Q4. a) Based on what the Federal Information Processing Standard 199 (FIPS-199)
ID: 3809510 • Letter: Q
Question
Q4. a) Based on what does the Federal Information Processing Standard 199 (FIPS-199) require information owners to classify information and information systems? Provide a detailed answer. b) Are there any differences between classifying governmental information and commercial information? And are there any common levels of classification that have been used to classify governmental information and commercial information? Explain your answers and support them with examples (NOT from the book or slides). c) Can a company make a change to classified information? Assume now that a company feels that such information needs higher protection, or that the company decides to make some information that was classified as secret accessible to the public. Here, is there any mechanism or process that allows a change in classified information? Explain your answers and support them with examples (NOT from the book or slides).
Explanation / Answer
a.) FIPS 199 is a United States Federal Government standard that establishes security categories of information systems used by the Federal Government, one component of risk assessment. It requires Federal agencies to assess their information systems in each of the categories of confidentiality, integrity and availability, rating each system as low, moderate or high impact in each category.
Confidentiality — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability — Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
The impact levels are defined as high, moderate and low.
The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
b.) Commercial Information Classifications
Classifying Governmental information:-
c.) Classified information is material that a government body claims is sensitive information that requires protection of confidentiality, integrity, or availability. Access is restricted by law or regulation to particular groups of people, and mishandling can incur criminal penalties and loss of respect. Changes can be made to classified information. First of all, identify all the threats, risks and causes of risk that are disturbing the security. After analyzing all the assets and threats that are harmful to the company, it should maintain some security policies, like password policies, mail policies, internet and restore policies. Confidential information must be protected, and emergency repair disks should be taken for granted.
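A worked example of the FIPS 199 categorization described in part a), added here as an illustration and not part of the answer above. It encodes the three impact levels, the "not applicable" (NA) value that FIPS 199 allows only for the confidentiality of public information and only at the information-type level, and the high-water mark rule FIPS 199 uses to roll the information types a system processes up into the system's security category (the overall level is what FIPS 200 then uses to pick a control baseline). The system names, information types and their impact levels are constructed for the example; the helper names are my own.

```python
"""
Added example (not from the page or its answer): FIPS 199 security
categorization of an information system from the information types it
processes, using the high-water mark rule.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Sequence


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the worst."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """One information type with its per-objective impact.

    confidentiality=None encodes the FIPS 199 value "not applicable" (NA),
    which is permitted only for the confidentiality of public information
    and only when categorizing an information type, never a system.
    """
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact


def format_sc(label: str, c: Optional[Impact], i: Impact, a: Impact) -> str:
    """Render a category in the FIPS 199 notation SC x = {(objective, level), ...}."""
    def show(v: Optional[Impact]) -> str:
        return "NA" if v is None else v.name
    return (f"SC {label} = {{(confidentiality, {show(c)}), "
            f"(integrity, {show(i)}), (availability, {show(a)})}}")


def categorize_system(system_name: str, info_types: Sequence[InfoType]) -> dict:
    """Derive a system's security category from its information types.

    Per objective, the system takes the highest impact of any information
    type it processes. NA is not a legal system-level value, so a system
    whose information is all public still gets LOW confidentiality (LOW is
    the minimum a system can be assigned). The overall category is the
    high-water mark across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    conf = max((t.confidentiality for t in info_types
                if t.confidentiality is not None), default=Impact.LOW)
    integ = max(t.integrity for t in info_types)
    avail = max(t.availability for t in info_types)
    overall = max(conf, integ, avail)
    return {
        "system": system_name,
        "confidentiality": conf,
        "integrity": integ,
        "availability": avail,
        "overall": overall,
        "notation": format_sc(system_name, conf, integ, avail),
    }


# Constructed sample input (a hypothetical agency web system, not from FIPS 199).
PRESS_RELEASES = InfoType("press releases", None, Impact.MODERATE, Impact.LOW)
STAFF_PAYROLL = InfoType("staff payroll", Impact.MODERATE, Impact.MODERATE, Impact.LOW)
PUBLIC_ONLY = [PRESS_RELEASES]
MIXED = [PRESS_RELEASES, STAFF_PAYROLL]

if __name__ == "__main__":
    for t in MIXED:
        print(format_sc(t.name, t.confidentiality, t.integrity, t.availability))
    for name, types in (("public web site", PUBLIC_ONLY), ("intranet portal", MIXED)):
        sc = categorize_system(name, types)
        print(sc["notation"], "-> overall", sc["overall"].name)
```

Note the two things a reader usually gets wrong: a system that only serves public information is categorized LOW, not NA, for confidentiality, and adding one MODERATE-integrity information type to an otherwise LOW system lifts the whole system's baseline to MODERATE.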