In this lesson, we're going to talk about step two of the Risk Management Framework in the real world. Step two is the Categorize step. Now, the purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of the systems and the information processed, stored, and transmitted by those systems. When we look at the Categorize step, we're really focused on three main outcomes. First, the system's characteristics are documented. Second, the security categorization of the system and information has been completed. And third, the categorization decision has been reviewed and approved by the authorizing official. So, as you can see, when you're working through the Categorize step, it is really your responsibility to look at all of your different systems that are going to be a part of your RMF package and determine what level they're going to be categorized at.
Now, when we talk about categorizing a system, it's not just based around the confidentiality, integrity, and availability of that system, but we also have to ask what's unique about that system and the mission it's been designed to fulfill. When you start thinking about things like weapon systems, Internet of Things systems, and other devices like this, you have very unique requirements in all of those types of systems. And these can't necessarily be implemented the same way that you might do a baseline categorization based on a server or a website or a workstation or something like that. This is because these systems have unique CIA requirements in terms of confidentiality, integrity, and availability, as well as a lot of other requirements that go beyond the standards that are set out in that CIA triad. Now, this is really where the tailoring ability of RMF comes into play and gives us a lot of support here, because RMF users are expected to adapt RMF to their specific situation.
So, if you're trying to get an RMF package through for a new weapon system, that is going to be very different than if you're trying to put through an RMF package for a new website or a new cloud-based server. All of those are going to have different requirements, and you're going to be able to define those requirements by selecting the right categorization for each of those systems. Now, as we move into the Categorize step, this is really where the rubber starts to meet the road in terms of risk management for us as professionals. This is a great time for us to open up "NIST Special Publication 800-53", which is the Security and Privacy Controls for Information Systems and Organizations. And so once you open up this document, you are going to find that there are several hundred pages of different controls listed here.
Now, my goal here is not to have you read and understand every single one of these controls or to memorize all of these controls, but instead I would like you to go through this document and start seeing the types of controls that you can select from. And those controls that you're going to select are going to be based on this categorization that we're doing here in step two. So, it really is important for you to understand what type of controls are out there, because as you start categorizing your system at a certain level, you're going to be buying yourself into certain types of controls based on the level of that classification. So, as you start going through "NIST Special Publication 800-53", I want you to really focus on getting comfortable with the terms and the taxonomy of the words and the way things are laid out, so you can have a better idea of the different types of controls that you can select from as we move into future steps as part of our RMF process, such as the Select step in step three.
Now, one of the big decisions you're going to have to make when categorizing a system is how to define what type of information is being used in those systems. Now, the concept of an information type is for us to start building an understanding of what type of system you have and all the different types of data that are being processed by that system. Really, at the end of the day, data is everything, and it's the reason why we have these information systems in the first place: to process all that data and information to give us some kind of actionable result. So, the concept here is really simple. We're going to look at a system that's processing some kind of data. Let's say it's medical records in this example. Now, if I have medical records, that means I'm going to have to categorize that as Protected Health Information, or PHI. That is the information type. Now, based on that, I would then look at my system and categorize what level I need to protect the system to.
Is this a low, medium, or high type of system? Well, because we're dealing with something like Protected Health Information, or PHI, it's probably going to be a medium system or even, possibly, a high system. Now, again, this is going to depend on the system, its requirements, what you're doing with that system, and how many controls we're going to need to add in order to get that risk down to an acceptable level. So, once again, it's important for us to understand the risk tolerance of our organization so we can determine exactly how much we have to mitigate down that risk to what is considered an unacceptable level. Now, if you're working in the government sector, or particularly the military sector, you're going to have a lot of different information types that are given to you in advance: things like Unclassified, Sensitive But Unclassified, Classified, Secret, Top Secret, and then Top Secret with certain caveats.
And all of these have certain levels of controls that are going to be associated with that level of information. So, if I have a brand new web application and it's going to be processing Top Secret data, I already know that because I'm dealing with Top Secret data, there are certain controls that I'm going to have to select, because those are defined by the military and the Department of Defense for that level of information. So, once you decide what level of information you have, you can then figure out what things are being dictated to you and what things your organization can add on top of that to give you additional controls and mitigate down the risk further. Now, the biggest challenge I see for people when they're working on this categorization step is that they don't know how to categorize their information. Like I said, some information is really easy, because it says this is Top Secret or this is protected health data.
