SlideShare a Scribd company logo

Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)

James W. De Rienzo
James W. De Rienzo

Impact Assessment to determine Sensitivity Level of Information System/Information Types, based on NIST SP 800-60 Volume 2 Release 1

Technology
1 of 8
Download to read offline
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Appendix C: Management & Support Information & Information Systems Impact Levels I A C I A * Controls and Oversight C System Name  Proposed FIPS 199  Impact Values * Rationale and Factors for Services Delivery Support Information System Name  Current FIPS 199  Impact Values * Corrective Action Information Type L L L Program Evaluation Information Type L L L L (3) L L Program Monitoring Information Type (3) Regulatory Development * Policy and Guidance Development Information Type L L L Public Comment Tracking Information Type L L L Regulatory Creation Information Type L L L Rule Publication Information Type L L L Planning and Budgeting * Budget Formulation Information Type L L L Capital Planning Information Type L L L Enterprise Architecture Information Type L L L Strategic Planning Information Type L L L Budget Execution Information Type L L L Workforce Planning Information Type L L L Management Improvement Information Type L L L Budget and Performance Integration Information Type L L L Tax and Fiscal Policy Information Type L L L Internal Risk Management and Mitigation * Contingency Planning Information Type M M M Continuity of Operations Information Type M M M Service Recovery Information Type L L L Revenue Collection * Debt Collection Information Type M L L User Fee Collection Information Type L L M Federal Asset Sales Information Type L M L Public Affairs * Customer Services Information Type L L L Official Information Dissemination Information Type L L L Print Date: 2/19/2014 Page 1 of 8  Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Product Outreach Information Type L L L L C I A System Name  Proposed FIPS 199  Impact Values C I A L Public Relations Information Type System Name  Current FIPS 199  Impact Values L Legislative Relations * Legislation Tracking Information Type L L L Legislation Testimony Information Type L L L Proposal Development Information Type M L L Congressional Liaison Operations Information Type M L L General Government * Central Fiscal Operations Information Type (4) M L L Legislative Functions Information Type L L L Executive Functions Information Type (5) L L L Central Property Management Information Type L (6) L L (7) Central Personnel Management Information Type L L L Taxation Management Information Type M L L Central Records and Statistics Management Information Type M L L Income Information Information Type (8) M M M Personal Identity and Authentication Information Information Type (8) M M M Entitlement Event Information Information Type (8) M M M Representative Payee Information Information Type (8) M M M General Information Information Type (9) L L L Notification of Finding Report Information (General Information Information Type ‐ [9]) L L L Memoranda and Guidelines (General Information Information Type ‐ [9]) L L L Presidential Directives & Executive Orders (General Information Information Type ‐ [9]) L L L Other Executive Office of the President Guidance (General Information Information Type ‐ [9]) L L L Rationale and Factors for Government Resource Management Information * Administrative Management * L (6) L (7) L (7) Facilities, Fleet, and Equipment Management Information Type Help Desk Services Information Type L L L Security Management Information Type M M L Travel Information Type L L L Workplace Policy Development and Management Information Type (Intra‐Agency Only) L L L Financial Management Print Date: 2/19/2014 * Page 2 of 8  Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Assets and Liability Management Information Type L L L M M M L M L M L M L M A L Cost Accounting/ Performance Measurement Information Type I L Collections and Receivables Information Type C L Payments Information Type A L Accounting Information Type I L Funds Control Information Type C System Name  Proposed FIPS 199  Impact Values L Reporting and Information Information Type System Name  Current FIPS 199  Impact Values L Human Resource Management * HR Strategy Information Type L L L Staff Acquisition Information Type L L L Organization & Position Management Information Type L L L Compensation Management Information Type L L L Benefits Management Information Type L L L Employee Performance Management Information Type L L L Employee Relations Information Type L L L Labor Relations Information Type L L L Separation Management Information Type L L L Human Resources Development Information Type L L L Supply Chain Management * Goods Acquisition Information Type L L L Inventory Control Information Type L L L Logistics Management Information Type L L L Services Acquisition Information Type L L L Information and Technology Management * System Development Information Type L M L Lifecycle/Change Management Information Type L M L System Maintenance Information Type L M L IT Infrastructure Maintenance Information Type (10) L L L Information Security Information Type L M L Record Retention Information Type L L L Information Management Information Type (11) L M L System and Network Monitoring Information Type M M L Print Date: 2/19/2014 Page 3 of 8  Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C Information Sharing Information Type I A * System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A N/A N/A N/A Appendix D: Impact Determination for Mission‐Based Information & Infomation Systems * Defense and National Security * N/S N/S N/S Homeland Security * Border and Transportation Security Information Type M M M Key Asset and Critical Infrastructure Protection Information Type H H H Catastrophic Defense Information Type H H H Executive Functions of the Executive Office of the President (EOP) Information Type (23) H M H Intelligence Operations (24) N/S N/S N/S Disaster Management * * Disaster Monitoring and Prediction Information Type L H H Disaster Preparedness and Planning Information Type L L L Disaster Repair and Restoration Information Type L L L Emergency Response Information Type L H H International Affairs and Commerce * Foreign Affairs Information Type H H M International Development and Humanitarian Aid Information Type M L L Global Trade Information Type H H H Natural Resources * Water Resource Management Information Type L L L Conservation, Marine and Land Management Information Type L L L Recreational Resource Management and Tourism Information Type L L L Agricultural Innovation and Services Information Type L L L Energy * L(25) M(26) M(26) Energy Supply Information Type Energy Conservation and Preparedness Information Type L L L Energy Resource Management Information Type M L L Energy Production Information Type L L L Environmental Management * Environmental Monitoring and Forecasting Information Type L M L Environmental Remediation Information Type M L L Pollution Prevention and Control Information Type L L L Print Date: 2/19/2014 Page 4 of 8  Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Economic Development System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A * Business and Industry Development Information Type L L L Intellectual Property Protection Information Type L L L Financial Sector Oversight Information Type M L L Industry Sector Income Stabilization Information