3-3 Determination of the Categorization of Information Resources

3-3.1 Business Impact Assessment

The Business Impact Assessment (BIA) is a process for determining the categorization of Postal Service information resources. A BIA must be completed for all information resources, whether the information resource is developed in-house, outsourced, or hosted in non-Postal Service facilities. The BIA must be updated periodically as required (every one or three years depending on its sensitivity designation), whenever a significant change is made to the information resource, or whenever the certification and accreditation (C&A) process is re-initiated.

The criteria for initiating a recertification are defined in Handbook AS-805-A, Information Resource Certification and Accreditation (C&A) Process, 6-2.

Various stakeholders [e.g., management, operational personnel, and information systems security officers (ISSOs)] need to be involved in the BIA process. An information resource may process several information types. Each information type is subject to security categorization. The stakeholders must consider the consequences of unauthorized disclosure of sensitive-enhanced or sensitive information with respect to violations of federal policy and law. The impact of the violations will depend in part on the penalties associated with violation of the relevant statutes and policies. A privacy impact assessment (PIA) is included in the BIA.

The impact level for an information resource will normally be the highest impact level for the following security objectives associated with the information types:

  1. Confidentiality — Preserving authorized restrictions on information access and disclosure.
  2. Integrity — Guarding against improper information modification or destruction.
  3. Availability — Ensuring timely and reliable access to information.

However, in some cases, the security category for a system may be higher than any impact level for any information type processed by the system. Variations in sensitivity/criticality with respect to time may also need to be factored into the impact assessment process. Some information loses its sensitivity over time (e.g., a Postal Service rate increase becomes nonsensitive after it has been published). Some applications are particularly critical at some point in time (e.g., the payroll application on the day for normal processing).

3-3.1.1 Aggregation

Some information may have little or no sensitivity in isolation but may have high sensitivity in aggregate. In some cases, aggregation of large quantities of a single information type can reveal patterns and/or plans, or facilitate access to sensitive or critical systems. In other cases, aggregation of information of several different and seemingly innocuous information types can have similar effects. In general, the sensitivity of a given data element is likely to be greater in context than in isolation (e.g., association of a bank account number with the identity of an individual and/or institution).

The availability, routine operational employment, and sophistication of data aggregation and inference tools are all increasing rapidly. If review reveals increased sensitivity or criticality associated with information aggregates, then the system categorization may need to be adjusted to a higher level than would be indicated by the impact associated with any individual information type.

3-3.1.2 System Functionality

Compromise of some information types may have low impact in the context of a system’s primary function but may have much more significance when viewed in the context of the potential impact of compromising:

  1. Other systems to which the system in question is connected, or
  2. Other systems which are dependent on that system’s information.

Access control information for a system that processes only low-impact information might initially be thought to have only low-impact attributes. However, if access to that system might result in some form of access to other systems (e.g., over a network), the sensitivity and criticality attributes of all systems that such indirect access can reach need to be considered.

Similarly, some information may, in general, have low-sensitivity or criticality attributes. However, that information may be used by other systems to enable sensitive-enhanced, sensitive, or critical functions. Loss of data integrity, availability, temporal context, or other context can have severe consequences.

3-3.1.3 Critical National Infrastructure

Where the mission served by an information system, or the information that the system processes, affects the security of the critical national infrastructure, the loss of confidentiality, integrity, or availability could result in a higher designation.