II. SYSTEM SENSITIVITY

First determine what systems are sensitive and the extent they must be protected. This includes identifying sensitive data.

    1. Criticality:

Evaluate criticality in terms of what would be affected if the system were to become unavailable. First, divide the system into sub-elements (i.e., applications) that are related to users or business functions. Then evaluate each application to define the impact on the user if computer support was lost. Such factors as the effectiveness of the particular function, additional cost of doing business, lost revenue, possible legal problems, and the effect of the loss on the image of the organizations.

    1. Sensitivity:

Sensitivity analysis measures the impact of a non-authorized person gaining access to the information, or of data being altered in any way. Most importantly, private personal data should not be disclosed without specific authorization. Other sensitive areas include trade secrets, formulas, financial data, and company planning information that may be of significant value to competitors.

    1. Source of Sensitivity Information:

Do not consider the MIS group a reliable source of criticality and sensitivity information. Too often the MIS group reacts to an individual or group that most quickly complains in the event of system degradation. The quickness of the complaint may not necessarily be representative of the real importance of these data to the company. The best initial sources are the users of the MIS output. They can best express impact on the operation and potential costs, thus when this information is validated by management the real importance to the organization is captured. This is the foundation for systems security -- validity must be guaranteed.

    1. Level of Sensitivity:

The military expresses the sensitivity of systems through classification such as top secret, secret, confidential, and unclassified. The recent introduction of “unclassified but sensitive” was a reaction to privacy requirements.

The National Computer Security Center, in its Trusted Computer System Evaluation Criteria standard, identifies four divisions of security. Level “D” is the lowest; no security is required. Each higher division represents a major improvement in the confidence one can place in a system for the protection of information. The “C” level is discretionary control, in which identifiable sections of a system are protected, as appropriate, to the information in the section. The “B” level is defined as Mandatory Control in which all data are protected. Although some data may be more easily accessed than others the necessary controls are present. The “A” level is the highest - it represents formally verifiable protection and is the most comprehensive security available.

Commercially, various categorization schemes are employed. Commonly, such terms as highly critical, critical, important, and routine are used. The actual names used are unimportant as long as they are used consistently. The key factor is that levels are defined so they can be used to identify the extent to which security measures should be applied to the system.