Type M L L Community and Social Services * Homeownership Promotion Information Type L L L Community and Regional Development Information Type L L L Social Services Information Type L L L Postal Services Information Type L M M Transportation * Ground Transportation Information Type L L L Water Transportation Information Type L L L Air Transportation Information Type L L L Space Operations Information Type L H H Education * Elementary, Secondary, and Vocational Education Information Type L L L Higher Education Information Type L L L Cultural and Historic Preservation Information Type L L L Cultural and Historic Exhibition Information Type L L L Workforce Management * Training and Employment Information Type L L L Labor Rights Management Information Type L L L Worker Safety Information Type L L L Health * Access to Care Information Type L M L Population Health Management and Consumer Safety Information Type L M L Health Care Administration Information Type L M L Health Care Delivery Services Information Type L H L Health Care Research and Practitioner Education Information Type L M L Income Security * General Retirement and Disability Information Type Print Date: 2/19/2014 M Page 5 of 8  M M Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Unemployment Compensation Information Type L L L L L L L L A C I A L Survivor Compensation Information Type I L Food and Nutrition Assistance Information Type C System Name  Proposed FIPS 199  Impact Values L Housing Assistance Information Type System Name  Current FIPS 199  Impact Values L Law Enforcement * Criminal Apprehension Information Type L L M Criminal Investigation and Surveillance Information Type M M M Citizen Protection Information Type M M M Leadership Protection Information Type M L L Property Protection Information Type L L L Substance Control Information Type M M M Crime Prevention Information Type L L L Trade Law Enforcement Information Type (27) M M M Litigation and Judicial Activities * Judicial Hearings Information Type M L L Legal Defense Information Type M H L Legal Investigation Information Type M M M Legal Prosecution and Litigation Information Type L M L Resolution Facilitation Information Type M L L Federal Correctional Activities * Criminal Incarceration Information Type L M L Criminal Rehabilitation Information Type L L L General Sciences and Innovation * Scientific and Technological Research and Innovation Information Type L M L Space Exploration and Innovation Information Type L M L Knowledge Creation and Management * Research and Development Information Type L M L General Purpose Data and Statistics Information Type L L L Advising and Consulting Information Type L L L Knowledge Dissemination Information Type L L L Regulatory Compliance and Enforcement * Inspections and Auditing Information Type Print Date: 2/19/2014 M Page 6 of 8  M L Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Standards Setting/Reporting Guideline Development Information Type L L L L C I A System Name  Proposed FIPS 199  Impact Values C I A L Permits and Licensing Information Type System Name  Current FIPS 199  Impact Values L Public Goods Creation and Management * Manufacturing Information Type L L L Construction Information Type L L L Public Resources, Facility and Infrastructure Management Information Type L L L Information Infrastructure Management Information Type L L L Federal Financial Assistance * Federal Grants (Non‐State) Information Type L L L Direct Transfers to Individuals Information Type L L L Subsidies Information Type L L L Tax Credits Information Type M L L Credit and Insurance * Direct Loans Information Type L L L Loan Guarantees Information Type L L L General Insurance Information Type L L L Transfers to State/Local Governments * Formula Grants Information Type L L L Project/Competitive Grants Information Type L L L Earmarked Grants Information Type L L L State Loans Information Type L L L Direct Services for Citizens * Military Operations Information Type (28) N/A N/A N/A Civilian Operations Information Type (28) N/A N/A N/A APPENDIX E: Legislative & Executive & Executive Sources Establishing Sensitivity/Criticality * Legislative Mandates * Executive Mandates * Office of Management and Budget Memoranda and Guidelines * Presidential Directives and Executive Orders * Other EOP Guidance * OMB and Case Law Interpretations * Print Date: 2/19/2014 Page 7 of 8  Contact: James W. De Rienzo
Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A 3  The confidentiality impact assigned to the Program Monitoring Information Type may necessitate the highest confidentiality impact of the information types  processed by the system. 4  Tax‐related functions are associated with the Taxation Management information type. 5  The OMB Business Reference Model “Executive Function has been expanded to include general agency executive functions as well as Executive Office of the  President (EOP) functions. Strictly EOP executive functions are treated in Appendix D, Examples of Impact Determination for Mission‐Based Information and  Information Systems. 6  High where safety of major critical infrastructure components or key national assets is at stake. 7  Moderate or High in emergency situations where time‐critical processes affecting human safety or major assets are involved. 8  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address privacy information. 9  The OMB Business Reference Model does not include a General Information information type. This information type was added as a catch‐all information type.  As such, agencies may use this to identify additional information types not defined in the BRM and assign impact levels. 10  The confidentiality impact assigned to the IT Infrastructure Maintenance Information Type may necessitate the highest confidentiality impact of the information  types processed by the system. 11  The confidentiality impact assigned to the Information Management Information Type may necessitate the highest confidentiality impact of the information  types processed by the system. 20  Impact level is usually moderate to high in emergency situations where time‐critical processes affecting human safety or major assets are involved. 21  A loss of confidentiality that causes a significant degradation in mission capability, places the agency at a significant disadvantage, or results in major damage to  assets, requiring extensive corrective actions or repairs. 23  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address functions of the Executive Office of the  President (EOP). 24  Where foreign intelligence information is involved, the information and information systems are categorized as national security information or systems and are  outside the scope of this guideline. 25  High where safety of radioactive materials, highly flammable fuels, or transmission channels or control processes at risk. 26  Usually Moderate or High where mission‐critical procedures are involved. 27  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address trade law enforcement. 28  As mode of delivery of mission‐based services, the security categorization of Direct Services to Citizens sub‐functions Military Operations and Civilian Operation  is dependent on the mission services delivered to the citizens [e.g., Health Care; Emergency Response, Environmental Remediation] should be categorized in  accordance with the mission‐based information type. Print Date: 2/19/2014 Page 8 of 8  Contact: James W. De Rienzo

