1. For each CIA concept below, classify each example as having a low, moderate, or high level of impact on organizations or individuals. Justify your classifications.

a. Confidentiality: Student enrollment information; Student grade information; Student directories (name, address, telephone).

b. Integrity: An anonymous online poll; A hospital patient's allergy information stored in a database; A Web site that offers a forum to registered users to discuss some specific topic.

c. Availability: A public Web site for a university; An online telephone directory lookup application; A system that provides authentication services for critical systems, applications, and devices.

FIPS PUB 199 defines three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability):

Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; or (iii) result in minor harm to individuals.

Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.

The National Institute of Standards and Technology (NIST) has produced a large number of Federal Information Processing Standards Publications (FIPS PUBs), including FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems). FIPS PUB 199 provides a useful characterization of the three security objectives (the CIA triad) in terms of requirements and the definition of a loss of security in each category (confidentiality, integrity, availability).
