Control: The organisation:
Security Categorisation Supplemental Guidance:
Clearly defined authorisation boundaries are a prerequisite for effective security categorisation decisions. Security categories describe the potential adverse impacts to organisational operations, organisational assets, and individuals if organisational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organisations conduct the security categorisation process as an organisation-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organisations also consider the potential adverse impacts to other organisations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorisation processes carried out by organisations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.