Recommended

Soc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-convertedSoc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-converted
VISTA InfoSec
 
La sécurité de l’information et les auditeurs internes
La sécurité de l’information et les auditeurs internesLa sécurité de l’information et les auditeurs internes
La sécurité de l’information et les auditeurs internes
ISACA Chapitre de Québec
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Donald E. Hester
 
Business Impact Analysis module 3.ppt
Business Impact Analysis module 3.pptBusiness Impact Analysis module 3.ppt
Business Impact Analysis module 3.ppt
MohamedMoustafa91763
 
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Eric Clairvoyant, Adm.A.,T.P., CRISC
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
ControlCase
 

Recommended

Soc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-convertedSoc 2 vs iso 27001 certification withh links converted-converted
Soc 2 vs iso 27001 certification withh links converted-converted
VISTA InfoSec
 
La sécurité de l’information et les auditeurs internes
La sécurité de l’information et les auditeurs internesLa sécurité de l’information et les auditeurs internes
La sécurité de l’information et les auditeurs internes
ISACA Chapitre de Québec
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
Naresh Rao
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Understanding the Risk Management Framework & (ISC)2 CAP Module 1: Exam
Donald E. Hester
 
Business Impact Analysis module 3.ppt
Business Impact Analysis module 3.pptBusiness Impact Analysis module 3.ppt
Business Impact Analysis module 3.ppt
MohamedMoustafa91763
 
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Guide d'utilisation de l'outil AUDITSec basé sur la nouvelle norme ISO 27002 ...
Eric Clairvoyant, Adm.A.,T.P., CRISC
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
ControlCase
 
Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2
tonychoper6104
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
PECB
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
Muhammad Mazhar
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist QuestionsISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
himalya sharma
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
AvniJain836319
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information Security
JohnHPazEMCPMPITIL5G
 
RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1) RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1)
Donald E. Hester
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation Slides
SlideTeam
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
Operational Excellence Consulting
 
BUSINESS IMPACT ‎ANALYSIS- DRM
BUSINESS IMPACT ‎ANALYSIS- DRMBUSINESS IMPACT ‎ANALYSIS- DRM
BUSINESS IMPACT ‎ANALYSIS- DRM
Libcorpio
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
roguelogics
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
Dam Frank
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
Donald E. Hester
 
CMMI-DEV 1.3 Tool (checklist)
CMMI-DEV 1.3 Tool (checklist)CMMI-DEV 1.3 Tool (checklist)
CMMI-DEV 1.3 Tool (checklist)
Robert Levy
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
HasnolAhmad2
 
National Cybersecurity - Roadmap and Action Plan
National Cybersecurity - Roadmap and Action PlanNational Cybersecurity - Roadmap and Action Plan
National Cybersecurity - Roadmap and Action Plan
Dr David Probert
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
James W. De Rienzo
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
James W. De Rienzo
 

More Related Content

What's hot

Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2
tonychoper6104
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
PECB
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
SlideTeam
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation Slides
SlideTeam
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
Operational Excellence Consulting
 

What's hot (20)

Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2Chief information security officer perfomance appraisal 2
Chief information security officer perfomance appraisal 2
 
ISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRCISO/IEC 27001 as a Starting Point for GRC
ISO/IEC 27001 as a Starting Point for GRC
 
DSS RMF Training.pptx
DSS RMF Training.pptxDSS RMF Training.pptx
DSS RMF Training.pptx
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist QuestionsISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
ISO 27001 Checklist - Internal Audit - Clause 9.2 - 59 checklist Questions
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
 
27001.pptx
27001.pptx27001.pptx
27001.pptx
 
Control Standards for Information Security
Control Standards for Information SecurityControl Standards for Information Security
Control Standards for Information Security
 
RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1) RMF Roles and Responsibilities (Part 1)
RMF Roles and Responsibilities (Part 1)
 
Cybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation SlidesCybersecurity Incident Management PowerPoint Presentation Slides
Cybersecurity Incident Management PowerPoint Presentation Slides
 
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness TrainingISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
ISO/IEC 27001:2022 (Information Security Management Systems) Awareness Training
 
BUSINESS IMPACT ‎ANALYSIS- DRM
BUSINESS IMPACT ‎ANALYSIS- DRMBUSINESS IMPACT ‎ANALYSIS- DRM
BUSINESS IMPACT ‎ANALYSIS- DRM
 
Soc 2 Compliance.pdf
Soc 2 Compliance.pdfSoc 2 Compliance.pdf
Soc 2 Compliance.pdf
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
CMMI-DEV 1.3 Tool (checklist)
CMMI-DEV 1.3 Tool (checklist)CMMI-DEV 1.3 Tool (checklist)
CMMI-DEV 1.3 Tool (checklist)
 
isms-presentation.ppt
isms-presentation.pptisms-presentation.ppt
isms-presentation.ppt
 
National Cybersecurity - Roadmap and Action Plan
National Cybersecurity - Roadmap and Action PlanNational Cybersecurity - Roadmap and Action Plan
National Cybersecurity - Roadmap and Action Plan
 

Viewers also liked

Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Bill Ross
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
James W. De Rienzo
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak
 

Viewers also liked (20)

NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
 
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
(4) NIST SP 800-53 Revision 4 (security control enhancements omitted) 20140804
 
Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4Rmf step-3-control-selection-nist-sp-800-53r4
Rmf step-3-control-selection-nist-sp-800-53r4
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6aCritical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
 
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
Map Critical Security Controls (CSC) v5.0 to NIST SP 800-53 Revision 4 (Summa...
 
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
RMF STEP 2: SELECT (NIST 800-53 Rev. 3 Controls, Enhancements and Supplementa...
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 
Powerpoint Risk Assessment
Powerpoint Risk AssessmentPowerpoint Risk Assessment
Powerpoint Risk Assessment
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
 
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
RMF Step 4: ASSESS (NIST SP 800-53A Rev.1)
 
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
NIST Policy Mapped to 800-53-800-53A-controls-and-objectives (Legal Size)
 
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
(1a) map csc 5 to nist sp 800 53 rev 4 (security control table portrait) 2014...
 
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
(1b) Map CSC v5.0 to NIST SP 800 53 Revision 4 (security control table landsc...
 
