Organizational Control: Security Categorization
Control ID: RA-2 Security Categorization | Family: Risk Assessment | Source: NIST 800-53r4
Control: The organization:
Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.
Related Controls: CM-8, MP-4, RA-3, SC-7
Control Enhancements: N/A
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.
Mechanisms:
Protocol Implementation Conformance Statements: N/A