I am trying to describe the different types of information systems at my job with definitions. Right now, we have "parent", "component", "instance", "stand alone", "shared services" and "stand alone" and it doesn't make sense at all.
Does anyone have any ideas on categories or types of information systems with some NIST or other backing?
"An information system is a discrete set of information resources organized for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of information" -NIST 800-53r5
"Input devices include desktop and notebook computers, keyboards, tablets, and smart phones.
Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers,
and audio devices." -NIST 800-53r5
@tackage you may not find an exhaustive list because it encompasses any system within the CSUSAD data lifecycle (Create, Store, Use, Share, Archive, and Destroy). There may be other devices listed throughout the NIST library though. I'm familiar with those terms you shared when talking about software but not when classifying info. systems.
In the US government we used to classify like this:
1) General Support System (GSS) - usually the main company network (router, switches, servers, and workstations) Usually included email and normally installed applications/software
2) Major/Minor Applications (MA) - This could be in house applications or business divisions that may have their own subsystems or could actually be applications (DevOps, etc.)
Usually the MA's would inherit certain controls from the GSS and might have other controls that differed from the GSS. This made it easier when doing security documentation for the MA's: since they inherited certain controls from the GSS, they didn't have to include them in their security documentation but just point back to the GSS' documentation. Standalone systems that did not ride on the GSS would be more like a Major Application or could even be their own system, depending on agency.
This was also very helpful when looking at dependencies for business continuity. If a MA relied on the GSS then the GSS had priority in restoration procedures. Restore the GSS and then bring up the MA's. Standalone systems could begin the restoration on their own without waiting for the GSS to return to full functionality.
Here are some NIST references:
General Support System
An interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
NIST SP 800-18 Rev. 1 under General Support System from OMB Circular A-130, Appendix III
NIST SP 800-60 Vol. 1 Rev. 1 under General Support System from OMB Circular A-130, Appendix III
NIST SP 800-60 Vol. 2 Rev. 1 under General Support System from OMB Circular A-130, Appendix III
Major Application
An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.
NIST SP 800-18 Rev. 1 under Major Application from OMB Circular A-130, Appendix III
Here is the link to the NIST Glossary: https://csrc.nist.gov/glossary
Tom ( @tackage ) asked,
"I am trying to describe the different types of information systems at my job with definitions. Right now, we have "parent", "component", "instance", "stand alone", "shared services" and "stand alone" and it doesn't make sense at all.
Does anyone have any ideas on categories or types of information systems with some NIST or other backing?"
Why are you trying to set up a taxonomy of info system types? That is, what do you plan to do with the "System Type" field in your info system inventory database?
I ask this because it appears you might be trying to set up a single dimension list, that every system in your inventory is assigned to one and only one type.
Consider, instead, various dimensions for the systems, based on things you must do to support them. For instance:
Classification level (sensitivity) of the stored information, such as privacy, HIPAA, enterprise proprietary, etc.
Access breadth, such as internal users only, shared with contracted associates, and public facing.
Legal storage and archiving requirements.
Infrastructure management such as HVAC, elevators control, network management.
Continuity of Operations requirements for backup, fail over, offsite storage, etc.
... and so on.
The NIST categories already suggested should be helpful, but not the only aspect you will need to track.
@CraginS Just a thought these days: surely you would be dealing with Data, and organising in preparation for Artificial Intelligence using an AI Ladder approach for Neural Networks, or Natural Language Processing (NLP) or even Machine Learning approaches?
But would Government systems be able to use such approaches, given that access to the data required is across the entire organisations - the more data the better the decisions?
@CISOScott Were there any categories further into the GSS? It seems really broad, which is good when referencing the top level security requirements for the GSS but what did you use when specifically referencing the email server in documentation as an example? Some type of numbering system after the GSS designation?
@tmekelburg1 The GSS was the "main" system that almost everyone used. It almost always encapsulated email, network connectivity, Internet access, VPN, and workstations used for "normal" use. DevOps was a Major Application. Even though most of the functionality was provided for by the GSS, they had some particulars and special stuff that only affected DevOps. So when doing security paperwork like System Security Plan (SSP) they would only have to document what was different from the GSS and not have to recreate the whole wheel. Conversely the GSS would not have to document the security stuff for the MA in their documentation. Also, DevOps had no control over the network and workstations provided by the GSS, or network controls including DNS, DHCP, etc. so when documenting those items they just clicked the box that said "Inherited controls from the GSS". Usually the GSS was the main system for the government agency. I never saw an agency with more than one GSS as it was the system that provided general support to most of the agency. Keep in mind that back when this was created everything was not an App like we use today.
Standalone systems and networks were usually smaller and therefore fell into a Major Application category even if they were quite small. If they had email or other network connectivity that was not provided by the GSS, then they had to fill out those items in their security documentation. So if there was a separate email server running under a MA, then they would have to fill out (and be responsible for) how it was being secured, maintained, etc. in the MA's security documentation, otherwise they would inherit the controls from the GSS. Standalone systems, that did not touch any of the GSS' infrastructure usually had a lot more to fill out in their security docs.
Smaller networks or applications (sometimes even individual programs) fell into Minor Applications, even if they were not technically an "application" (as we commonly use the term today).
By doing it this way it simplified the security paperwork that the Major and Minor applications would have to fill out. They would not have to regurgitate what was already in the security docs of the GSS. It also helped define who had control over what. If there was a restriction imposed by the GSS (i.e., USB restrictions) and the MA had a need to be excepted from that restriction, they would have to go to the system owner of the GSS and request the exception. The GSS would have to document in their security documentation the business need and the preventative measures they took to reduce risk or accept the risk for that MA.
Comparing it to today's cloud technology, the GSS would be the Azure or AWS (IaaS). Anything built on top of the infrastructure would be like Platform as a Service (PaaS) and would be like a Major Application, and Software as a Service (SaaS) would be like a Minor Application. The only place this description doesn't fit would be for standalone networks or services that used none of the GSS infrastructure. Since they can't be their own GSS (since they do not provide general support to the entire agency) they would be a Major Application on their own cloud instance, separate from the GSS cloud instance.
I hope this makes sense...
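The GSS / Major Application inheritance and restoration-ordering scheme described in this thread, as an added worked example (not code from any poster or from NIST); the control ids, system names and inventory are constructed for illustration:

```python
# Added example: a tiny model of GSS control inheritance for SSP paperwork,
# plus the "restore the GSS first" ordering. Control ids are constructed
# placeholders, not NIST control identifiers.
from dataclasses import dataclass, field
from typing import Optional

# Constructed catalogue of controls every system's SSP must address somehow.
REQUIRED_CONTROLS = {"email", "dns_dhcp", "workstations", "vpn", "usb_restriction"}

@dataclass
class System:
    name: str
    kind: str                                   # "GSS", "MA" (major) or "Minor"
    rides_on: Optional[str] = None              # GSS it depends on; None = standalone
    provides: dict = field(default_factory=dict)   # control id -> local implementation note
    exceptions: set = field(default_factory=set)   # GSS controls this system is excepted from

def effective_controls(system: System, inventory: dict) -> dict:
    """For each required control, state how this system's SSP must address it."""
    parent = inventory.get(system.rides_on) if system.rides_on else None
    result = {}
    for ctl in sorted(REQUIRED_CONTROLS):
        if ctl in system.provides:                         # runs its own (e.g. own mail server)
            result[ctl] = "local: " + system.provides[ctl]
        elif parent and ctl in parent.provides and ctl in system.exceptions:
            # exception granted by the GSS owner: the GSS documents the business
            # need and the compensating measures / risk acceptance, not the MA
            result[ctl] = f"exception: documented by {parent.name}"
        elif parent and ctl in parent.provides:            # "Inherited controls from the GSS"
            result[ctl] = f"inherited from {parent.name}"
        else:                                              # standalone: fill it in yourself
            result[ctl] = "MISSING: must be documented by this system"
    return result

def restoration_waves(inventory: dict) -> list:
    """Wave 0: the GSS and standalone systems (no dependency); wave 1: systems riding on a GSS."""
    wave0 = sorted(n for n, s in inventory.items() if s.rides_on is None)
    wave1 = sorted(n for n, s in inventory.items() if s.rides_on is not None)
    return [wave0, wave1]

# Constructed inventory: one GSS, one MA riding on it, one standalone MA.
INVENTORY = {
    "AgencyGSS": System("AgencyGSS", "GSS", provides={c: "GSS baseline" for c in REQUIRED_CONTROLS}),
    "DevOps": System("DevOps", "MA", rides_on="AgencyGSS", exceptions={"usb_restriction"}),
    "IsolatedLab": System("IsolatedLab", "MA", provides={"email": "lab mail server"}),
}

if __name__ == "__main__":
    for name in INVENTORY:
        print(name, effective_controls(INVENTORY[name], INVENTORY))
    print(restoration_waves(INVENTORY))
```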
"Just a thought these days: surely you would be dealing with Data, and organising in preparation for Artificial Intelligence using an AI Ladder approach for Neural Networks, or Natural Language Processing (NLP) or even Machine Learning approaches?"
I am not sure what you are suggesting here. AI and NLP processes should be using data (including free-form text entries) in the system that are themselves meaningful to the system's environment. My comment was a suggestion that a category or taxonomy be established only if that distinction among systems would be used for some specific purpose. We can spend all day coming up with buckets to drop systems into that are mutually exclusive but have no discernible purpose.
Could you please clarify your comment?
You also said,
"But would Government systems be able to use such approaches, given that access to the data required is across the entire organisations - the more data the better the decisions?"
It is not a given that all data in a system be universally available. Row security in database access has been pretty well established. As for applying AI or NLP routines to the database, it may be possible to filter the AI or NLP outputs based on the access levels and restrictions of the user (or linked system) seeking the analysis.
Looking forward to more dialog here.
Hi Craig, Thanks for the comments. I too have had a long career within UK Government systems, and the classification of information and associated controls. What I am talking about is the move towards the use of Augmented Intelligence (note: Artificial Intelligence based on the Turing Test, none have passed as yet, although they claim to have). We are in a different world; information and data, whether structured or unstructured, and metadata are power and the new economy. Having access to that information on a protectively marked system, i.e. with one protective marking with all people with authorised access, provides the opportunities to make better decisions in a lot of different spheres, including information security management, and intelligence in terms of preparing such accessible systems for information collection. There is a saying here: there is no AI without IA, or Information Architecture. There is an oxymoron and a conflict between having access to information created using different sources, data types, etc., which provide invaluable data for businesses and governments alike, and not having access to such information due to insufficient clearance or unauthorised access due to one's background etc. Understanding the Information Architecture is absolutely vital for more efficient, more effective decisions to be obtained; without access they lie dormant in archives and silos, providing value only to those who are permitted access.
Happy to discuss in due course.