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedure...
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
 
20 Security Controls for the Cloud
20 Security Controls for the Cloud20 Security Controls for the Cloud
20 Security Controls for the Cloud
 
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwdJob aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
Job aid framework-for-improving-critical-infrastructure-cybersecurity-core-jwd
 
Nist 800 60 data types catgorization tables
Nist 800 60 data types catgorization tablesNist 800 60 data types catgorization tables
Nist 800 60 data types catgorization tables
 

Similar to Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)

Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
Tripwire
 
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docxINSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
dirkrplav
 
Information security risk
Information security riskInformation security risk
Information security risk
Etsegenet Fisseha
 
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docxhttpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
wellesleyterresa
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
StevenTharp2
 
Jib inc260425-2
Jib inc260425-2Jib inc260425-2
Jib inc260425-2
Liberteks
 
Risk Assessment In this assignment, you will perform a qualitat.docx
Risk Assessment In this assignment, you will perform a qualitat.docxRisk Assessment In this assignment, you will perform a qualitat.docx
Risk Assessment In this assignment, you will perform a qualitat.docx
SUBHI7
 
Monitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs MarsMonitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs Mars
amit_monty
 
Federal government security planning
Federal government security planningFederal government security planning
Federal government security planning
gdobbe
 
It security-plan-template
It security-plan-templateIt security-plan-template
It security-plan-template
jbmills1634
 
RiskWatch for HIPAA Compliance™
RiskWatch for HIPAA Compliance™RiskWatch for HIPAA Compliance™
RiskWatch for HIPAA Compliance™
CPaschal
 
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docxProject #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
stilliegeorgiana
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
Dragos, Inc.
 

Similar to Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1) (20)

Developing a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action PlanDeveloping a Continuous Monitoring Action Plan
Developing a Continuous Monitoring Action Plan
 
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docxINSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
INSERT AGENCY LOGOINSERT SYSTEM NAMESystem Secur.docx
 
Data-Classification-Study (1).pptx
Data-Classification-Study (1).pptxData-Classification-Study (1).pptx
Data-Classification-Study (1).pptx
 
Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015Security Testing Report Hitachi Application Q1 Sep 2015
Security Testing Report Hitachi Application Q1 Sep 2015
 
The art of securing microgrid control systems
The art of securing microgrid control systemsThe art of securing microgrid control systems
The art of securing microgrid control systems
 
Information security risk
Information security riskInformation security risk
Information security risk
 
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docxhttpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
httpwww.csun.edu~dn58412IS531Lecture 12Informatio.docx
 
L3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptxL3 RMF Phase 2 Categorize.pptx
L3 RMF Phase 2 Categorize.pptx
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
Jib inc260425-2
Jib inc260425-2Jib inc260425-2
Jib inc260425-2
 
Risk Assessment In this assignment, you will perform a qualitat.docx
Risk Assessment In this assignment, you will perform a qualitat.docxRisk Assessment In this assignment, you will perform a qualitat.docx
Risk Assessment In this assignment, you will perform a qualitat.docx
 
Monitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs MarsMonitoring With Alterpoint And Cs Mars
Monitoring With Alterpoint And Cs Mars
 
Federal government security planning
Federal government security planningFederal government security planning
Federal government security planning
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: CategorizeUnderstanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
 
It security-plan-template
It security-plan-templateIt security-plan-template
It security-plan-template
 
RiskWatch for HIPAA Compliance™
RiskWatch for HIPAA Compliance™RiskWatch for HIPAA Compliance™
RiskWatch for HIPAA Compliance™
 
CRISP evaluation using the STEFi approach
CRISP evaluation using the STEFi approachCRISP evaluation using the STEFi approach
CRISP evaluation using the STEFi approach
 
PhishingBox Overview
PhishingBox OverviewPhishingBox Overview
PhishingBox Overview
 
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docxProject #3 IT Security Controls Baseline for Red Clay Renovations.docx
Project #3 IT Security Controls Baseline for Red Clay Renovations.docx
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
 

More from James W. De Rienzo

NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
James W. De Rienzo
 

More from James W. De Rienzo (11)

Nist sp 800_r5_baselines_&amp;_attributes
Nist sp 800_r5_baselines_&amp;_attributesNist sp 800_r5_baselines_&amp;_attributes
Nist sp 800_r5_baselines_&amp;_attributes
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed...
 