And in those cases, there's a set of controls that most organizations are already going to have set up, and you can just select from those controls. But if you're dealing with something a little bit more special, for example, in my company, we deal with a lot of information that we collect from our students, such as the test scores that they have, which exams they've taken, which certifications they've earned, and things like that. That type of information is not necessarily considered PII, or Personally Identifiable Information, or it may not be considered something like student records under FERPA, because we are not a non-profit or government-based organization. And because we're not, we don't have to follow FERPA rules, because those only apply to colleges and universities and high schools and things like that. So, as you look at your information, you have to look at it and figure out what level it needs to be protected to.
If it's something defined, like patient records or a presidential testimony or some kind of Top Secret information, that becomes pretty clear. But when you're dealing with other things, it's really going to be based on your organization and how you classify your data. So, it's important for you to start looking at that and then categorizing your systems based on the information they're going to be processing. Now, once you know your information types and you've made a list of all the different types of information that you're going to be categorizing as part of this system, you are then going to identify, for each of those, which categorization level it's going to be. For example, you might look at a piece of data or information and say, "This is going to be a confidential item. This other one over here, this is going to be a secret item. This other one over here, this is going to be credit card data. This other one over here, it's going to be health data."
And then once you've listed out each of those different types of information and categorized them, we'll then be able to move into step three, where we'll start putting controls against those different types of information as a way to protect that information inside of our new system. Now, one of the things you're going to see in the real world is that, oftentimes, the classification of that information is going to be a negotiation and not a clear black-and-white decision. Now, the reason I say that is because we're going to be negotiating with other people on our team to determine what categorization we're going to apply to a given type of information. This is because if you use high for everything, which a lot of people tend to do, you're going to be buying yourself into a lot of extra work and a lot of extra controls that are going to be mandated based on that high classification.
On the other hand, if you categorize everything as low, you're going to have a lot fewer controls, which makes getting through the RMF process easier. But you may be accepting additional risk by setting those information types as a low-categorized item. And this is one of those things you're going to have to go back and think about as you're negotiating what level each type of information should be. Because as you go higher in levels, you're going to have additional controls, additional costs, and additional time added to that system. And for that reason, most people who do RMF don't really want to list anything as a high item, because if you look at that as a high item, this means it's a lot more work for us to get there. For example, if you have something labeled as a medium, it may take 50% of the work, but if you label something as a high, it may take 100% of the work.
On the other hand, if you label it as a low, it may be 25% of the work. And so you're going to have a lot more controls and a lot more cost associated with a high item than you are with a medium item, and a lot more with a medium than you will with a low. And for this reason, people will try to negotiate downward the level at which they're going to categorize that information, so they can get through the process easier. Now, if I was king for a day, I would actually change RMF to be a little bit more specific in what they consider low, medium, and high, so it would be easier for us as practitioners to decide what it's going to be.
But because RMF is a framework and it's designed to be very tailorable, they leave this up to each and every organization, based on their organizational risk appetite as well as their place in the larger ecosystem that they're involved with, such as the Department of Defense or the overall US government or wherever else they fit in based on their organization type. Basically, what I'm saying is that as you work with RMF over time, you're going to start creating your own list of where you think different types of information should be. For example, if I'm dealing with Protected Health Information or PII, I may categorize that as a medium, but if I'm dealing with Secret or Top Secret information, I might categorize that as a high level of information that needs to be protected with additional controls.
And based on those, and based on my organization, we may have certain controls that will apply to all medium systems or all high-level systems that we're going to be processing data on. And because of that, that then tells us which controls we're going to add to each and every package that we move forward with, based on whether we classify that data as low, medium, or high, or PII, PHI, Confidential, Secret, Top Secret, and things like that. And that's really what we're talking about here in step two, the Categorize step. We're deciding how we're going to categorize the information in the system and the system that processes that information, so we know what level of controls we're going to have to add later on in the RMF process.