flow diagrams emulate the flow of critical information types within the network. This includes flows from primary servers to workstations or hosts that use the information. Network components are also considered during this process.
From Figure 4.3 you can see that the customer has decided that the network components within the red circle are considered a full system. From the customer perspective, this means that the highlighted servers, workstations, and network components are the single realm within which one or more information types reside. The system could be restricted to a single information type, but it should include all components that have access to the information. In the network diagram shown in Figure 4.3, the physical and logical boundaries of the system would be the external IP address of the firewall. It's at this point that direct control over the information is lost to the larger network.
NOTE
At times the entire customer network becomes a single system. This most often occurs when all information types are utilized across the entire network. Although the customer needs to make the decision on the delineation of the information systems in the organization, the assessment team leader might need to help better define a "system." We have also found it beneficial to provide examples for the customer that can help direct their thought processes.
Defining the Systems
The actual definition of the various systems at the customer location must be left mostly to the care of the customer. But similar to other activities that have occurred to this point, the assessment team will act as an experienced guide for the customer. However, it is worth repeating that the assessment team cannot make decisions for the customer. Fortunately, since we're at the point in the assessment process where the majority of critical information types have already been defined for the customer, the process of defining the specific systems should not be terribly painful. Information lives in systems, and all we're attempting to do is define the systems and the information types that live in each one.

[Figure 4.3 Sample System Definition: network diagram showing the Internet, routers, two firewalls, an external Web server, a hub, a bridge, a dial-in maintenance port (open), and hosts (WinNT 3.5 and WinNT 4, Win95, UNIX, HP UX, IBM AIX, LINUX RH 5.0, a VAX minicomputer, a laptop computer, and a laser printer); the components inside the red circle make up the defined system]
Defining systems can be either simple or confusing. It depends on how much
the customer understands about the process and what the team is trying to
achieve.The customer’s opinions about what a system actually is will impact the
definition process as well. Individuals within the organization may have varying
views on what a system consists of, but in the end the final decision still rests
with the power broker.
As we walk through the following process of defining the critical systems, we'll be analyzing several key areas such as:

- Understanding what makes a system critical
- Identifying critical paths that define specific systems
- Creating the System Criticality Matrix

We first need to understand what makes the system critical or not critical. Next, we need to view the entire network in a logical flow so that we can better understand the flow of information within the network. This process helps identify any critical paths that help define specific systems. The last step is the actual creation of the System Criticality Matrix.
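The boundary rule from the previous section and the roll-up of a system's ratings from the OICM, as an added Python sketch (not a tool from the book or the NSA IAM): the OICM cells beyond the two the text cites, the component names, owners, flows, and the per-attribute roll-up rule are constructed assumptions.

```python
"""Constructed model of the boundary and system-definition steps above (added
example, not a tool from the book): each component records who is responsible
for the data it handles and which information types live on it."""
from dataclasses import dataclass
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
NAME = {v: k for k, v in LEVEL.items()}
ATTRS = ("Confidentiality", "Integrity", "Availability")

# Constructed OICM in the layout of Figure 4.2; only Customer/Integrity=High and
# Account/Availability=Low are taken from the text, the other cells are made up.
OICM = {
    "Customer Information": {"Confidentiality": "High", "Integrity": "High", "Availability": "Medium"},
    "Account Information": {"Confidentiality": "Medium", "Integrity": "Medium", "Availability": "Low"},
    "Employee Information": {"Confidentiality": "High", "Integrity": "Medium", "Availability": "Low"},
}

@dataclass(frozen=True)
class Component:
    name: str
    owner: str                      # party that controls access to the data here
    info_types: frozenset = frozenset()

def high_watermark(row):
    """Highest rating across the attributes of one matrix row."""
    return NAME[max(LEVEL[r] for r in row.values())]

def logical_boundaries(components, flows):
    """Flows on which the information changes hands to another responsible
    party: each such edge is a logical boundary."""
    owner = {c.name: c.owner for c in components}
    return [(src, dst) for src, dst in flows if owner[src] != owner[dst]]

def system_criticality(system, oicm):
    """Per attribute, the highest OICM rating among the information types that
    live in the system (assumed roll-up rule, mirroring the high-watermark idea)."""
    types = set().union(*(c.info_types for c in system))
    if not types:
        raise ValueError("a system must store, process or transmit some information type")
    row = {a: NAME[max(LEVEL[oicm[t][a]] for t in types)] for a in ATTRS}
    return {**row, "High Watermark": high_watermark(row)}

def protection_priority(oicm):
    """All (type, attribute, rating) cells ordered High to Low; nothing is
    dropped, so Low cells stay on the list instead of being overlooked."""
    cells = [(t, a, oicm[t][a]) for t in oicm for a in ATTRS]
    return sorted(cells, key=lambda c: -LEVEL[c[2]])

# Constructed data flow: IT runs the Web front end and a workstation; customer
# and account data pass to procurement, which forwards account data to a partner.
COMPONENTS = [
    Component("Web Server", "IT", frozenset({"Customer Information"})),
    Component("IT Workstation", "IT", frozenset({"Customer Information"})),
    Component("Procurement DB", "Procurement", frozenset({"Customer Information", "Account Information"})),
    Component("Partner Bank Gateway", "Partner Bank", frozenset({"Account Information"})),
]
FLOWS = [("Web Server", "IT Workstation"), ("Web Server", "Procurement DB"),
         ("Procurement DB", "Partner Bank Gateway")]
if __name__ == "__main__":
    print(logical_boundaries(COMPONENTS, FLOWS))       # the two owner changes
    print(system_criticality(COMPONENTS[:3], OICM))    # system inside the customer
```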
From the Trenches…
Constant Changes
The reason we mention that the majority of information types will have been defined up to this point is that often customers will forget or overlook critical pieces of information. From an assessment team point of view, you need to remember that changes will happen. Customers will forget to mention things until later in the process. Maintaining your calm and flexibility will make the entire process flow more smoothly, and the results will provide much more benefit to the customer.