Information Security Governance Papers

Paper Title Impact Analysis
The Abstract of The Paper The third factor used in determining the level of risk to a system is impact. A proper overall impact analysis considers the impact to the system, to its data, and to the organization's mission, and it should also consider the criticality and sensitivity of the system and its data. FIPS 199 provides a consistent, focused process for categorizing a system's criticality and sensitivity for the three security objectives of confidentiality, integrity, and availability. Using FIPS 199 to determine a security category, and assessing the system's and organization's mission with tools such as mission-impact reports, asset criticality assessment reports, and business impact analyses, results in a rating that describes the estimated impact to the system and organization should a threat successfully exploit a vulnerability. While impact can be described using either a quantitative or a qualitative approach, in the context of IT systems and data it is generally described in qualitative terms. As with the ratings used to describe likelihood, impact levels are described using the terms high, moderate, and low; note that NIST SP 800-30 defines the same three impact ratings with the terms low, medium, and high, so "medium" and "moderate" refer to the same level.
Web Link http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
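The categorization process the abstract describes, as an added example that is not part of SP 800-100 or of this paper database: a FIPS 199 security category is built per objective from the information types a system processes (the system's level for each objective is the highest level of any information type, and the overall high-water mark is the highest of the three), and the resulting impact level is then combined with a likelihood rating using the weights and risk scale of SP 800-30 (2002) Table 3-6 (likelihood 0.1/0.5/1.0, impact 10/50/100, risk low 1 to 10, medium above 10 to 50, high above 50). The information types, their impact levels, and the likelihood inputs are constructed sample data; `InfoType`, `security_category`, `high_water_mark`, `risk_score`, and `risk_level` are names chosen for this example.

```python
# Added example (not from SP 800-100 or the paper database): FIPS 199
# security categorization with the high-water mark, followed by an
# SP 800-30 (2002) Table 3-6 style likelihood x impact risk rating.
from dataclasses import dataclass

# FIPS 199 wording; SP 800-30 calls the middle level "medium".
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type processed by the system, with its provisional
    FIPS 199 impact level for each security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def normalize_level(level: str) -> str:
    """Accept either vocabulary: SP 800-30 'medium' is FIPS 199 'moderate'."""
    level = level.strip().upper()
    if level == "MEDIUM":
        level = "MODERATE"
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def security_category(info_types) -> dict:
    """FIPS 199: for each objective the system's impact is the highest
    impact of any information type it processes."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    return {
        obj: max((normalize_level(getattr(t, obj)) for t in info_types),
                 key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(category: dict) -> str:
    """Overall impact level (the highest of the three objectives); this is
    the value used to select a FIPS 200 / SP 800-53 control baseline."""
    return max(category.values(), key=RANK.__getitem__)


def fips199_notation(category: dict) -> str:
    """Render the category in the notation FIPS 199 uses."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# SP 800-30 (2002) Table 3-6. Likelihood weights 0.1 / 0.5 / 1.0 are stored
# multiplied by ten so the product stays in integer arithmetic.
LIKELIHOOD_TENTHS = {"LOW": 1, "MODERATE": 5, "HIGH": 10}
IMPACT_WEIGHT = {"LOW": 10, "MODERATE": 50, "HIGH": 100}


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood weight times impact weight, on SP 800-30's 1..100 scale."""
    l = LIKELIHOOD_TENTHS[normalize_level(likelihood)]
    i = IMPACT_WEIGHT[normalize_level(impact)]
    return (l * i) // 10  # every product of the table values is a multiple of 10


def risk_level(likelihood: str, impact: str) -> str:
    """SP 800-30 risk scale: low 1-10, medium >10-50, high >50-100."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MODERATE"
    return "LOW"


# Constructed sample data for a hypothetical payroll system.
SAMPLE_INFO_TYPES = [
    InfoType("employee PII", confidentiality="moderate", integrity="moderate",
             availability="low"),
    InfoType("payroll disbursement", confidentiality="low", integrity="high",
             availability="medium"),  # SP 800-30 wording, accepted as well
]

if __name__ == "__main__":
    cat = security_category(SAMPLE_INFO_TYPES)
    print(fips199_notation(cat))              # SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}
    overall = high_water_mark(cat)
    print("high-water mark:", overall)        # HIGH
    for likelihood in LEVELS:
        print(f"likelihood {likelihood:<8} impact {overall}: "
              f"risk {risk_level(likelihood, overall)} ({risk_score(likelihood, overall)})")
```

The per-objective maximum matters for the page's point about criticality and sensitivity: a system can be HIGH for integrity because of one information type while remaining MODERATE for confidentiality, and the notation keeps those distinct even though the baseline is chosen from the high-water mark. The `normalize_level` step absorbs the medium/moderate vocabulary difference the abstract notes between FIPS 199 and SP 800-30.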

