Information necessary to ensure that all persons who are potentially entitled to receive any organizational benefit are enumerated and identified so that organizational entities can have reasonable assurance that they are paying or communicating with the right individuals. This information includes individual citizens’ Social Security Numbers, names, dates of birth, places of birth, parents’ names, credit card information, protected health information, etc. The overall accountability rating for this information classification is Moderate.
Confidentiality level = Moderate
The confidentiality impact level is based on the effects of unauthorized disclosure of personal identity and authentication information on the ability of organizational entities to determine that communications with and payments to individuals are being made with or to the correct individuals - and to protect individuals against identity theft and the organization against fraud. Unauthorized disclosure of raw data and other source information for identity authentication operations is likely to violate the various state and international privacy laws and other regulations applicable to the dissemination of personal and organizational information. There are many cases in which unauthorized disclosure of personal identity and authentication information will have only a limited adverse effect on organizational operations, assets, or individuals. However, the potential for use of such information by criminals to perpetrate identity theft and related fraud can do serious harm to individuals. Unauthorized disclosure of centrally managed personal identity and authentication information, such as health information, cardholder data, or passport and visa control databases, can have a serious adverse effect on organizational missions.
Known mitigating factors toward changing the confidentiality level
Very large aggregate tort awards can result from large-scale disclosure of personal identity and authentication information. For entities that manage large income information involving records of the general public, the provisional confidentiality impact level can be expected to be at least moderate. Where personal identity and authentication information is used in controlling access to facilities (e.g., organizational facilities, critical infrastructure facilities, key organizational assets) or for border control purposes, the consequences of unauthorized disclosure that permits credentials forgery can justify a high impact assignment.
Integrity level = Moderate
The integrity impact level is based on the specific purpose to which personal identity and authentication information is put, and not on the time required to detect the modification or destruction of information. In the case of very large databases containing personal identity and authentication information relating to the general public, there is a significant probability that erroneous actions will be taken affecting benefits entitlements of or access to facilities by large numbers of individuals. In the case of benefits, this can result in at least short-term financial hardship for staff and/or clients. It can also be expected to result in very serious disruption of the organization’s operations due to large time and resource requirements for taking corrective actions.
Known mitigating factors toward changing the integrity level
In the case of smaller organizations, and where the information affected is limited to employees, there will still be an impact, but the consequences may justify only a low provisional impact rating. Where a data modification permits access to facilities by individuals to whom access should be prohibited, the integrity impact could be high.
Availability level = Moderate
The availability impact level is based on the specific purpose to which personal identity and authentication information is put, and not on the time required to reestablish access to the personal identity and authentication information. Benefits determination processes are generally tolerant of reasonable delays. In many cases, disruption of access to personal identity and authentication information can be expected to have only a limited adverse effect on organizational operations, organizational assets, or individuals.
Known mitigating factors toward changing the availability level
In the case of very large databases containing personal identity and authentication information relating to staff and/or clients and suppliers, there is a significant probability that processing delays will affect the benefits entitlements of or access to facilities by large numbers of individuals. The larger the number of records affected, the longer the delays that can be expected to result. This can result in financial hardship for staff and/or clients and suppliers and in serious disruption of the organization’s operations due to large time and resource requirements for backlog processing. In such cases, the availability impact level would be at least moderate. In the case of permanent loss of records or access to facilities by emergency personnel, the impact might even be high.
