C.3.5.4 - IT infrastructure maintenance

IT infrastructure maintenance involves the planning, design, implementation, and maintenance of an IT Infrastructure to effectively support automated needs (i.e., operating systems, applications software, platforms, networks, servers, printers, etc.). IT infrastructure maintenance also includes information systems configuration and security policy enforcement information. This information includes password files, network access rules and implementing files and/or switch setting, hardware and software configuration settings, and documentation that may affect access to the information system's data, programs, and/or processes. The impact levels associated with IT infrastructure maintenance information are primarily a function of the information processed in and through that infrastructure.

The IT Maintenance Information type represents a complex set of data elements that are used to secure the design, implementation, and maintenance of systems and networks. The security of each of these data elements is dependent on the security of the other data elements. Security compromise of one data element type will propagate to others. The recommended security categorization for the IT infrastructure maintenance information type is as follows:

Security category

C.3.5.4 - IT infrastructure maintenance = {(confidentiality, Low), (integrity, Low), (availability, Low)}

Confidentiality Low

The confidentiality impact level is the effect of unauthorized disclosure of IT infrastructure maintenance information on the ability of responsible agencies to plan, design, implement, and maintain an IT Infrastructure to effectively support automated needs (i.e., operating systems, applications software, platforms, networks, servers, printers, etc.). [See also Appendices C.3.5.5, IT Security Information and C.3.5.7, Information Management Information.]

IT infrastructure maintenance also includes information systems configuration and security policy enforcement information. Unauthorized disclosure of some IT infrastructure maintenance information can lead to confidentiality compromise of information processed by the system (e.g., password files, file access tables, cryptographic keying information, network access rules, and hardware and software configuration settings, and documentation that may affect access to the information system's data, programs, and/or processes). As a result, the confidentiality impact associated with this information is that of the highest impact information processed by the system. Also, a higher confidentiality impact may be associated with information in aggregate than is associated with any single element of information.

Recommended Confidentiality Impact Level: Particularly in the case of passwords and cryptographic keys, the provisional impact level recommended for IT infrastructure maintenance information depends on the sensitivity and criticality of system information and processes. Although an individual organization's IT infrastructure maintenance information type base may include data elements that will require a higher rating, the recommended provisional impact is low.

Integrity Low

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. The consequences of unauthorized modification or destruction of IT infrastructure maintenance information usually depend on the urgency with which the data processed in the IT infrastructure is needed or the time-critical nature of the data. In most cases, it is unlikely that the information will be needed urgently or acted upon immediately. In most cases, the consequences of unauthorized modification of IT infrastructure maintenance information will result in limited damage to agency operations or assets.

Special Factors Affecting Integrity Impact Determination: Exceptions may include incorrect information used for emergency response aspects of disaster management, criminal apprehension, air traffic control or other time-critical missions. In such cases, a moderate or high integrity impact level might be considered.

Recommended Integrity Impact Level: The provisional integrity impact level recommended for IT infrastructure maintenance information is low.

Availability Low

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to IT infrastructure maintenance information. Functions and processes supported by most IT infrastructure maintenance information are not time-critical. Also, disruption of access will have a limited adverse effect on agency operations (including mission functions and public confidence in the agency), agency assets, or individuals.

Special Factors Affecting Availability Impact Determination: Exceptions may include emergency response aspects of disaster management or other high load and time-critical functions (e.g., some systems that support air traffic control functions). The effects of disruption of access to IT infrastructure maintenance information or information systems may be to deny mission-critical IT resources to all affected organizations. The availability impact level associated with denial-of-service to IT infrastructure maintenance information needed to respond to emergencies or critical to public safety can be high.

Recommended Availability Impact Level: The provisional availability impact level recommended for IT infrastructure maintenance information is low.