Due Thursday

Selecting controls is based on the categorization of an organization$$s data. The higher the sensitivity $($Low$,$ Medium, High$)$ of the data, the more protection is required. The CNSSI No$.1253,$ Security Categorization and Control Selection for National Security Systems is a companion document for NIST SP $800-53,$ which is referenced in this week$$s assignment. It describes the processes for data categorization and security control selection.

Within the Risk Assessment $($RA$)$ family of security controls, as listed in Appendix D$-1$ table of CNSSI No$.1253,$ assign those specific security controls required to be assessed for two IT Systems, X and Y$,$ with data categorized as follows:

IT System X:

Confidentiality: High

Integrity: High

Availability: High

IT System Y:

Confidentiality: Low

Integrity: Low

Availability: Low

Discuss the control selection for each IT system.

Which IT system that had more RA security controls required for risk assessment?

What RA security controls that were selected in common for both IT systems?