Tuesday, February 23, 2010

Security Categorization

FIPS PUB 199
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION
Standards for Security Categorization of Federal Information and Information Systems
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8900
February 2004

Security categorization by potential impact, based on the three security objectives: confidentiality, integrity, and availability
POTENTIAL IMPACT DEFINITIONS FOR SECURITY OBJECTIVES

Page 1 notes:
Information is categorized according to its information type. An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.

Security Objectives:
The FISMA defines three security objectives for information and information systems:
CONFIDENTIALITY
“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...” [44 U.S.C., Sec. 3542]
A loss of confidentiality is the unauthorized disclosure of information.
INTEGRITY
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...” [44 U.S.C., Sec. 3542]
A loss of integrity is the unauthorized modification or destruction of information.
AVAILABILITY
“Ensuring timely and reliable access to and use of information...” [44 U.S.C., Sec. 3542]
A loss of availability is the disruption of access to or use of information or an information system.

Security Categorization Applied to Information Types
The security category of an information type can be associated with both user information and system information and can be applicable to information in either electronic or non-electronic form. It can also be used as input in considering the appropriate security category of an information system (see description of security categories for information systems below). Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type.
The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
EXAMPLE 1: An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. The resulting security category, SC, of this information type is expressed as:
SC public information = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}.
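Added example, not code from FIPS 199 or from this post: a small Python model of the SC notation above that parses the Example 1 expression, re-renders it in the same form, and also applies the high-water-mark rule FIPS 199 gives for information systems (per objective, the highest impact among the resident information types, never below LOW). That system rule, and the restriction that NOT APPLICABLE may only be used for confidentiality, come from the standard itself, not from the text quoted here; the "contractor sensitive" category in the usage is a constructed sample.

```python
import re
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """Potential impact values allowed for an information type (ordered for comparison)."""
    NA = 0          # "NOT APPLICABLE": FIPS 199 permits this for confidentiality only
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class SecurityCategory:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 rule (not quoted on the page): NA is valid only for confidentiality.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError("NOT APPLICABLE is only permitted for confidentiality")

    def __str__(self) -> str:
        # Render exactly in the FIPS 199 form: SC name = {(objective, IMPACT), ...}
        pairs = ", ".join(f"({o}, {getattr(self, o).name})" for o in OBJECTIVES)
        return f"SC {self.name} = {{{pairs}}}"

def parse_sc(text: str) -> SecurityCategory:
    """Parse an expression such as Example 1 above; a trailing period is tolerated."""
    m = re.fullmatch(r"SC (.+?) = \{(.*)\}\.?", text.strip())
    if not m:
        raise ValueError(f"not a FIPS 199 SC expression: {text!r}")
    name, body = m.groups()
    values = {}
    for obj, val in re.findall(r"\((\w+), ([A-Z ]+)\)", body):
        values[obj] = Impact.NA if val in ("NA", "NOT APPLICABLE") else Impact[val]
    if set(values) != set(OBJECTIVES):
        raise ValueError("all three security objectives must be given exactly once")
    return SecurityCategory(name, **values)

def system_category(name: str, types: list) -> SecurityCategory:
    """High-water mark for an information system: max impact per objective, floor LOW."""
    if not types:
        raise ValueError("an information system must hold at least one information type")
    hwm = {o: max(max(getattr(t, o) for t in types), Impact.LOW) for o in OBJECTIVES}
    return SecurityCategory(name, **hwm)

# Example 1 from the page, parsed and re-rendered; sample second type is constructed.
EXAMPLE_1 = "SC public information = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}."
print(str(parse_sc(EXAMPLE_1)))
print(str(system_category("web server", [parse_sc(EXAMPLE_1),
      SecurityCategory("contractor sensitive", Impact.MODERATE, Impact.LOW, Impact.LOW)])))
```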


TERMS:
AVAILABILITY: Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542]
CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542]
SECURITY CATEGORY: The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals.
SECURITY CONTROLS: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
SECURITY OBJECTIVE: Confidentiality, integrity, or availability.