NIST NVD REV 4 Security Controls Online Database Analysis
NIST NVD REV 4 Security Controls Online Database AnalysisNIST NVD REV 4 Security Controls Online Database Analysis
NIST NVD REV 4 Security Controls Online Database Analysis
 
SEI CERT Podcast Series
SEI CERT Podcast SeriesSEI CERT Podcast Series
SEI CERT Podcast Series
 
CNDSP Assessment Template
CNDSP Assessment TemplateCNDSP Assessment Template
CNDSP Assessment Template
 
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
(3) Map Council on CyberSecurity's Critical Security Controls (CSC) Version 5...
 
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
(2) map csc 5 to nist sp 800 53 rev 4 (controls & enhancements) 20140804
 
Information Security Fundamentals
Information Security FundamentalsInformation Security Fundamentals
Information Security Fundamentals
 
Information Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual FrameworkInformation Assurance, A DISA CCRI Conceptual Framework
Information Assurance, A DISA CCRI Conceptual Framework
 
VDI and Application Virtualization
VDI and Application VirtualizationVDI and Application Virtualization
VDI and Application Virtualization
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 

Information System Sensitivity Level Impact Assessment (NIST SP 800-60v2r1)

  • 1. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Appendix C: Management & Support Information & Information Systems Impact Levels I A C I A * Controls and Oversight C System Name  Proposed FIPS 199  Impact Values * Rationale and Factors for Services Delivery Support Information System Name  Current FIPS 199  Impact Values * Corrective Action Information Type L L L Program Evaluation Information Type L L L L (3) L L Program Monitoring Information Type (3) Regulatory Development * Policy and Guidance Development Information Type L L L Public Comment Tracking Information Type L L L Regulatory Creation Information Type L L L Rule Publication Information Type L L L Planning and Budgeting * Budget Formulation Information Type L L L Capital Planning Information Type L L L Enterprise Architecture Information Type L L L Strategic Planning Information Type L L L Budget Execution Information Type L L L Workforce Planning Information Type L L L Management Improvement Information Type L L L Budget and Performance Integration Information Type L L L Tax and Fiscal Policy Information Type L L L Internal Risk Management and Mitigation * Contingency Planning Information Type M M M Continuity of Operations Information Type M M M Service Recovery Information Type L L L Revenue Collection * Debt Collection Information Type M L L User Fee Collection Information Type L L M Federal Asset Sales Information Type L M L Public Affairs * Customer Services Information Type L L L Official Information Dissemination Information Type L L L Print Date: 2/19/2014 Page 1 of 8  Contact: James W. De Rienzo
  • 2. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Product Outreach Information Type L L L L C I A System Name  Proposed FIPS 199  Impact Values C I A L Public Relations Information Type System Name  Current FIPS 199  Impact Values L Legislative Relations * Legislation Tracking Information Type L L L Legislation Testimony Information Type L L L Proposal Development Information Type M L L Congressional Liaison Operations Information Type M L L General Government * Central Fiscal Operations Information Type (4) M L L Legislative Functions Information Type L L L Executive Functions Information Type (5) L L L Central Property Management Information Type L (6) L L (7) Central Personnel Management Information Type L L L Taxation Management Information Type M L L Central Records and Statistics Management Information Type M L L Income Information Information Type (8) M M M Personal Identity and Authentication Information Information Type (8) M M M Entitlement Event Information Information Type (8) M M M Representative Payee Information Information Type (8) M M M General Information Information Type (9) L L L Notification of Finding Report Information (General Information Information Type ‐ [9]) L L L Memoranda and Guidelines (General Information Information Type ‐ [9]) L L L Presidential Directives & Executive Orders (General Information Information Type ‐ [9]) L L L Other Executive Office of the President Guidance (General Information Information Type ‐ [9]) L L L Rationale and Factors for Government Resource Management Information * Administrative Management * L (6) L (7) L (7) Facilities, Fleet, and Equipment Management Information Type Help Desk Services Information Type L L L Security Management Information Type M M L Travel Information Type L L L Workplace Policy Development and Management Information Type (Intra‐Agency Only) L L L Financial Management Print Date: 2/19/2014 * Page 2 of 8  Contact: James W. De Rienzo
