Fred Cohen & Associates

10.2 Information Technology System Identification and Planning

Copyright(c), 1995 - Management Analytics - All Rights Reserved

The sensitivity level of all IT systems will be determined based on the sensitivity of the data processed or the importance of the system to mission accomplishment. All systems must include security controls that reflect the true importance of the information processed on the system and/or the government investment embodied in the components of the IT system. The sensitivity level of all DOC IT systems will be identified in one of the following categories:

1. Classified National Security Systems contain information which requires protection against unauthorized disclosure in the interest of national security at either the Top Secret, Secret or Confidential level. Procedural protection requirements for classified systems are contained in DAO 207-2, "DOC National Security Information Manual." Technical protection requirements are contained in Section 10.18 of the "DOC IT Management Handbook" and Section 18 of the "DOC IT Security Manual."
2. Unclassified Sensitive Systems include those that require some degree of protection for confidentiality, integrity or availability. This includes systems and data whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act, and data not releasable under the Freedom of Information Act. If the system is required for accomplishment of an agency mission it need not contain any sensitive data.
3. Non-Sensitive Systems are considered "trivial" as they contain only public data, which has no protection required for confidentiality or integrity, and the mission of the agency can be accomplished without the system.

A security plan will be prepared in the format of the "DOC Guidelines for Developing and Evaluating Security Plans for Sensitive and Classified Systems," contained in Section 2 of the "DOC IT Security Manual," and submitted to the Department for all DOC application and general support systems that have been identified as sensitive or classified national security systems. All IT systems will be identified as either application systems or general support systems.

1. Application Systems - Systems that perform clearly defined functions for which there are readily identifiable security considerations and needs. Such a system might actually comprise many individual application programs and hardware, software, and telecommunications components. They can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission related function. The system may process multiple individual applications, if all are related to a single mission function.
2. General Support Systems - These consist of hardware and software that provide general automated data processing or network support for a variety of users and applications. Individual applications may be less easily distinguishable than in the previous category. Single user systems, such as one or more personal computers may fit into this category if they process data related to more than one function.