Supports the internal actions necessary to develop a plan for resuming operations after a catastrophe occurs, such as a fire or earthquake. The overall accountability rating for this information classification is Low.
Confidentiality level = Low
The confidentiality impact level is the effect of the unauthorized disclosure of service recovery information on the ability of responsible entities to develop plans for resuming operations after a catastrophe occurs, such as a fire or earthquake. In the case of service recovery plans for natural catastrophes, the information associated with service recovery planning is not intrinsically sensitive. In the case of catastrophes caused by malicious activity, unauthorized disclosure of service recovery information may inform an adversary regarding what facilities and processes are considered to be critical. Such unauthorized disclosure may also equip an adversary with the information necessary to attack a system in such a way that operations are disrupted, and that recovery is impaired or even blocked. The purpose of most service recovery information is to protect against natural catastrophes rather than against malicious attacks. In most cases, the consequence of loss of confidentiality of service recovery information is not likely to do serious harm to organizational assets, personnel, or missions.
Known mitigating factors toward changing the confidentiality level
Unauthorized disclosure of background information that supports development of organizational service recovery plans can reveal sensitive vulnerabilities, capabilities, intelligence assessments, intelligence sources, or methods employed in trade secret activities. Depending on the information in question, the confidentiality impact can be moderate, high, or involve trade secret information (outside the scope of this guideline). Also, some service recovery plans are themselves trade secret information.
Integrity level = Low
The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information.
Availability level = Moderate
The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to reestablish access to the service recovery information. The effects of disruption of access to service recovery information or information systems depend on the timing of the disruption. If access to service recovery information is denied because of a power outage, recovery may be delayed and the work of organizational entities disrupted.
Known mitigating factors toward changing the availability level
Service recovery planning processes are usually tolerant of delay. In contrast, the implementation of recovery plans is not tolerant of delays. For service recovery implementation, the consequences of access disruption depend on the time period of the disruption and the criticality of the disrupted processes. The consequent impact level may range from low to high.