Page 76 - CISSO_Prep_ Guide
department the system owners are in. The information must also
be protected in transit between systems or between a system and
its client. The importance of enforcing consistent protection rules
is reflected in regulation: even an incident in which an employee
accesses information that is not required to perform their job
function is a security breach. This is where the principles of
“least privilege” and “need to know” apply most vigorously.
There are two main factors in classifying information: sensitivity
and criticality. Sensitivity refers to confidentiality and integrity:
how sensitive is the information to disclosure (confidentiality) or
to modification (integrity)? Criticality is linked to availability:
what effect would the loss of the data have on the organization,
and what impact would a delay in having the correct information
promptly have on decision making or mission success?
The more sensitive or critical information is, the higher the level
of protection that must be provided for it.
The classification of the information is often based on the
impact (consequence) of a breach of the information together with
the frequency with which such an attack can be expected. These
are generally expressed as qualitative values such as Low,
Moderate, or High¹.
The organization will usually handle many different types of
information, and the protection required will vary according to
the information type. The classification of the data is done first
by looking at the various elements (types) of information the
¹ For an example of this, see NIST SP 800-60, http://csrc.nist.gov