PS-08-012.02 Data and Asset Categorization

Issue Date:  3/20/2008

Revision Date:  12/15/2014

Review Date: 8/30/2024

PURPOSE

Data is a critical asset of the state.  All agencies have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by the state, irrespective of the medium on which the data resides and regardless of format (such as in electronic, paper or other physical form).  However, to adequately protect the data, there must be an understanding of what to protect, why to protect it, and how to protect it.

Data and asset categorization is essential in this understanding and enables agencies to proactively implement appropriate information security controls based on the assessed potential impact on the organization should certain events occur that jeopardize information confidentiality, integrity, and availability and in turn support their mission in a cost-effective manner. An incorrect information system impact analysis (i.e., incorrect FIPS 199 security categorization) can result in the agency either overprotecting the information system thus wasting valuable security resources, or under protecting the information system and placing important operations, assets, or individuals at risk. The aggregation of such mistakes at the enterprise level can further compound the problem.

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(21) - State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Policy

TERMS AND DEFINITIONS

Security Categorization – the characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.

Security Objective – Confidentiality, Integrity, and Availability

Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]   (A loss   of confidentiality is the unauthorized disclosure of information.)

Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542]    (A loss of integrity is the unauthorized modification or destruction of information.)

Availability - “Ensuring timely and reliable access to and use of

Information …” [44 U.S.C., SEC. 3542]   (A loss of availability is the disruption of access to or use of information or an information system.)

POLICY

Data Owners shall inventory their information systems and assign a security category of HIGH, MODERATE or LOW to each system for which they hold responsibility using the categorization process contained in FIPS 199 Standards for Security Categorization for Federal Information Systems.  The information processing systems shall assume a security category equal to the highest level assigned to the data or information in aggregate except where a system function or process is more critical than the data it processes.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Data Categorization-Impact Level  SS-08-014

Classification of Personal Information  SS-08-002

REFERENCES

NIST Computer Security Resource Center – http://csrc.nist.gov/ 

FIPS  199  Standards for  Security Categorization  of  Federal Information and Information Systems https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf )

SP 800-53 Security and Privacy Controls for Information Systems and Organizations