Security Categorization Standard

1 PURPOSE 

This Standard defines the process for determining the Security Categorization of information technology resources and critical business processes at the University System of New Hampshire (USNH). 


2 SCOPE

This standard applies to all USNH business and academic units and USNH-owned information systems that collect, store, process, share or transmit institutional data. Personally owned devices connecting to the University Campus Network must meet the Bring Your Own Device standard requirements. 


3 STANDARD 

3.1 Overview

 Security categories are assigned to specific assets, like information technology resources, or to specific business processes to determine the potential impact of a cybersecurity event in that particular asset or process. The USNH Security Categorization process is based on three factors: 

  • The classification, per the USNH Information Classification Policy, of the institutional information used in the business process or that is captured, stored, processed, transmitted, or otherwise managed by the information technology resource 

  • The magnitude of the impact if that information were compromised 

  • Whether the impact involves a loss of confidentiality, integrity, or availability. 

3.2 Use Cases  

Security Categorization is used in a variety of ways, including but not limited to: 

  • Determining the security control baseline for a specific information technology resource or business process 

  • Informing loss magnitude determination as part of the Cybersecurity Risk Assessment process 

  • Contributing to the risk assessment of cybersecurity exception requests 

3.3 Information Type Determination

All USNH Security Categories are based on information types defined using two factors. 

The first factor is information classification, per the USNH Information Classification Policy. The current USNH Information Classifications are: 

  • Tier 1 – Public 

  • Tier 2 – Sensitive 

  • Tier 3 – Protected 

  • Tier 4 – Restricted 

Definitions and examples of each classification are available in the USNH Information Classification Policy. 

The second factor is the breadth of the information. Breadth is determined based on the number of USNH institutions whose information could be impacted. There are two levels used to define breadth – USNH and Institution. 

  • USNH: Used when the information that could be impacted includes data from two or more component institutions. Examples of information sets that would be assigned the USNH factor include: 

     o Human Resources and/or Finance environment, which contains information about all USNH employees 

     o A business process that involves handling employee PII for all USNH institutions 

  • Institution: Used when the information that could be impacted includes data from only one USNH institution. Examples of information sets that would be assigned the Institution factor include: 

     o Electronic Personal Health Information (ePHI) used by an institution's Student Health Center 

     o Financial Aid data used by an institution's financial aid office to process financial aid applications for that institution's students 

The combination of these two factors results in the following USNH Information Types: 

  • Public – USNH 

  • Public – Institution 

  • Sensitive – USNH 

  • Sensitive – Institution 

  • Protected – USNH 

  • Protected – Institution 

  • Restricted – USNH 

  • Restricted – Institution 

3.4 POTENTIAL IMPACT DETERMINATION

USNH uses the following levels to define the potential impact of an adverse cybersecurity event that compromises confidentiality, integrity, and/or availability. 

3.4.1 Impact = MINIMAL

The security category is minimal if a loss of confidentiality, integrity, or availability could result in a very limited adverse effect on one or more administrative, academic, or business units, with no real impact at the component institution level. 

Examples: Loss of confidentiality, integrity, or availability that results in: 

  • Minimal impact on budget or finances: financial impact can be recovered at the unit level in the current year's budget without a budget/financial variance 

  • Minimal damage to or loss of information technology resources, like endpoint computers, that can be recovered at the unit level without impacting the current year's budget 

  • No discernible impact on achievement of administrative, academic, or business unit objectives 

  • No impact on reputation or enrollment 

  • No impact on life and safety 

3.4.2 Impact = MODERATE

The security category is moderate if a loss of confidentiality, integrity, or availability could result in minor adverse effects on one or more administrative, academic, or business units, with no real impact at the component institution level.

Examples: Loss of confidentiality, integrity, or availability that results in:

  • Minor impact on budget or finances:

     o Financial impact can be recovered in the current year's budget but may require a small budget variance

     o Can be handled internally, without requiring assistance at the component institution level

  • Minor damage to or loss of information technology resources, like endpoints or servers, that can be replaced or recovered within the current year's budget

  • Minimal impact to the ability of an administrative, academic, or business unit to achieve one or more of its objectives, but no discernible impact on achievement of the overall mission and no impact on the component institution's ability to achieve its objectives

  • Limited potential for impact to reputation or enrollment (e.g., local news coverage for a single news cycle)

  • No impact to life and safety

3.4.3 Impact = SIGNIFICANT

The security category is significant if a loss of confidentiality, integrity, or availability could result in significant adverse effects on one or more administrative, academic, or business units, as well as the potential for discernible impacts at the component institution level.

Examples: Loss of confidentiality, integrity, or availability that results in:

  • Significant impact on budget or finances:

     o Financial losses may be recoverable within the current year, but will require reprioritization of funds within the internal budget

     o Financial losses may require a budget variance that needs assistance or approval at the component institution level

  • Significant damage to or loss of information technology resources that cannot be recovered in the current fiscal year by the impacted unit and requires assistance at the component institution level

  • Significant impact to the ability of an administrative, academic, or business unit to achieve its mission, with potential for a discernible impact on achievement of the component institution's objectives

  • Discernible impact to reputation with potential for a discernible impact to enrollment (e.g., persistent local news coverage lasting longer than a week, numerous calls/complaints to component institution leadership)

  • Potential for minimal harm to individuals due to losses that impact life and safety systems or processes

3.4.4 Impact = MAJOR

The security category is major if a loss of confidentiality, integrity, or availability could result in substantial adverse effects on several administrative, academic, or business units and at the component institution level.

Examples: Loss of confidentiality, integrity, or availability that results in:

  • Substantial impact on budget/finances: 

     o Substantial losses that are not recoverable within the current fiscal year at the institutional level and require assistance at the system level 

     o Requires a budget variance for the current and next fiscal year 

  • Substantial damage to or loss of information technology resources that cannot be recovered in the current fiscal year by the impacted institution and requires assistance at the system level 

  • Substantial impact on the ability of an administrative, academic, or business unit AND the impacted institution(s) to achieve objectives and overall mission 

  • Major impact on reputation with expected discernible impact on enrollment or hiring (e.g., national news coverage) 

  • Actual harm to individuals due to loss impacting life and safety systems or processes, including life-threatening injuries or loss of life, or resulting from a data loss that leads to real-world safety concerns 

3.4.5 Impact = CATASTROPHIC

The security category is catastrophic if a loss of confidentiality, integrity, or availability could result in unacceptable adverse effects on several component institutions and at the University System level.

Examples: Loss of confidentiality, integrity, or availability that results in:

  • Severe impact to budget/finances:

     o Unacceptable financial losses that cannot be recovered in this or the next fiscal year

     o Endangers the financial sustainability of one or more component institutions

  • Severe damage to or loss of information technology resources, where restoration requires diversion of funds at the system level

  • Severe impact to the institution(s)' ability to achieve their mission, potentially an institution-ending impact

  • Catastrophic impact to reputation with expected significant impact on enrollment and hiring (e.g., persistent national news coverage)

  • Grave harm to individuals due to loss impacting life and safety systems or processes, including life-threatening injuries and loss of life

3.5 SECURITY CATEGORIZATION OF INFORMATION TYPES

The potential impact for all three security objectives shall be assessed to determine the appropriate security categorization of an information type. ET&S uses the formula provided in FIPS 199 to make this determination. 

Security Category (SC) "Information Type" = {(Confidentiality, "Impact"), (Integrity, "Impact"), (Availability, "Impact")} 

All USNH Information Types were assessed and assigned impact scores for each security objective using this formula. In determining which categorization is appropriate, it was assumed that all institutional information within each information type that could be adversely impacted would be adversely affected. For example, for a loss of confidentiality of the Protected – USNH information type, the categorization assumes that all institutions' student records would be impacted. 

3.5.1 Security Categorization for each information type: 

Information Type         | Confidentiality Impact | Integrity Impact | Availability Impact | Security Category
Public – Institution     | Minimal                | Minimal          | Minimal             | Minimal
Public – USNH            | Minimal                | Minimal          | Minimal             | Minimal
Sensitive – Institution  | Moderate               | Moderate         | Moderate            | Moderate
Sensitive – USNH         | Moderate               | Moderate         | Moderate            | Moderate
Protected – Institution  | Significant            | Significant      | Significant         | Significant
Protected – USNH         | Major                  | Major            | Major               | Major
Restricted – Institution | Significant            | Significant      | Significant         | Significant
Restricted – USNH        | Catastrophic           | Major            | Major               | Catastrophic

The chart above indicates that the highest impact level applies as the Security Category when the three impact designations differ (the "high water mark" rule of FIPS 199). This means that a Security Category of MINIMAL can only be assigned when all three security objective impacts are MINIMAL, and a CATASTROPHIC impact on any one security objective always results in a Security Category of CATASTROPHIC. 
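As an added example (not part of the USNH standard or the ET&S tooling), the following Python encodes the impact levels from section 3.4, the per-information-type ratings from the table in section 3.5.1, and the FIPS 199 high-water-mark rule. It also goes one step beyond the standard's text by applying FIPS 199's rule for a resource or business process that handles more than one information type (the highest impact per security objective across the types handled, then the high-water mark of those three). The function names, the dictionary layout and the constructed input in the usage block are this example's own assumptions.

```python
"""FIPS 199 high-water-mark categorization over the USNH impact levels.

Added example, not part of the USNH standard. The impact level names and the
per-information-type ratings below are copied from sections 3.4 and 3.5.1;
the function names, the dictionary layout and the multi-type aggregation
rule (taken from FIPS 199's treatment of information systems) are this
example's own assumptions.
"""
from enum import IntEnum
from typing import NamedTuple


class Impact(IntEnum):
    """Potential-impact levels from section 3.4, ordered from lowest to highest."""
    MINIMAL = 1
    MODERATE = 2
    SIGNIFICANT = 3
    MAJOR = 4
    CATASTROPHIC = 5


class SecurityCategory(NamedTuple):
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @property
    def overall(self) -> Impact:
        """High-water mark: the overall category is the highest objective impact."""
        return max(self.confidentiality, self.integrity, self.availability)

    def render(self) -> str:
        """Write the category in the FIPS 199 notation the standard quotes."""
        return (f"SC = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}} -> {self.overall.name}")


# Ratings as published in section 3.5.1, keyed by (classification, breadth).
INFORMATION_TYPES: dict[tuple[str, str], SecurityCategory] = {
    ("Public", "Institution"):     SecurityCategory(Impact.MINIMAL, Impact.MINIMAL, Impact.MINIMAL),
    ("Public", "USNH"):            SecurityCategory(Impact.MINIMAL, Impact.MINIMAL, Impact.MINIMAL),
    ("Sensitive", "Institution"):  SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    ("Sensitive", "USNH"):         SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.MODERATE),
    ("Protected", "Institution"):  SecurityCategory(Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT),
    ("Protected", "USNH"):         SecurityCategory(Impact.MAJOR, Impact.MAJOR, Impact.MAJOR),
    ("Restricted", "Institution"): SecurityCategory(Impact.SIGNIFICANT, Impact.SIGNIFICANT, Impact.SIGNIFICANT),
    ("Restricted", "USNH"):        SecurityCategory(Impact.CATASTROPHIC, Impact.MAJOR, Impact.MAJOR),
}


def information_type(classification: str, breadth: str) -> tuple[str, str]:
    """Normalize the two section 3.3 factors into a table key, rejecting unknown ones."""
    cls = classification.strip().title()
    brd = breadth.strip()
    brd = "USNH" if brd.upper() == "USNH" else brd.title()
    key = (cls, brd)
    if key not in INFORMATION_TYPES:
        raise ValueError(f"unknown information type: {classification} - {breadth}")
    return key


def categorize(classification: str, breadth: str) -> SecurityCategory:
    """Security Category of a single information type, straight from the table."""
    return INFORMATION_TYPES[information_type(classification, breadth)]


def categorize_resource(handled: list[tuple[str, str]]) -> SecurityCategory:
    """Category for a resource or process that handles several information types.

    FIPS 199 rates an information system by taking, for each security objective
    separately, the highest impact among the information types it handles; the
    overall category is then the high-water mark of those three values.
    """
    if not handled:
        raise ValueError("a resource must handle at least one information type")
    cats = [categorize(c, b) for c, b in handled]
    return SecurityCategory(
        confidentiality=max(c.confidentiality for c in cats),
        integrity=max(c.integrity for c in cats),
        availability=max(c.availability for c in cats),
    )


if __name__ == "__main__":
    # Constructed input: a resource holding both Restricted - USNH and
    # Protected - USNH data. Confidentiality is driven by the Restricted type,
    # so the overall category lands at CATASTROPHIC.
    print(categorize_resource([("Restricted", "USNH"), ("Protected", "USNH")]).render())
```

Because `Impact` is an ordered `IntEnum`, `max` implements the high-water mark directly, and the two consequences stated above fall out of the table data: every type whose overall category is MINIMAL has all three objectives at MINIMAL, and Restricted – USNH is CATASTROPHIC although only its confidentiality impact is.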

3.5.2 Controlled Unclassified Information (CUI)

If a U.S. Federal Government entity requests safeguards for Controlled Unclassified Information (CUI), the required security measures will be aligned with federal government Cybersecurity Maturity Model Certification (CMMC) guidelines.


DOCUMENT HISTORY

  • Approved by: Tom Nudd, Chief Information Security Officer, V1.3, September 14, 2022 
  • Reviewed by: Dr. David Yasenchock, Director, Cybersecurity GRC 
  • Revision History: Review Draft Finalized, R Boyce-Werner, March 5, 2020 
    • V 1.1 Dr. David Yasenchock September 14, 2022 
    • V 1.2 Cybersecurity GRC Working Group, April 23, 2024 
    • Revised formatting, K SWEENEY, May 30, 2024
    • Added section 3.5.2, K SWEENEY, Sept 17, 2024