
[System Name (SYSTEM ACRONYM)]

FIPS 199 Security Categorization

Version [#]

[Month DD, YYYY]

Prepared for:

Department of Commerce

United States Patent and Trademark Office

Office of Chief Information Officer

[Insert Contract Number]


Record of Changes/Version History
FIPS 199 Template Version 6.2

October 3, 2008



Change/Version Number | Date of Change | Sections Changed | Description | Person Entering Change
----------------------|----------------|------------------|-------------|-----------------------
                      |                |                  |             |
Security Categorization Workbook

Instructions

  1. Use the table below to identify the information types collected, processed, maintained, used, shared, disseminated, transmitted, or stored by or through the Automated Information System (AIS). Please mark the ones that apply to the system.

  2. Determine which information types, if any, contain privacy data.

  3. For each information type that has been identified in Step 1, determine the potential security impact that might result from the unauthorized disclosure, modification, or loss of availability of this information. National Institute of Standards and Technology (NIST)-recommended impact levels for confidentiality, integrity, and availability (C, I, A) of each information type are identified in the “Security Objective” columns of the matrix. The NIST definitions of Confidentiality, Integrity, and Availability are:

Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” [44 USC Sec 3542]

Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” [44 USC Sec 3542]

Availability: “Ensuring timely and reliable access to and use of information.” [44 USC Sec 3542]

  4. Review the provisional impact levels (NIST-recommended) for appropriateness based on the organization, environment, mission, use, and connectivity associated with the system. Consider whether the current NIST-recommended impact level is appropriate for the system’s environment or whether the impact level should be modified to a lower or higher impact level. If a determination is made that the impact level should be modified, provide the rationale or justification for the adjustment(s).

  5. Low, Moderate, and High impact level definitions are provided below:

The potential impact is LOW if: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

LOW AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

MODERATE AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

HIGH AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Example:

Category                  | Description                                                                                                    | Security Objective: Confidentiality | Integrity | Availability
--------------------------|----------------------------------------------------------------------------------------------------------------|-------------------------------------|-----------|-------------
7.0 Legislative Relations |                                                                                                                |                                     |           |
7.3 Proposal Development  | Supports drafting proposed legislation that creates or amends laws subject to Congressional legislative action. | MODERATE                            | LOW       | LOW
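The workbook steps above, carried through in code as an added Python example that is not part of the USPTO template: each information type carries its Step 3 provisional C/I/A levels, a Step 4 adjustment is rejected unless a rationale accompanies it, and the system category is derived with the FIPS 199 high water mark (the highest level of any information type, per objective). The 7.3 row is taken from the example table; the second information type, its values and its justification are constructed.

```python
from dataclasses import dataclass, field

# Impact levels from the workbook, ranked so max() yields the high water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    category: str               # workbook category number, e.g. "7.3"
    name: str
    provisional: dict           # Step 3: NIST-recommended C/I/A levels
    adjusted: dict = field(default_factory=dict)   # Step 4: per-objective overrides
    justification: str = ""     # Step 4: required whenever adjusted is non-empty

    def final_levels(self) -> dict:
        """Apply Step 4 adjustments, refusing any that lack a rationale."""
        if self.adjusted and not self.justification.strip():
            raise ValueError(f"{self.category} {self.name}: adjustment has no justification")
        levels = {**self.provisional, **self.adjusted}
        for obj in OBJECTIVES:
            if levels.get(obj) not in LEVELS:
                raise ValueError(f"{self.category}: invalid {obj} level {levels.get(obj)!r}")
        return levels


def categorize(info_types: list) -> dict:
    """High water mark (FIPS 199): per objective, the system takes the highest level of any type."""
    return {obj: max((t.final_levels()[obj] for t in info_types), key=LEVELS.__getitem__)
            for obj in OBJECTIVES}


def format_sc(system: str, sc: dict) -> str:
    """Render the result in FIPS 199 notation."""
    return f"SC {system} = {{" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


# Constructed sample workbook: the page's 7.3 row plus a hypothetical second type.
SAMPLE = [
    InformationType("7.3", "Proposal Development",
                    {"confidentiality": "MODERATE", "integrity": "LOW", "availability": "LOW"}),
    InformationType("X.X", "Hypothetical applicant records",
                    {"confidentiality": "LOW", "integrity": "LOW", "availability": "MODERATE"},
                    adjusted={"confidentiality": "MODERATE"},
                    justification="Contains PII; unauthorized disclosure would be a serious adverse effect."),
]

if __name__ == "__main__":
    print(format_sc("[SYSTEM ACRONYM]", categorize(SAMPLE)))
```

Note that the system category ends up MODERATE for availability even though the 7.3 row alone is LOW, which is exactly the effect the high water mark is meant to capture.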



