D.21.1 - Inspections and auditing

Inspections and Auditing involves the methodical examination and review of regulated activities to ensure compliance with standards for regulated activity.

The recommended security categorization for the inspections and auditing information type is as follows:

Security category

D.21.1 - Inspections and auditing = {(confidentiality, Moderate), (integrity, Moderate), (availability, Low)}

Confidentiality Moderate

The confidentiality impact level is the effect of unauthorized disclosure of inspections and auditing information on the ability of responsible agencies to methodically examine and review regulated activities to ensure compliance with standards for regulated activity. If the inspections and auditing data belongs to one of the information types described in this guideline, the confidentiality impact assigned the data and system is dependent on the nature of the regulated activity. Special Factors Affecting Confidentiality Impact Determination: Unauthorized disclosure of inspections and auditing information can alert personnel associated with programs being monitored to the focus of inspection or auditing activities. With this information, program personnel may divert attention from questionable program attributes or hide unfavorable information. Where a major program or human safety is at stake, actions taken based on unauthorized disclosure of inspections and auditing information can pose a threat to human life or a loss of major assets. In such cases, the confidentiality impact is high. National security information and national security systems are outside the scope of this guideline. Recommended Confidentiality Impact Level: Although there are many Federal environments in which unauthorized disclosure will have only a limited adverse effect, there are enough circumstances in which serious adverse effects on agency operations, agency assets, or individuals can result to justify recommendation of a moderate provisional confidentiality impact level for inspections and auditing information.

Integrity Moderate

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. The consequences of unauthorized modification or destruction of inspections and auditing information can compromise the effectiveness of the program. The damage likely to be caused by unauthorized modification or destruction may affect inspection or audit results with subsequent serious adverse effects on agency operations or public confidence in the agency. The consequences can be particularly serious if the destruction or modification of information invalidates oversight of major programs or the information threatens human safety. The integrity impact level depends on the laws or policies with which compliance is being determined and on the criticality of the processes being monitored (e.g., correctness of contract expenditure reporting versus safety regulations affecting manned space flight). Recommended Integrity Impact Level: Although there are regulatory environments in which a low impact level is appropriate, the circumstances associated with most inspections and auditing support information require at least a moderate provisional integrity impact level.

Availability Low

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to re-establish access to inspections and auditing information. In most cases, disruption of access to inspections and auditing information is expected to have only a limited adverse effect on agency operations, agency assets, or individuals. Not many inspection or auditing operations involve activities for which temporary loss of availability is likely to cause significant degradation in mission capability, place the agency at a significant disadvantage, result in major damage to major assets, or pose a threat to human life. Recommended Availability Impact Level: For most inspection and audit functions, the recommended provisional availability impact level is low.