  • 3. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Assets and Liability Management Information Type L L L M M M L M L M L M L M A L Cost Accounting/ Performance Measurement Information Type I L Collections and Receivables Information Type C L Payments Information Type A L Accounting Information Type I L Funds Control Information Type C System Name  Proposed FIPS 199  Impact Values L Reporting and Information Information Type System Name  Current FIPS 199  Impact Values L Human Resource Management * HR Strategy Information Type L L L Staff Acquisition Information Type L L L Organization & Position Management Information Type L L L Compensation Management Information Type L L L Benefits Management Information Type L L L Employee Performance Management Information Type L L L Employee Relations Information Type L L L Labor Relations Information Type L L L Separation Management Information Type L L L Human Resources Development Information Type L L L Supply Chain Management * Goods Acquisition Information Type L L L Inventory Control Information Type L L L Logistics Management Information Type L L L Services Acquisition Information Type L L L Information and Technology Management * System Development Information Type L M L Lifecycle/Change Management Information Type L M L System Maintenance Information Type L M L IT Infrastructure Maintenance Information Type (10) L L L Information Security Information Type L M L Record Retention Information Type L L L Information Management Information Type (11) L M L System and Network Monitoring Information Type M M L Print Date: 2/19/2014 Page 3 of 8  Contact: James W. De Rienzo
  • 4. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C Information Sharing Information Type I A * System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A N/A N/A N/A Appendix D: Impact Determination for Mission‐Based Information & Infomation Systems * Defense and National Security * N/S N/S N/S Homeland Security * Border and Transportation Security Information Type M M M Key Asset and Critical Infrastructure Protection Information Type H H H Catastrophic Defense Information Type H H H Executive Functions of the Executive Office of the President (EOP) Information Type (23) H M H Intelligence Operations (24) N/S N/S N/S Disaster Management * * Disaster Monitoring and Prediction Information Type L H H Disaster Preparedness and Planning Information Type L L L Disaster Repair and Restoration Information Type L L L Emergency Response Information Type L H H International Affairs and Commerce * Foreign Affairs Information Type H H M International Development and Humanitarian Aid Information Type M L L Global Trade Information Type H H H Natural Resources * Water Resource Management Information Type L L L Conservation, Marine and Land Management Information Type L L L Recreational Resource Management and Tourism Information Type L L L Agricultural Innovation and Services Information Type L L L Energy * L(25) M(26) M(26) Energy Supply Information Type Energy Conservation and Preparedness Information Type L L L Energy Resource Management Information Type M L L Energy Production Information Type L L L Environmental Management * Environmental Monitoring and Forecasting Information Type L M L Environmental Remediation Information Type M L L Pollution Prevention and Control Information Type L L L Print Date: 2/19/2014 Page 4 of 8  Contact: James W. De Rienzo
  • 5. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Economic Development System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A * Business and Industry Development Information Type L L L Intellectual Property Protection Information Type L L L Financial Sector Oversight Information Type M L L Industry Sector Income Stabilization Information Type M L L Community and Social Services * Homeownership Promotion Information Type L L L Community and Regional Development Information Type L L L Social Services Information Type L L L Postal Services Information Type L M M Transportation * Ground Transportation Information Type L L L Water Transportation Information Type L L L Air Transportation Information Type L L L Space Operations Information Type L H H Education * Elementary, Secondary, and Vocational Education Information Type L L L Higher Education Information Type L L L Cultural and Historic Preservation Information Type L L L Cultural and Historic Exhibition Information Type L L L Workforce Management * Training and Employment Information Type L L L Labor Rights Management Information Type L L L Worker Safety Information Type L L L Health * Access to Care Information Type L M L Population Health Management and Consumer Safety Information Type L M L Health Care Administration Information Type L M L Health Care Delivery Services Information Type L H L Health Care Research and Practitioner Education Information Type L M L Income Security * General Retirement and Disability Information Type Print Date: 2/19/2014 M Page 5 of 8  M M Contact: James W. De Rienzo
  • 6. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Unemployment Compensation Information Type L L L L L L L L A C I A L Survivor Compensation Information Type I L Food and Nutrition Assistance Information Type C System Name  Proposed FIPS 199  Impact Values L Housing Assistance Information Type System Name  Current FIPS 199  Impact Values L Law Enforcement * Criminal Apprehension Information Type L L M Criminal Investigation and Surveillance Information Type M M M Citizen Protection Information Type M M M Leadership Protection Information Type M L L Property Protection Information Type L L L Substance Control Information Type M M M Crime Prevention Information Type L L L Trade Law Enforcement Information Type (27) M M M Litigation and Judicial Activities * Judicial Hearings Information Type M L L Legal Defense Information Type M H L Legal Investigation Information Type M M M Legal Prosecution and Litigation Information Type L M L Resolution Facilitation Information Type M L L Federal Correctional Activities * Criminal Incarceration Information Type L M L Criminal Rehabilitation Information Type L L L General Sciences and Innovation * Scientific and Technological Research and Innovation Information Type L M L Space Exploration and Innovation Information Type L M L Knowledge Creation and Management * Research and Development Information Type L M L General Purpose Data and Statistics Information Type L L L Advising and Consulting Information Type L L L Knowledge Dissemination Information Type L L L Regulatory Compliance and Enforcement * Inspections and Auditing Information Type Print Date: 2/19/2014 M Page 6 of 8  M L Contact: James W. De Rienzo
