What is the meaning of high-water measurement of impact in ISSMP content ?

The term "high-water measurement of impact" is often associated with determining the impact level of an information system or asset in the context of cybersecurity risk assessments and control selection. This concept is relevant in frameworks such as NIST 800-53 and is also part of the methodology followed by an Information Systems Security Manager (ISSMP) in assessing the potential consequences of a security breach.

Let me break it down for you in the context of both NIST 800-53 and ISSMP.

1. What is the "High-Water Mark" in the Context of NIST 800-53?

The "high-water mark" refers to the highest level of impact (in terms of confidentiality, integrity, and availability) determined when evaluating the potential effects of a security breach on the system. This concept is used during the security categorization process (as defined by FIPS 199) and is essential for selecting the appropriate NIST 800-53 controls for an information system.

In Detail:

• High-water mark in this context is the highest level of impact (Low, Moderate, or High) among the three security objectives (Confidentiality, Integrity, Availability) that is determined during the categorization of a system.
• If one of the security objectives (e.g., Confidentiality) has a high impact, the system will be categorized as having a high-impact level in that area, even if the other two areas (Integrity and Availability) are lower.
• The "high-water mark" dictates the control baseline (Low, Moderate, or High) you use from NIST 800-53. For example:If Confidentiality and Integrity are rated as High but Availability is rated as Moderate, the system would be classified under the High impact level because of the high-water mark for Confidentiality and Integrity. This would trigger the High Baseline set of security controls in NIST 800-53.

Example:

• If a system handles highly sensitive data (e.g., national security information), and a breach of confidentiality would have catastrophic consequences (High impact), while availability and integrity would have a moderate impact, the high-water mark for this system would be set at High. Consequently, the system will require the High Baseline controls from NIST 800-53.

2. The Role of High-Water Mark in ISSMP (Information Systems Security Manager Professional)

In the context of an Information Systems Security Manager Professional (ISSMP), the high-water mark concept plays a crucial role in security categorization and in determining the security controls that are necessary to mitigate risks for an information system.

As an ISSMP, you must ensure that:

• You are categorizing information systems accurately based on their impact on confidentiality, integrity, and availability.
• You use the high-water mark as a method for determining the highest level of impact that could result from a breach of any one of these security objectives.
• Once the impact level is determined, you can then select the appropriate security controls from frameworks such as NIST 800-53, ensuring that the system is adequately protected.

In other words, the high-water mark ensures that security controls are applied holistically based on the worst-case scenario of potential impacts to any security objective.

Practical Example:

Let’s say an ISSMP is managing the security for a government financial system:

• If the system’s Confidentiality is rated as High because of the nature of the financial data it stores, Integrity is rated as Moderate (as modification of the data would be detrimental but not catastrophic), and Availability is rated as Moderate (system downtime would be problematic but not disastrous), then the high-water mark would be High for this system.
• As a result, the ISSMP would ensure that the system uses the High Impact Baseline of controls from NIST 800-53, which provides stronger and more comprehensive security measures (e.g., encryption, multi-factor authentication, advanced auditing) to mitigate the risks associated with the system’s High confidentiality requirements.

3. How "High-Water Mark" Affects Control Selection in NIST 800-53

Once the security categorization is complete, NIST 800-53 provides a set of controls based on the system’s impact level (as determined by the high-water mark). The control selection process works as follows:

• For Low Impact Systems: Only a basic set of controls (Low Baseline) are selected, which are suitable for systems where the loss of confidentiality, integrity, or availability would have a minimal adverse effect.
• For Moderate Impact Systems: A broader set of controls (Moderate Baseline) is selected, which addresses the possibility of a serious adverse effect on operations, assets, or individuals.
• For High Impact Systems: A comprehensive set of controls (High Baseline) is selected, designed to protect against severe or catastrophic impacts.

The high-water mark determines that if any one of the three security objectives (C, I, A) has a high impact, the system must apply the High Baseline controls, which are much more stringent.

4. Why the High-Water Mark Matters in Cybersecurity

• Focuses on the Worst-Case Scenario: The high-water mark methodology ensures that security decisions are made with a focus on the worst possible scenario (i.e., the most critical security objective). This is important because cyber threats often exploit one vulnerability or weakness in a system, and that could potentially lead to a catastrophic failure in terms of confidentiality or integrity, even if availability is less of a concern.
• Effective Risk Mitigation: By applying the high-water mark concept, organizations ensure they are protecting systems adequately, regardless of which individual security objective is the weakest. It helps prioritize investments in security controls where they are most needed.

5. Summary

In NIST 800-53, the high-water mark is the concept of using the highest impact rating (Low, Moderate, or High) among confidentiality, integrity, or availability when categorizing a system. This ensures that the system is protected against the worst-case scenario of any of the three security objectives.

In ISSMP (Information Systems Security Manager Professional) roles, the high-water mark guides the security control selection process to ensure the organization applies the appropriate set of NIST 800-53 controls for a system’s categorization. It helps ensure systems are secured based on the highest risk, providing the right level of defense for the system.

In simple terms, the high-water mark ensures that you apply stronger controls if any of the security objectives pose a high impact on the system, even if the other areas have a lower impact.