Data and Asset Categorization

PS-08-012.02 Data and Asset Categorization

Issue Date:  3/20/2008

Revision Effective Date:  12/15/2014

Review Date: 7/1/2018

PURPOSE

Data is a critical asset of the state. All agencies have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the state, irrespective of the medium on which the data resides and regardless of format (electronic, paper or other physical form). To protect data adequately, however, an agency must understand what to protect, why to protect it and how to protect it.

Data and asset categorization is essential to this understanding. It enables agencies to proactively implement appropriate information security controls based on the assessed potential impact to the organization should certain events occur that jeopardize information confidentiality, integrity, and availability, and in turn to support their mission in a cost-effective manner. An incorrect information system impact analysis (i.e., an incorrect FIPS 199 security categorization) can lead the agency either to over-protect the information system, wasting valuable security resources, or to under-protect it, placing important operations, assets or individuals at risk. The aggregation of such mistakes at the enterprise level further compounds the problem.

SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS

See Enterprise Information Security Charter PS-08-005.

POLICY

Data Owners shall inventory their information systems and assign a security category of HIGH, MODERATE or LOW to each system for which they hold responsibility, using the categorization process contained in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. An information processing system shall assume a security category equal to the highest level assigned to the data or information it processes, taken in aggregate, except where a system function or process is more critical than the data it processes.
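The aggregation rule above is the FIPS 199 "high-water mark": for each security objective the system takes the highest impact level of any information type it processes, and the system's overall category is the highest of the three objectives. The following Python is an added illustration, not part of this policy or of FIPS 199; the sample system, its information types and their impact levels are constructed, and the optional function override is one way to express the policy's "more critical than the data" exception.

```python
# Added example: FIPS 199 high-water-mark categorization of an information system.
# The information types, impact values and system below are constructed for illustration.

LEVELS = ("LOW", "MODERATE", "HIGH")        # impact levels in ascending order
OBJECTIVES = ("confidentiality", "integrity", "availability")


def highest(levels):
    """Return the highest impact level among the given level names."""
    for level in levels:
        if level not in LEVELS:
            raise ValueError("unknown impact level: %r" % (level,))
    return max(levels, key=LEVELS.index)


def categorize_system(info_types, function_impact=None):
    """
    info_types:      {information type name: {objective: impact level}}
    function_impact: optional {objective: impact level} for a system function or
                     process that is more critical than the data it handles.
    Returns (per-objective levels, overall system category).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {}
    for obj in OBJECTIVES:
        candidates = [impacts[obj] for impacts in info_types.values()]
        if function_impact and obj in function_impact:
            candidates.append(function_impact[obj])   # override can raise, never lower
        per_objective[obj] = highest(candidates)
    return per_objective, highest(per_objective.values())


def fips199_notation(per_objective):
    """Render the security category in the SC = {...} form used by FIPS 199."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        per_objective[o] for o in OBJECTIVES)


# Constructed sample: a payroll system holding two information types.
SAMPLE_SYSTEM = {
    "employee personal data": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public pay schedules":   {"confidentiality": "LOW",      "integrity": "MODERATE", "availability": "LOW"},
}

if __name__ == "__main__":
    per_obj, overall = categorize_system(SAMPLE_SYSTEM)
    print(fips199_notation(per_obj), "-> system category:", overall)
    # The payroll run must complete on time, so the function itself is rated HIGH for availability.
    per_obj, overall = categorize_system(SAMPLE_SYSTEM, {"availability": "HIGH"})
    print(fips199_notation(per_obj), "-> system category:", overall)
```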

REFERENCES

NIST Computer Security Resource Center – http://csrc.nist.gov/

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems

SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations

PM-5 Information System Inventory

RA-2 Security Categorization

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Data Categorization - Impact Level SS-08-014

Classification of Personal Information SS-08-002

TERMS and DEFINITIONS

Security Categorization - The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.

Security Objective – Confidentiality, Integrity, and Availability

Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] (A loss of confidentiality is the unauthorized disclosure of information.)

Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] (A loss of integrity is the unauthorized modification or destruction of information.)

Availability - “Ensuring timely and reliable access to and use of information…” [44 U.S.C., Sec. 3542] (A loss of availability is the disruption of access to or use of information or an information system.)