Information Technology Handbook

5.6 USG Information System Categorization and Data Classification Standard

Version date: May 16, 2014

Data is a critical asset of the USG. All USG institutions, the USO, the GPLS, and the Georgia Archives have a responsibility to protect the confidentiality, integrity, and availability of the information and information systems assets utilized. However, to adequately protect the data, there must be an understanding of what to protect, why protect it, and how to protect it.

The Security Objective is to maintain the confidentiality, integrity, and availability of all information and information systems. Security Categorization is the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organization operations, assets, or individuals, and the USG itself. Confidentiality, integrity, and availability are defined as:

  1. Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.
  2. Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.
  3. Availability - “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to, or use of, information or an information system.

5.6.1 Security Categories

Security categories are based on the potential impact to an organization should certain events occur that jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.


5.6.2 Scope, Enforcement, Authority, and Exceptions

TBD


5.6.3 Standard

Data Owners shall inventory and assign a security category to the information systems for which they hold responsibility. The security category assigned shall conform to FIPS Publication 199, Standards for Security Categorization for Federal Information Systems, which addresses developing standards for categorizing information and information systems according to the potential impact on organizations should there be a breach in security (CIA).

Note: The definition of Data Owners is covered in Section 9, Data Governance and Management Structure, of this Handbook.

Specifically:

  1. The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  2. The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  3. The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security categorization information is shown in the “Nine Box” from FIPS Publication 199, as shown below.

Potential impact levels: Low, Moderate, High

Confidentiality
  Low: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity
  Low: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability
  Low: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  Moderate: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  High: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The generalized format for expressing the security category (SC) of an information system is:

  • SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
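As an added illustration that is not part of the Handbook: a small Python script that produces a category for a hypothetical system in the generalized SC format above. It assumes the FIPS 199 high-water-mark rule (for each objective, the system takes the highest impact assigned to any information type it handles), which this section does not state, and it uses a constructed inventory of information types.

```python
from enum import IntEnum


class Impact(IntEnum):
    """The three potential-impact values the standard allows, ordered so max() is the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def parse_impact(value: str) -> Impact:
    """Accept only LOW, MODERATE or HIGH (case-insensitive); anything else is a data-entry error."""
    try:
        return Impact[value.strip().upper()]
    except KeyError:
        raise ValueError(f"impact must be LOW, MODERATE or HIGH, got {value!r}") from None


def categorize_system(info_types: dict) -> dict:
    """High-water mark (FIPS 199 rule, assumed here): per objective, the highest
    impact assigned to any information type the system processes."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max(parse_impact(levels[obj]) for levels in info_types.values())
            for obj in OBJECTIVES}


def format_sc(system_name: str, sc: dict) -> str:
    """Render the result in the generalized SC format used by the standard."""
    inner = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


def overall_impact(sc: dict) -> Impact:
    """Single level for the whole system: the highest of the three objectives."""
    return max(sc.values())


# Constructed inventory for a hypothetical student records system (not a real USG system).
STUDENT_RECORDS = {
    "public course catalog": {"confidentiality": "low", "integrity": "moderate", "availability": "low"},
    "grades and transcripts": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
    "payment details": {"confidentiality": "high", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    sc = categorize_system(STUDENT_RECORDS)
    print(format_sc("student records system", sc))
    print("overall system impact:", overall_impact(sc).name)
```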

The security categorization process is carried out by the information system owner and information owner/steward in cooperation and collaboration with appropriate organizational officials (i.e., senior leaders with mission/business function and/or information security officer/risk management responsibilities).

Note: The definitions of Information System Owner and Information Owner/Steward are covered in Section 9, Data Governance and Management Structure, of this Handbook.

The security categorization process is conducted as an organization-wide activity taking into consideration the enterprise architecture and the information security architecture. This helps to ensure that individual information systems are categorized based on the mission and business objectives of the organization. The results of the security categorization process influence the selection of appropriate security controls for the information system and also, where applicable, the minimum assurance requirements for that system. Security categorization information must be documented in the system identification section of the security plan or included as an attachment to the plan.


5.6.4 References