  • 7. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * Standards Setting/Reporting Guideline Development Information Type L L L L C I A System Name  Proposed FIPS 199  Impact Values C I A L Permits and Licensing Information Type System Name  Current FIPS 199  Impact Values L Public Goods Creation and Management * Manufacturing Information Type L L L Construction Information Type L L L Public Resources, Facility and Infrastructure Management Information Type L L L Information Infrastructure Management Information Type L L L Federal Financial Assistance * Federal Grants (Non‐State) Information Type L L L Direct Transfers to Individuals Information Type L L L Subsidies Information Type L L L Tax Credits Information Type M L L Credit and Insurance * Direct Loans Information Type L L L Loan Guarantees Information Type L L L General Insurance Information Type L L L Transfers to State/Local Governments * Formula Grants Information Type L L L Project/Competitive Grants Information Type L L L Earmarked Grants Information Type L L L State Loans Information Type L L L Direct Services for Citizens * Military Operations Information Type (28) N/A N/A N/A Civilian Operations Information Type (28) N/A N/A N/A APPENDIX E: Legislative & Executive & Executive Sources Establishing Sensitivity/Criticality * Legislative Mandates * Executive Mandates * Office of Management and Budget Memoranda and Guidelines * Presidential Directives and Executive Orders * Other EOP Guidance * OMB and Case Law Interpretations * Print Date: 2/19/2014 Page 7 of 8  Contact: James W. De Rienzo
  • 8. Information System Name:                                                          _________________________________ Official Use Only (When Filled) National Security (N/S) Information Out of Scope IMPACT ASSESSMENT (Determines the Sensitivity Level of an Information System/Information Type) Sensitivity Level of Information System (IS)/Information Type (Perceived impact from the loss to the three fundamental security attributes of information: confidentiality, integrity and availability. Impact Value Highest Water Mark: Current = BLANK; Proposed = BLANK Information Types Provisional  View  SP 800‐60v2r1  Impact Values Headers Enter System Name <‐‐‐‐‐‐‐ C I A * System Name  Current FIPS 199  Impact Values C I A System Name  Proposed FIPS 199  Impact Values C I A 3  The confidentiality impact assigned to the Program Monitoring Information Type may necessitate the highest confidentiality impact of the information types  processed by the system. 4  Tax‐related functions are associated with the Taxation Management information type. 5  The OMB Business Reference Model “Executive Function has been expanded to include general agency executive functions as well as Executive Office of the  President (EOP) functions. Strictly EOP executive functions are treated in Appendix D, Examples of Impact Determination for Mission‐Based Information and  Information Systems. 6  High where safety of major critical infrastructure components or key national assets is at stake. 7  Moderate or High in emergency situations where time‐critical processes affecting human safety or major assets are involved. 8  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address privacy information. 9  The OMB Business Reference Model does not include a General Information information type. This information type was added as a catch‐all information type.  As such, agencies may use this to identify additional information types not defined in the BRM and assign impact levels. 10  The confidentiality impact assigned to the IT Infrastructure Maintenance Information Type may necessitate the highest confidentiality impact of the information  types processed by the system. 11  The confidentiality impact assigned to the Information Management Information Type may necessitate the highest confidentiality impact of the information  types processed by the system. 20  Impact level is usually moderate to high in emergency situations where time‐critical processes affecting human safety or major assets are involved. 21  A loss of confidentiality that causes a significant degradation in mission capability, places the agency at a significant disadvantage, or results in major damage to  assets, requiring extensive corrective actions or repairs. 23  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address functions of the Executive Office of the  President (EOP). 24  Where foreign intelligence information is involved, the information and information systems are categorized as national security information or systems and are  outside the scope of this guideline. 25  High where safety of radioactive materials, highly flammable fuels, or transmission channels or control processes at risk. 26  Usually Moderate or High where mission‐critical procedures are involved. 27  The identified information types are not a derivative of OMB’s Business Reference Model and were added to address trade law enforcement. 28  As mode of delivery of mission‐based services, the security categorization of Direct Services to Citizens sub‐functions Military Operations and Civilian Operation  is dependent on the mission services delivered to the citizens [e.g., Health Care; Emergency Response, Environmental Remediation] should be categorized in  accordance with the mission‐based information type. Print Date: 2/19/2014 Page 8 of 8  Contact: James W. De Rienzo