Application/Data Assessment

This document provides information to help readers determine whether compromise of data will have a high, medium, or low impact on the organization. The purpose of this information is to help the reader categorize their data and application security needs.

Data associated with applications, and the requirements placed on that data, are categorized into three areas of security need:

  • Confidentiality - The need for the data to be kept secret from unauthorized people.
  • Integrity - The need for the data to be accurate and not changed by those without authorization.
  • Availability - The need for the data to be available to authorized users. Sometimes the data may be unavailable for limited periods of time without significant damage. The amount of time the data may be unavailable without significant damage should be determined early in the project life cycle to help determine the system design.

In each of these areas, the amount of damage that may occur is rated as shown below:

Data Confidentiality

This section describes and gives some examples of damage ratings based on loss of data confidentiality when unauthorized individuals may obtain access to the data. The sections below provide a data classification area and describe the damage when the data is compromised.

  • Critical is high damage. Unauthorized data access would have a critical negative effect on the organization, either impacting organizational activities critically or costing a critical amount of money or resources. The organization must decide the limits to damage here, such as $200000 or more in damage. Events of a critical nature may cause loss of life or threaten to destroy the organization. Examples of damage in this category would include something that could cause loss of life, loss of public or organizational safety, violation of law, or compromise of many social security numbers, credit card numbers, or driver's license numbers.
  • Important is medium damage. Unauthorized data access would have a substantial negative effect on the organization, either impacting organizational activities substantially or costing a substantial amount of money or resources. The organization must decide the limits to damage here, such as $10000 to $200000 in damage. Different damage amounts will affect different organizations differently. Examples of damage in this category would include the compromise of a single individual's social security number, credit card number, or driver's license number.
  • Standard is low damage. Unauthorized data access would have a limited negative effect on the organization, either impacting organizational activities minimally as an inconvenience or costing a relatively small amount of money or resources. The organization must decide the limits to damage here, such as $100 to $10000 in damage.
  • Common is no damage.

Data Integrity

This section describes and gives some examples of damage ratings based on loss of data integrity when unauthorized individuals may modify the data or errors are made. The sections below provide a data classification area and describe the damage when the data is compromised.

  • Critical is high damage. Loss of data integrity would have a critical negative effect on the organization, either impacting organizational activities critically or costing a critical amount of money or resources. The organization must decide the limits to damage here, such as $200000 or more in damage. Events of a critical nature may cause loss of life or threaten to destroy the organization. Examples of damage in this category would include something that could cause loss of life, loss of public or organizational safety, or errors in information that affects security or safety on a large scale.
  • Important is medium damage. Loss of data integrity would have a substantial negative effect on the organization, either impacting organizational activities substantially or costing a substantial amount of money or resources. The organization must decide the limits to damage here, such as $10000 to $200000 in damage. An example in this area would include damage that affects the organization's reputation.
  • Standard is low damage. Loss of data integrity would have a limited negative effect on the organization, either impacting organizational activities minimally as an inconvenience or costing a relatively small amount of money or resources. The organization must decide the limits to damage here, such as $100 to $10000 in damage.
  • Common is no damage.

Data Availability

This section describes and gives some examples of damage ratings based on loss of data availability to the authorized users. The sections below provide a data classification area and describe the damage when the data is not available when needed. When designing the system, consideration must be given to the length of time the data may be unavailable before damage would occur.

  • Critical is high damage. The loss of data access would have a critical negative effect on the organization, either impacting organizational activities critically or costing a critical amount of money or resources. The organization must decide the limits to damage here, such as $200000 or more in damage. Events of a critical nature may cause loss of life or threaten to destroy the organization. Examples of damage in this category would include something that could cause loss of life, serious safety hazards, violation of law, serious loss of trust in the organization, or prevention of required important transactions.
  • Important is medium damage. The loss of data access would have a substantial negative effect on the organization, either impacting organizational activities substantially or costing a substantial amount of money or resources. The organization must decide the limits to damage here, such as $10000 to $200000 in damage. Examples in this area would include damage that affects the organization's reputation, inability to conduct significant transactions, or significant loss of sales.
  • Standard is low damage. The loss of data access would have a limited negative effect on the organization, either impacting organizational activities minimally as an inconvenience or costing a relatively small amount of money or resources. The organization must decide the limits to damage here, such as $100 to $10000 in damage.
  • Common is no damage.
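The three rating scales above can be turned into a small assessment helper that a project team fills in early in the life cycle. The following is an added example and not part of the original document: it uses the page's sample dollar limits ($100, $10000, $200000) as defaults, treats the qualitative examples the page lists (loss of life, safety, violation of law, bulk compromise of identifiers, reputation damage) as floors that override the dollar figure, rates availability as Common when an outage stays inside the tolerated window, and classifies the data set at the highest of its three ratings. The half-open boundaries, the override floors, the tolerated-outage rule and the "overall = highest" rule are assumptions that the page does not state; the `Impact`, `rate`, `rate_availability` and `assess` names are invented here.

```python
"""Application/data assessment helper for the Confidentiality, Integrity and
Availability damage ratings described above (added example, not the page's own).

Assumptions not stated on the page:
  * dollar ranges are half-open: [100, 10000) Standard, [10000, 200000)
    Important, >= 200000 Critical, below 100 Common;
  * the qualitative examples the page gives act as floors on the rating;
  * an availability outage within the tolerated window causes no damage;
  * a data set's overall classification is its highest single rating.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict


class Rating(IntEnum):
    COMMON = 0      # no damage
    STANDARD = 1    # low damage
    IMPORTANT = 2   # medium damage
    CRITICAL = 3    # high damage


# Sample limits quoted in the text; each organization substitutes its own.
DEFAULT_THRESHOLDS: Dict[str, float] = {
    "standard": 100,
    "important": 10_000,
    "critical": 200_000,
}


@dataclass
class Impact:
    """Estimated consequences of losing one security property of a data set."""
    dollars: float = 0.0               # estimated monetary damage
    loss_of_life: bool = False         # page: Critical
    safety_hazard: bool = False        # page: Critical
    violation_of_law: bool = False     # page: Critical
    bulk_pii: bool = False             # many SSNs / card numbers / licence numbers: Critical
    reputation_damage: bool = False    # page: Important


def rate(impact: Impact, thresholds: Dict[str, float] = DEFAULT_THRESHOLDS) -> Rating:
    """Map one impact estimate to a damage rating; qualitative floors first."""
    if (impact.loss_of_life or impact.safety_hazard
            or impact.violation_of_law or impact.bulk_pii):
        return Rating.CRITICAL
    if impact.dollars >= thresholds["critical"]:
        return Rating.CRITICAL
    if impact.dollars >= thresholds["important"] or impact.reputation_damage:
        return Rating.IMPORTANT
    if impact.dollars >= thresholds["standard"]:
        return Rating.STANDARD
    return Rating.COMMON


def rate_availability(impact: Impact, outage_hours: float,
                      max_tolerable_outage_hours: float,
                      thresholds: Dict[str, float] = DEFAULT_THRESHOLDS) -> Rating:
    """Availability adds a time dimension: the page notes that data may be
    unavailable for a limited period without significant damage, so an outage
    inside the tolerated window is rated Common (assumption)."""
    if outage_hours <= max_tolerable_outage_hours:
        return Rating.COMMON
    return rate(impact, thresholds)


@dataclass
class Assessment:
    confidentiality: Rating
    integrity: Rating
    availability: Rating

    @property
    def overall(self) -> Rating:
        # Assumption: the data set is classified at its most demanding property.
        return max(self.confidentiality, self.integrity, self.availability)


def assess(conf: Impact, integ: Impact, avail: Impact,
           outage_hours: float, max_tolerable_outage_hours: float,
           thresholds: Dict[str, float] = DEFAULT_THRESHOLDS) -> Assessment:
    """Rate all three properties of one data set and combine them."""
    return Assessment(
        confidentiality=rate(conf, thresholds),
        integrity=rate(integ, thresholds),
        availability=rate_availability(avail, outage_hours,
                                       max_tolerable_outage_hours, thresholds),
    )


if __name__ == "__main__":
    # Constructed example: a customer-order database holding payment card numbers.
    result = assess(
        conf=Impact(dollars=5_000, bulk_pii=True),   # many card numbers exposed
        integ=Impact(dollars=30_000),               # mis-shipped or altered orders
        avail=Impact(dollars=50_000),               # lost sales while offline
        outage_hours=8, max_tolerable_outage_hours=4,
    )
    print(result, "overall:", result.overall.name)
```

In the constructed run the confidentiality rating is Critical because of the bulk card-number exposure even though the dollar estimate alone would only be Standard, which is the point of treating the page's qualitative examples as floors: a reviewer who only fills in the dollar column would under-classify the data set.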