Steps for the identification of the sensitivity of data and the determination of the appropriate security or privacy level are:
- Determine if the data has any confidentiality concerns
- Can an unauthorized individual use the information to do limited, serious, or severe harm to individuals, assets or an organization’s operations as a result of data disclosure?
- Would unauthorized disclosure or dissemination of elements of the data violate laws, executive orders, or agency regulations (i.e., HIPPA or Privacy laws)?
- Does the data have any integrity concerns?
- What would be the impact of unauthorized modification or destruction of the data?
- Would it reduce public confidence in the originating organization?
- Would it create confusion or controversy in the user community?
- Could a potentially life-threatening decision be made based on the data or analysis of the data?
- Are there any availability concerns about the data?
- Is the information time-critical? Will another individual or system be relying on the data to make a time-sensitive decision (i.e. sensing data for earthquakes, floods, etc.)?
- Document data concerns identified and determine overall sensitivity (Low, Moderate, High)
- Low criticality would result in a limited adverse effect to an organization as a result of the loss of confidentiality, integrity, or availability of the data. It might mean degradation in mission capability or result in minor harm to individuals.
- Moderate criticality would result in a serious adverse effect to an organization as a result of the loss of confidentiality, integrity, or availability of the data. It might mean a severe degradation or loss of mission capability or result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
- High criticality would result in a severe or catastrophic adverse effect as a result of the loss of confidentiality, integrity, or availability of the data. It might cause a severe degradation in or loss of mission capability or result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
- Develop data access and dissemination policies and procedures based on sensitivity of the data and need-to-know.
- Develop data protection policies, procedures and mechanisms based on sensitivity of the data.
The identification of the sensitivity and importance of data or information processed on an information system is essential to the determination of the appropriate security and privacy considerations to ensure the confidentiality, integrity, and availability of the data as well as data sharing decisions.
FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) - Volume 1: Guide Volume 2: Appendices