RA-02-727 Security Categorization

Security Categorization

Control ID

RA-02-727

Control Name

Security Categorization

Control Category

Risk Assessment

Functional Areas

Identify

Sub-Areas

Data Classification

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

February 15, 2018

Agency Implementation

The Agency has adopted the Texas A&M University System data classification standard for all information. Information resources are categorized as mission-critical, production, non-production/utility, test/staging, and development.

Risk Statement

Information is disclosed due to lack of protection based on the need, priorities and expected degree of protection.

Control Description

The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

Control Example

a. The organization has a documented data classification policy or standard that guides data owners on data categorization, and associated security requirements of information systems where such information is maintained. b. Information systems have security plans that aligned with the classification of the information system.

State Implementation

State organizations are responsible for defining all information classification categories except the Confidential Information category, which is defined in Subchapter A of this chapter, and establishing the appropriate controls for each.

Testing Procedures

Obtain risk assessment policy; procedures addressing security categorization of organizational information and information systems; security planning policy and procedures; FIPS 199; NIST Special Publication 800-60; security plan; other relevant documents or records and ascertain if : (i)the organization conducts the security categorization of the information system as an organization-wide exercise with the involvement of senior-level officials including, but not limited to, authorizing officials, information system owners, chief information officer, senior agency information security officer, and mission/information owners. (ii)the security categorization is consistent with FIPS 199 and considers the provisional impact levels and special factors in NIST Special Publication 800-60. (iii)the organization considers in the security categorization of the information system, potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts. (iv)the organization includes supporting rationale for impact-level decisions as part of the security categorization. (v)designated, senior-level organizational officials review and approve the security categorizations.