...
Business Risk in the Permit Context
This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality would damage our relationship with our constituency and could impact our ability to collect accurate data with which to manage fisheries. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. It could also expose us to litigation and professional disrepute.
- Moderate integrity requirements -- among other things, data from this system could be involved in the allocation of individual fishing quotas. Individual fishing quotas have value, and it is critical to maintain access controls, change tracking, and auditability. The moderate level is specified to recognize that loss of integrity could result in significant financial harm to individuals.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
...