Technology Standard
Contingency Planning and Business Recovery Program
IT System and Data Sensitivity Classification
Version: 1.0
Status: Approved: 2/21/07
Contact: Director, Technology Services
PURPOSE
The IT System and Data Sensitivity Classification is performed in conjunction with the Business Impact Analysis to determine the adverse impact of a security occurrence in terms of loss or degradation of integrity, availability, and confidentiality. This process must also identify whether the types of data are subject to other regulatory requirements.
SCOPE
The IT System and Data Sensitivity Classification Standard of the Contingency Planning and Business Recovery Program covers all VCCS and college business processes and the related Information Technology infrastructure.
APPLICABILITY
The IT System and Data Sensitivity Classification Standard is applicable to the System Office and all Colleges.
STANDARD
The following requirements and recommendations are provided to assist with compliance with the Commonwealth of Virginia (COV) Information Technology Resource Management Standard, COV ITRM 501-01 standards for IT System and Data Sensitivity Classification. Worksheet two of the Business Impact Analysis Template may be used to assist in this process.
Requirement:
Worksheet one of the Business Impact Analysis Template identified the activities and core functions of each business unit. Worksheet two must determine the potential damages to the VCCS or college of a compromise using the sensitivity criteria in the table below.
| Loss of: | May result in: |
| --- | --- |
| Confidentiality | System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization. |
| Integrity | System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system. |
| Availability | If a mission-critical IT system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission. |
Apply each criterion above to all systems and data and measure the impact using the magnitude of impact table below. This analysis will assist in prioritizing risks and identifying areas for immediate improvement in addressing the vulnerabilities.
| Magnitude of Impact |
| --- |
| Low - May result in the loss of some tangible assets or resources or may affect mission, reputation, or interest. |
| Note: A system/data should be considered sensitive if any of the three criteria contain a moderate or high rating. |
Recommendation:
It is recommended that the information above be compiled by the Contingency Planning Coordinator in conjunction with the appropriate individual business unit personnel. For example, the activity owner may provide the acceptable down time while the data owner should provide the sensitivity classification. In some cases this may be the same person. Worksheet two of the Business Impact Analysis Template may be used for this process.
The information obtained from this process, as well as from the Business Impact Analysis process, will be used in the Risk Assessment process.
FORMS
Contingency Planning and Business Recovery Program, Business Impact Analysis Template