Policy 7230A - Department of Administration
5.1.1.3 Actively Maintain Inventory
The inventory must be kept up to date at all times to ensure that,
when consulted, the information it contains is complete and accurate:
• When systems or system components are implemented, the
information is to be appended in the inventory.
• When systems or system components are modified in any
way, the information is to be appended in the inventory.
• When systems or system components are removed or
replaced, their information is to be removed from the
inventory.
• When configurations of systems or system components are
modified in any way, the information is to be appended in the
inventory.
• When system or system component documentation is
modified in any way, the information is to be appended in the
inventory.
5.1.2. Perform Systems and Data Classification<br />
In order to most efficiently protect information systems and the information<br />
they store and/or process, Agencies should perform security categorization:<br />
5.1.2.1 Identify Systems that Process or Store Information<br />
Determine all systems and system components that process<br />
(including access, input, modify and/or output) or store information<br />
in any form:<br />
• Utilize system and information inventories.<br />
5.1.2.2 Identify the Information Processed or Stored by the System<br />
In order to be able to properly assign a security categorization to the<br />
organization’s information assets, those assets must first be<br />
categorically and definitively identified and grouped by type:<br />
• Identify data that is related to the core services and the<br />
manner in which those services are delivered to the<br />
organization’s clients.<br />
• Identify data that is related to the internal functions or
processes of the organization itself.
5.1.2.3 Determine Security Impact Levels for Information<br />
Once information assets have been identified and grouped by type,
the impact to organizational security of the potential loss or
destruction of those assets must be assessed:
• Use NIST 800-60 Volume 2 to establish baseline impact levels.<br />
• Assess impact across all three security factors (Confidentiality,<br />
Integrity, Availability).<br />