Data and Asset Categorization (PS-08-012)
PS-08-012.02 Data and Asset Categorization
Issue Date: 3/20/2008
Revision Effective Date: 12/15/2014
Review Date: 7/1/2018
Data is a critical asset of the state. All agencies have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the state, irrespective of the medium on which the data resides and regardless of format (such as electronic, paper or other physical form). However, to adequately protect the data, there must be an understanding of what to protect, why to protect it, and how to protect it.
Data and asset categorization is essential to this understanding. It enables agencies to proactively implement appropriate information security controls based on the assessed potential impact to the organization should events occur that jeopardize information confidentiality, integrity, or availability, and in turn supports their mission in a cost-effective manner. An incorrect information system impact analysis (i.e., an incorrect FIPS 199 security categorization) can result in the agency either over-protecting the information system, wasting valuable security resources, or under-protecting the information system, placing important operations, assets or individuals at risk. The aggregation of such mistakes at the enterprise level can further compound the problem.
SCOPE; ENFORCEMENT; AUTHORITY; EXCEPTIONS
See Enterprise Information Security Charter PS-08-005
Data Owners shall inventory their information systems and assign a security category of HIGH, MODERATE or LOW to each system for which they hold responsibility, using the categorization process contained in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems. An information processing system shall assume a security category equal to the highest level assigned to the data or information it handles, in aggregate, except where a system function or process is more critical than the data it processes.
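The rule above is the FIPS 199 "high water mark": FIPS 199 assigns each data type an impact level per security objective (confidentiality, integrity, availability), the system inherits the highest level among the data it handles for each objective, and the overall category is the highest of the three. The following is an added example, not part of the policy or of any agency tool, that implements that rule over a small constructed inventory and also applies the policy's stated exception by letting a system function's own criticality raise the level. The `DataType`, `InformationSystem`, `function_criticality` names and the sample data types and systems are assumptions made for illustration.

```python
"""FIPS 199 style security categorization of an information system.

Added example (not part of the policy text). Computes a system's security
category from the categories of the data types it handles using the
high-water-mark rule, with the stated exception that a system function
more critical than its data raises the category.
"""
from dataclasses import dataclass, field

# Impact levels in ascending order, as used by FIPS 199.
LEVELS = ("LOW", "MODERATE", "HIGH")
# The three security objectives FIPS 199 categorizes against.
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level: str) -> int:
    """Position of an impact level in LEVELS; rejects unknown labels."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def _max_level(*levels: str) -> str:
    """Highest of the given impact levels (the high water mark)."""
    return max(levels, key=_rank)


@dataclass
class DataType:
    """A kind of information a system handles, with one level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


@dataclass
class InformationSystem:
    """An inventoried system: the data it processes plus its own criticality."""
    name: str
    data_types: list
    # Hypothetical attribute: impact level of the system's own function or
    # process per objective, for the policy's "more critical than the data"
    # exception. Objectives not listed default to LOW.
    function_criticality: dict = field(default_factory=dict)


def categorize(system: InformationSystem) -> dict:
    """Return the per-objective impact levels and the overall category.

    Per objective the system takes the highest level among its data types,
    raised if its own function is more critical. The overall category is the
    highest of the three objectives.
    """
    if not system.data_types and not system.function_criticality:
        raise ValueError(f"{system.name}: nothing to categorize")
    result = {}
    for objective in OBJECTIVES:
        levels = [d.level(objective) for d in system.data_types]
        levels.append(system.function_criticality.get(objective, "LOW"))
        result[objective] = _max_level(*levels)
    result["overall"] = _max_level(*(result[o] for o in OBJECTIVES))
    return result


def inventory_report(systems) -> dict:
    """Map each system name to its overall security category."""
    return {s.name: categorize(s)["overall"] for s in systems}


# Constructed sample inventory (illustrative values, not from the policy).
PUBLIC_NOTICES = DataType("public notices", "LOW", "MODERATE", "LOW")
PERSONAL_RECORDS = DataType("personal records", "HIGH", "MODERATE", "LOW")
SAMPLE_SYSTEMS = [
    InformationSystem("public web site", [PUBLIC_NOTICES]),
    InformationSystem("benefits portal", [PUBLIC_NOTICES, PERSONAL_RECORDS]),
    # Only low-sensitivity data, but the dispatch function itself must stay up,
    # so availability is driven by the function rather than the data.
    InformationSystem("dispatch console", [PUBLIC_NOTICES],
                      function_criticality={"availability": "HIGH"}),
]

if __name__ == "__main__":
    for system in SAMPLE_SYSTEMS:
        print(f"{system.name}: {categorize(system)}")
```

Keeping the per-objective levels in the result, rather than only the overall label, preserves the information a control selection under SP 800-53 actually needs: a system that is HIGH only for availability warrants different controls than one that is HIGH for confidentiality.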
NIST Computer Security Resource Center – http://csrc.nist.gov/
FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
PM-5 Information System Inventory
RA-2 Security Categorization
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
Data Categorization-Impact Level SS-08-014
Classification of Personal Information SS-08-002
TERMS and DEFINITIONS
Security Categorization - The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
Security Objective – Confidentiality, Integrity, and Availability
Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] (A loss of confidentiality is the unauthorized disclosure of information.)
Integrity - “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] (A loss of integrity is the unauthorized modification or destruction of information.)
Availability - “Ensuring timely and reliable access to and use of information …” [44 U.S.C., Sec. 3542] (A loss of availability is the disruption of access to or use of information or an information system.)