We use three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS PUB 199:
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality, integrity, or availability might (i) result in minor damage to organizational assets; (ii) result in minor financial loss; (iii) result in minor harm to individuals.
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. For example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. For example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.