C.3.5.5 - Information security
IT Security involves all functions pertaining to the securing of Federal data and systems through the creation and definition of security policies, procedures and controls covering such services as identification, authentication, and non-repudiation.
The recommended security categorization for the IT security information type is as follows:
Security category
Confidentiality Low
The confidentiality impact level is the effect of unauthorized disclosure of IT security information on the ability of responsible agencies to secure Federal data and systems through the creation and definition of security policies, procedures and controls covering such services as identification, authentication, and non-repudiation. In most cases, the security policy, procedures, and available controls are not particularly sensitive. Typically, the security information is used in initializing and implementing the controls (e.g., passwords, cryptographic keys) that need to be protected. In general, disclosure of the security policies, procedures, and controls will result in only limited adverse effects on the confidentiality of system information and processes. Recommended Confidentiality Impact Level: The recommended provisional confidentiality impact level recommended for IT security information is low.
Integrity Moderate
The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. Recommended Integrity Impact Level: The provisional integrity impact level recommended for IT security information is moderate.
Availability Low
The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to IT security information. Temporary disruption of access to IT security information can usually be expected to have a limited adverse effect on agency operations (including mission functions and public confidence in the agency), agency assets, or individuals. Recommended Availability Impact Level: The provisional availability impact level recommended for IT security information is low.