Appendix 1
Information and System Categorization
The categorization of systems and information is an essential component of any cybersecurity plan. UTSA shall categorize all systems and information based on the FIPS 199 Standard for Security Categorization of Federal Information and Information Systems. The categorization definitions, based on the security objectives of confidentiality, integrity, and availability and the potential impact to each, are shown below.
Information Categorization:
- The potential impact is LOW if the loss of confidentiality and integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality and integrity might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
- The potential impact is MODERATE if the loss of confidentiality and integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality and integrity might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.
- The potential impact is HIGH if the loss of confidentiality and integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. For example, the loss of confidentiality and integrity might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
System Categorization:
All systems shall be categorized based on their availability requirements, using the following definitions.
- The potential impact is LOW if the system is offline for 2 weeks or more and it could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is MODERATE if the system is offline for 72 hours to 2 weeks and it could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is HIGH if the system is offline for 72 hours or less and it could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.