Institutional Information, Research Data and Information System Categorization Process

PLEASE NOTE: This policy is published as binding draft while under campus review. If you would like to submit feedback on the draft policy and related documents, please use the feedback form.

1. Information and Information System Data Categorization Processes

The general process for categorizing information and research data, categorizing information systems, and protecting the information and data pursuant to the policy is as follows:

  1. Categorize the institutional information and research data.
  2. Categorize the information services that process, transmit and store the data.
    • Determine the appropriate information security controls that apply to the categorized information, data and information services.
    • Document the categorizations and controls in the Service Security Plan (SSP).
  3. Determine whether the service is capable of meeting the security objectives of the data, i.e. whether the service will protect against the potential impact of a loss of confidentiality, integrity or availability of the information and data.

When categorizing, the impact assessment should take into consideration the scope and scale of the impact. Impacts to an individual, an office, a department, a college and the entire campus represent different levels of scope and scale. For example, Availability (A) of an office file server may be rated as HIGH (H) because it is essential to the function of that office, but it may not be considered HIGH (H) at the overall campus scope and scale.

2. Security Categorization Applied to Institutional Information and Research Data

The process for categorizing information and data consists of determining the potential impact, LOW (L), MODERATE (M), or HIGH (H), to the Confidentiality (C), Integrity (I) and Availability (A) of the information and data.

The general format for expressing the Security Category (SC) for information is as follows:

Security Category (SC) = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where impact is LOW (L), MODERATE (M), HIGH (H), or not applicable (N/A) 

Example:

An organization manages public information on a server. A loss of confidentiality has no potential impact (the information is already public), while a loss of integrity or a loss of availability would each have a moderate impact:

SC public information = {(confidentiality, N/A), (integrity, M), (availability, M)}.

3. Security Categorization Applied to Information Systems

The potential impact values assigned to the respective security objectives (Confidentiality, Integrity, Availability) shall be the highest values from among those security categories that have been determined for each type of information and data resident on the information system.

The general format for expressing the Security Category (SC) for information systems is as follows:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

where impact is LOW (L), MODERATE (M), HIGH (H), or not applicable (N/A)

Example:

A department file server contains both sensitive personnel information and routine administrative information. The following are possible security categories for the information on the file server.

SC personnel information = {(confidentiality, M), (integrity, M), (availability, L)}

SC administrative information = {(confidentiality, L), (integrity, L), (availability, L)}

The resulting categorization of the file server is, for each security objective, the highest impact level among the categories of the information and data resident on it.

SC file server = {(confidentiality, M), (integrity, M), (availability, L)}
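The following is an added worked example, not part of the policy text, that carries the three-step process through in code: categorize each information type, roll the categories up to the information system using the highest-value rule of section 3, and then perform the step 3 check of whether a service's protection level meets the data's security objectives. The `Impact` enum, the function names and the sample service rating (treated as the level of protection documented in the SSP) are assumptions of this example; N/A is ranked below LOW so that it never raises a system's category.

```python
from enum import IntEnum
from typing import Dict, List, Mapping

# Impact levels ordered so that max() implements the "highest value" rule.
# N/A ranks lowest: it never raises the category of an information system.
class Impact(IntEnum):
    NA = 0   # not applicable (e.g. confidentiality of public information)
    L = 1    # LOW
    M = 2    # MODERATE
    H = 3    # HIGH

OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Dict[str, Impact]

def sc(confidentiality: Impact, integrity: Impact, availability: Impact) -> SecurityCategory:
    """Build a Security Category triple for one information type."""
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}

def categorize_system(info_types: Mapping[str, SecurityCategory]) -> SecurityCategory:
    """Section 3 rule: for each objective, take the highest impact value among
    all information types resident on the system (the high-water mark)."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    return {obj: max(cat[obj] for cat in info_types.values()) for obj in OBJECTIVES}

def format_sc(label: str, cat: SecurityCategory) -> str:
    """Render in the policy's notation, e.g.
    SC public information = {(confidentiality, N/A), (integrity, M), (availability, M)}"""
    def name(level: Impact) -> str:
        return "N/A" if level == Impact.NA else level.name
    body = ", ".join(f"({obj}, {name(cat[obj])})" for obj in OBJECTIVES)
    return f"SC {label} = {{{body}}}"

def unmet_objectives(service: SecurityCategory, data: SecurityCategory) -> List[str]:
    """Step 3 check: a service meets an objective when the impact level it is
    built to protect against (assumed to be recorded in the SSP) is at least
    the impact level of the data it will process, transmit or store."""
    return [obj for obj in OBJECTIVES if service[obj] < data[obj]]

# Constructed sample data, matching the examples in sections 2 and 3.
PUBLIC = sc(Impact.NA, Impact.M, Impact.M)
FILE_SERVER_DATA = {
    "personnel information": sc(Impact.M, Impact.M, Impact.L),
    "administrative information": sc(Impact.L, Impact.L, Impact.L),
}
# Assumed protection level of a candidate file service (hypothetical SSP entry).
CANDIDATE_SERVICE = sc(Impact.L, Impact.M, Impact.M)

if __name__ == "__main__":
    print(format_sc("public information", PUBLIC))
    for label, cat in FILE_SERVER_DATA.items():
        print(format_sc(label, cat))
    system = categorize_system(FILE_SERVER_DATA)
    print(format_sc("file server", system))
    gaps = unmet_objectives(CANDIDATE_SERVICE, system)
    print("service meets all objectives" if not gaps
          else f"service does not meet: {', '.join(gaps)}")
```

Running the block prints the file server category from the example above and reports that the candidate service, rated only LOW for confidentiality, does not meet the MODERATE confidentiality objective inherited from the personnel information; the integrity and availability objectives are met.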

4. Related Documents

The UMass campuses strive to maintain consistent IT policies. The Information Security Policy and related documents have been adopted with permission from UMass Amherst.
