Supports the data-gathering activities required to determine the effectiveness of internal and external programs and the extent to which they comply with applicable laws, regulations, and policies. The impact levels should be commensurate with the impact levels of the programs that are being monitored. The overall accountability rating for this information classification is Low.
Confidentiality level = Low
The confidentiality impact level is the effect of unauthorized disclosure of program monitoring information on the ability of responsible entities to perform data-gathering activities required to determine the effectiveness of internal and external programs and the extent to which they comply with related laws, regulations, and policies.
Known mitigating factors toward changing the confidentiality level
There are legislative mandates prohibiting unauthorized disclosure of trade secrets. Trade secrets will generally be assigned a moderate confidentiality impact level. Where the data being collected belongs to one of the information types described in this guideline, the confidentiality impact assigned the data and system is that of the highest impact information type collected. Unauthorized disclosure of program monitoring information can alert personnel associated with programs being monitored to the focus and implications of monitoring activities. Where a major program or human safety is at stake, actions taken based on unauthorized disclosure of program monitoring information can pose a threat to human life or a loss of major assets. In such cases, the confidentiality impact should be high.
Integrity level = Low
The consequences of unauthorized modification or destruction of program monitoring information can compromise the effectiveness of the monitoring program. Although there may be time-sensitive program monitoring situations, the integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. The damage likely to be caused by unauthorized modification or destruction of program monitoring information may have consequent serious adverse effects on organizational operations or public confidence in the organization.
Known mitigating factors toward changing the integrity level
The consequences can be particularly serious if the destruction or modification of monitoring information invalidates evaluation results concerning major programs or concerning threats to human safety. The integrity impact resulting from unauthorized modification or deletion of program monitoring information depends in part on the nature of the laws or policies with which compliance is being determined and in part on the criticality of the processes being monitored. In the case of safety regulations affecting human life, the integrity impact level should be high.
Availability level = Low
The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to reestablish access to the program monitoring information. Although there may be time-sensitive program monitoring situations, more typically, disruption of access to program monitoring information will have only a limited adverse effect on organizational operations, organizational assets, or individuals.
Known mitigating factors toward changing the availability level
There are a limited number of compliance monitoring operations for which temporary loss of availability is likely to significantly degrade organizational or entity mission capability, place the organization or entity at a significant disadvantage, result in loss of major assets, or pose a threat to human life. This can result in assignment of a moderate impact level to such information.