1 PURPOSE
This Standard defines the process for determining the Security Categorization of information technology resources and critical business processes at the University System of New Hampshire (USNH).
2 SCOPE
This standard applies to all USNH business and academic units and USNH-owned information systems that collect, store, process, share or transmit institutional data. Personally owned devices connecting to the University Campus Network must meet the Bring Your Own Device standard requirements.
3 STANDARD
Security categories are assigned to specific assets, like information technology resources, or to specific business processes to determine the potential impact of a cybersecurity event in that particular asset or process. The USNH Security Categorization process is based on three factors:
- The classification, per the USNH Information Classification Policy, of the institutional information used in the business process or that is captured, stored, processed, transmitted, or otherwise managed by the information technology resource
- The magnitude of the impact if that information were compromised
- Whether the impact involves a loss of confidentiality, integrity, or availability.
3.2 Use Cases
Security Categorization is used in a variety of ways, including but not limited to:
- Determining the security control baseline for a specific information technology resource or business process
- Informing loss magnitude determination as part of the Cybersecurity Risk Assessment process
- Contributing to the risk assessment of cybersecurity exception requests
3.3 Information Type Determination
All USNH Security Categories are based on information types defined using two factors.
The first factor is information classification, per the USNH Information Classification Policy. The current USNH Information Classifications are:
- Tier 1 – Public
- Tier 2 – Sensitive
- Tier 3 – Protected
- Tier 4 – Restricted
Definitions and examples of each classification are available in the USNH Information Classification Policy.
The second factor is the breadth of the information. Breadth is determined based on the number of USNH institutions whose information could be impacted. There are two levels used to define breadth: USNH and Institution.
- USNH: Used when the information that could be impacted includes data from two or more component institutions. Examples of information sets that would be assigned a USNH factor include:
  - Human Resources and/or Finance environment, which contains information about all USNH employees
  - A business process that involves handling employee PII for all USNH institutions
- Institution: Used when the information that could be impacted includes data from only one USNH Institution. Examples of information sets that would be assigned the Institution factor:
  - Electronic Personal Health Information (ePHI) used by an institution's Student Health Center
  - Financial Aid data used by an institution's financial aid office to process financial aid applications for that institution's students
The combination of these two factors results in the following USNH Information Types:
- Public – USNH
- Public – Institution
- Sensitive – USNH
- Sensitive – Institution
- Protected – USNH
- Protected – Institution
- Restricted – USNH
- Restricted – Institution
3.4 POTENTIAL IMPACT DETERMINATION
USNH uses the following levels to define the potential impact of an adverse cybersecurity event that compromises confidentiality, integrity, and/or availability.
3.4.1 Impact = MINIMAL
The security category is minimal if a loss of confidentiality, integrity, or availability could result in a very adverse effect on one or more administrative, academic, or business units, with no real impact at the component institution level.
Examples: Loss of confidentiality, integrity, or availability that results in:
- Minimal impact on budget or finances: financial impact can be recovered at the unit level in the current year's budget without a budget/financial variance
- Minimal damage to or loss of information technology resources, like endpoint computers, that can be recovered at the unit level without impacting the current year's budget
- No discernible impact on achievement of administrative, academic, or business unit objectives
- No impact on reputation or enrollment
- No impact on life and safety
3.4.2 Impact = MODERATE
The security category is moderate if a loss of confidentiality, integrity, or availability could result in minor adverse effects on one or more administrative, academic, or business units, with no real impact at the component institution level.
Examples: Loss of confidentiality, integrity, or availability that results in:
- Minor impact on budget or finances:
  - Financial impact can be recovered in the current year's budget but may require a small budget variance
  - Can be handled internally, without requiring assistance at the component institution level
- Minor damage to or loss of information technology resources like endpoints or servers, which can be replaced or recovered within the current year's budget
- Minimal impact to the ability of an administrative, academic, or business unit to achieve one or more of its objectives, but no discernible impact on achievement of the overall mission and no impact on the component institution's ability to achieve its objectives
- Limited potential for impact to reputation or enrollment (e.g., local news coverage for a single news cycle)
- No impact to life and safety
3.4.3 Impact = SIGNIFICANT
The security category is significant if a loss of confidentiality, integrity, or availability could result in significant adverse effects on one or more administrative, academic, or business units, as well as the potential for discernible impacts at the component institution level.
Examples: Loss of confidentiality, integrity, or availability that results in:
- Significant impact on budget or finances:
  - Financial losses may be recoverable within the current year, but will require reprioritization of funds within the internal budget
  - Financial losses may require a budget variance that needs assistance or approval at the component institution level
- Significant damage to or loss of information technology resources that cannot be recovered in the current fiscal year by the impacted unit and requires assistance at the component institution level
- Significant impact to the ability of an administrative, academic, or business unit to achieve its mission, with potential for a discernible impact on achievement of the component institution's objectives
- Discernible impact to reputation with potential for a discernible impact to enrollment (e.g., persistent local news coverage lasting longer than a week, numerous calls/complaints to component institution leadership)
- Potential for minimal harm to individuals due to losses that impact life and safety systems or processes
3.4.4 Impact = MAJOR
The security category is major if a loss of confidentiality, integrity, or availability could result in substantial adverse effects on several administrative, academic, or business units and at the component institution level.
Examples: Loss of confidentiality, integrity, or availability that results in:
- Substantial impact on budget/finances:
  - Substantial losses that are not recoverable within the current fiscal year at the institutional level and require assistance at the system level
  - Requires a budget variance for the current and next fiscal year
- Substantial damage to or loss of information technology resources that cannot be recovered in the current fiscal year by the impacted institution and requires assistance at the system level
- Substantial impact on the ability of an administrative, academic, or business unit AND the impacted institution(s) to achieve objectives and overall mission
- Major impact on reputation with expected discernible impact on enrollment or hiring (e.g., national news coverage)
- Actual harm to individuals due to loss impacting life and safety systems or processes, including life-threatening injuries or loss of life, or resulting from a data loss that leads to real-world safety concerns
3.4.5 Impact = CATASTROPHIC
The security category is catastrophic if a loss of confidentiality, integrity, or availability could result in unacceptable adverse effects on several component institutions and at the University System level.
Examples: Loss of confidentiality, integrity, or availability that results in:
- Severe impact to budget/finances:
  - Unacceptable financial losses that cannot be recovered in this or the next fiscal year
  - Endangers financial sustainability of one or more component institutions
- Severe damage to or loss of information technology resources, where restoration requires diversion of funds at the system level
- Severe impact to the institution(s)' ability to achieve their mission, potentially an institution-ending impact
- Catastrophic impact to reputation with expected significant impact on enrollment and hiring (e.g., persistent national news coverage)
- Grave harm to individuals due to loss impacting life and safety systems or processes, including life-threatening injuries and loss of life
3.5 SECURITY CATEGORIZATION OF INFORMATION TYPES
The potential impact for all three security objectives shall be assessed to determine the appropriate security categorization of an information type. ET&S uses the formula provided in FIPS 199 to make this determination:
Security Category (SC) "Information Type" = (Confidentiality, "Impact") (Integrity, "Impact") (Availability, "Impact")
All USNH Information Types were assessed and assigned impact scores for each security objective using this formula. In determining which categorization is appropriate, it was assumed that all institutional information within each information type that could be adversely impacted would be adversely affected. For example, for a loss of confidentiality of the Protected – USNH information type, the categorization assumes that all institution student records would be impacted.
3.5.1 Security Categorization for each information type:
| Information Type | Confidentiality Impact | Integrity Impact | Availability Impact | Security Category |
|---|---|---|---|---|
| Public – Institution | Minimum | Minimum | Minimum | Minimum |
| Public – USNH | Minimum | Minimum | Minimum | Minimum |
| Sensitive – Institution | Moderate | Moderate | Moderate | Moderate |
| Sensitive – USNH | Moderate | Moderate | Moderate | Moderate |
| Protected – Institution | Significant | Significant | Significant | Significant |
| Protected – USNH | Major | Major | Major | Major |
| Restricted – Institution | Significant | Significant | Significant | Significant |
| Restricted – USNH | Catastrophic | Major | Major | Catastrophic |
The table above shows that, when the three impact designations differ, the highest one applies (the FIPS 199 high-water mark). This means that a Security Category of MINIMUM can only be assigned when all three security objective impacts are MINIMUM, and a CATASTROPHIC impact on any one security objective always results in a Security Category of CATASTROPHIC.
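As an added illustration (not part of the standard or of ET&S tooling), the following Python encodes the impact levels and the section 3.5.1 table, checks every row against the high-water-mark rule stated above, and, as an assumed extension following FIPS 199 rather than anything this standard states, categorizes a resource that handles more than one information type:

```python
from enum import IntEnum


class Impact(IntEnum):
    """USNH potential-impact levels; IntEnum so max() yields the high-water mark."""
    MINIMUM = 1
    MODERATE = 2
    SIGNIFICANT = 3
    MAJOR = 4
    CATASTROPHIC = 5


# Rows of the section 3.5.1 table: (confidentiality, integrity, availability, security category).
TABLE = {
    "Public - Institution":     (Impact.MINIMUM, Impact.MINIMUM, Impact.MINIMUM, Impact.MINIMUM),
    "Public - USNH":            (Impact.MINIMUM, Impact.MINIMUM, Impact.MINIMUM, Impact.MINIMUM),
    "Sensitive - Institution":  (Impact.MODERATE, Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    "Sensitive - USNH":         (Impact.MODERATE, Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    "Protected - Institution":  (Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT),
    "Protected - USNH":         (Impact.MAJOR, Impact.MAJOR, Impact.MAJOR, Impact.MAJOR),
    "Restricted - Institution": (Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT),
    "Restricted - USNH":        (Impact.CATASTROPHIC, Impact.MAJOR, Impact.MAJOR, Impact.CATASTROPHIC),
}


def security_category(conf, integ, avail):
    """High-water mark: the highest of the three objective impacts (rule below the 3.5.1 table)."""
    return max(conf, integ, avail)


def inconsistent_rows():
    """Information types whose tabulated category disagrees with the high-water mark (empty = consistent)."""
    return [t for t, (c, i, a, sc) in TABLE.items() if security_category(c, i, a) != sc]


def categorize_resource(info_types):
    """ASSUMED FIPS 199 aggregation, not stated in this standard: a resource handling
    several information types takes, per objective, the highest impact across those
    types, then the high-water mark of the three. Returns ((C, I, A), SC)."""
    if not info_types:
        raise ValueError("a resource must handle at least one information type")
    rows = [TABLE[t][:3] for t in info_types]
    conf, integ, avail = (max(col) for col in zip(*rows))
    return (conf, integ, avail), security_category(conf, integ, avail)


if __name__ == "__main__":
    # Constructed scenario: one system holding an institution's Restricted records
    # together with system-wide Protected HR data.
    objectives, sc = categorize_resource(["Restricted - Institution", "Protected - USNH"])
    print([o.name for o in objectives], sc.name)
    print("3.5.1 table consistent with high-water mark:", not inconsistent_rows())
```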
3.5.2 Controlled Unclassified Information (CUI)
If a U.S. Federal Government entity requests safeguards for Controlled Unclassified Information (CUI), the required security measures will be aligned with federal government Cybersecurity Maturity Model Certification (CMMC) guidelines.
DOCUMENT HISTORY
- Approved by: Tom Nudd, Chief Information Security Office V1.3, September 14, 2022
- Reviewed by: Dr. David Yasenchock, Director, Cybersecurity GRC
- Revision History: Review Draft Finalized, R Boyce-Werner, March 5, 2020
- V 1.1 Dr. David Yasenchock September 14, 2022
- V 1.2 Cybersecurity GRC Working Group, April 23, 2024
- Revised formatting, K SWEENEY, May 30, 2024
- Added section 3.5.2, K SWEENEY, Sept 17, 2024