10.2 Information Technology System Identification and Planning
Copyright(c), 1995 - Management Analytics - All Rights Reserved
The sensitivity level of all IT systems will be determined based on
the sensitivity of the data processed or the importance of the system to
mission accomplishment. All systems must include security controls that
reflect the true importance of the information processed on the system
and/or the government investment embodied in the components of the IT
system. The sensitivity level of all DOC IT systems will be identified
in one of the following categories:
1. Classified National Security Systems contain
information which requires protection against
unauthorized disclosure in the interest of national
security at either the Top Secret, Secret or
Confidential level. Procedural protection requirements
for classified systems are contained in DAO 207-2, "DOC
National Security Information Manual." Technical
protection requirements are contained in Section 10.18
of the "DOC IT Management Handbook" and Section 18 of
the "DOC IT Security Manual."
2. Unclassified Sensitive Systems include those that
require some degree of protection for confidentiality,
integrity or availability. This includes systems and
data whose improper use or disclosure could adversely
affect the ability of an agency to accomplish its
mission, proprietary data, records about individuals
requiring protection under the Privacy Act, and data
not releasable under the Freedom of Information Act.
If the system is required for accomplishment of an
agency mission, it need not contain any sensitive data
to fall into this category.
3. Non-Sensitive Systems are considered "trivial" as they
contain only public data, which has no protection
required for confidentiality or integrity, and the
mission of the agency can be accomplished without the
system.
A security plan will be prepared in the format of the "DOC
Guidelines for Developing and Evaluating Security Plans for Sensitive
and Classified Systems," contained in Section 2 of the "DOC IT Security
Manual," and submitted to the Department for all DOC application and
general support systems that have been identified as sensitive or
classified national security systems. All IT systems will be identified
as either application systems or general support systems.
1. Application Systems - Systems that perform clearly
defined functions for which there are readily
identifiable security considerations and needs. Such a
system might actually comprise many individual
application programs and hardware, software, and
telecommunications components. They can be either a
major software application or a combination of
hardware/software where the only purpose of the system
is to support a specific mission-related function. The
system may process multiple individual applications, if
all are related to a single mission function.
2. General Support Systems - These consist of hardware and
software that provide general automated data processing
or network support for a variety of users and
applications. Individual applications may be less
easily distinguishable than in the previous category.
Single-user systems, such as one or more personal
computers, may fit into this category if they process
data related to more than one function.