
RA-2 Security Categorization

PBMM (P1)
Secret (P1)
Management

>Control Description

(A) The organization categorizes information and the information system in accordance with applicable GC legislation and TBS .

(B) The organization documents the security categorization results (including supporting rationale) in the security plan for the information system.

(C) The organization ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official’s designated representative.

>Supplemental Guidance

Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards.

Organizations also consider the potential adverse impacts to other organizations and potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets and, along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.

Related controls: CM-8, MP-4, RA-3, SC-7.
