Information Management

Supports the coordination of information collection, storage, dissemination, and destruction, as well as managing the policies, guidelines, and standards regarding information management. The overall accountability rating for this information classification is Moderate.

Confidentiality level = High

The confidentiality impact level is the effect of unauthorized disclosure of information management information on the ability of responsible entities to perform the day-to-day processes of information collection, storage, dissemination, and destruction and to manage the policies, guidelines, and standards regarding information management. The consequences of unauthorized disclosure depend largely on the content and use of the information being managed. The unauthorized disclosure of information management information relevant to most information managed by the organization will have only a limited adverse effect on organizational operations, assets, or individuals. Particularly in the case of passwords and cryptographic keys, the provisional impact level recommended for information management information depends on the sensitivity and criticality of system information and processes. As a result, the recommended provisional impact level is “system high.”

Known mitigating factors toward changing the confidentiality level

Information collection and storage involve the day-to-day processes of gathering and storing data from organizational programs, partners, and stakeholders. More sensitive information being managed is usually personal information subject to the various state and international privacy laws or information that is proprietary to a corporation or other organization. Provisional impact levels for information subject to the various state and international privacy laws are documented in the Personal Identity and Authentication information type. Such information will often be assigned a moderate confidentiality impact level. Where any of the information to be managed can be expected to have a high confidentiality impact level, the information management information must be assigned a high confidentiality impact level. When the data being managed belongs to one of the information types described in this guideline, the confidentiality impact assigned to the system is that of the highest impact information type processed by the system. Depending on the organization and the mission being supported, the sensitivity of the information can range from none (public information) to high. (Trade secret information and trade secret systems are outside the scope of this guideline.)

Integrity level = Moderate

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. The consequences of unauthorized modification or destruction of information management information (e.g., configuration settings, passwords, authorization codes, cryptographic keying material) can compromise the effectiveness of the system and impair organizational operations. The level of impact depends on the criticality of system functionality to the organization's mission. Potentially serious adverse effects can be expected in most organizations resulting from the unauthorized modification or deletion of information management information. Therefore, the provisional integrity impact level recommended for information management information is moderate.

Known mitigating factors toward changing the integrity level

The loss of integrity for some information management information (e.g., encryption keys) can be very serious for organizational operations and can have serious consequences for public confidence in the organization. The integrity impact level recommended for information management information associated with highly critical information is high.

Availability level = Low

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to reestablish access to information management information. The effects of disruption of access to information management information may temporarily impair organizational operations. The level of impact depends on the sensitivity of the information being managed and the criticality of the system to the organization's mission. Except for information needed by real-time processes (e.g., information that feeds real-time monitoring or audit functions), information management processes are generally tolerant of reasonable delays. In most cases, disruption of access to information management information can be expected to have only a limited adverse effect on organizational operations, organizational assets, or individuals. Not many business management systems perform functions for which loss of availability can cause significant degradation in mission capability, place the organization at a significant disadvantage, result in major damage to assets, or pose a threat to human life.



Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.