Page 77 - CISSO_Prep_ Guide
organization handles, including items such as personally
identifiable information, trade secrets or intellectual property,
and financial data. Next, consider each of the confidentiality,
integrity, and availability factors separately by answering the
following questions: "If there was a breach of confidentiality of
this type of information we handle, would the impact on the
business be low, moderate or high?"
"What would the impact on the business be if there was a breach
of the integrity of this type of information?" And, finally, "What
would the impact on the business be if this type of information
was not available when it was needed?"
Low would represent a limited level of impact - some cost, but
the business would still be able to meet its core goals.
Moderate would be a more serious level of impact - higher cost,
a degraded level of service, and perhaps injury to a person.
High would be a severe or catastrophic level of impact - loss of
life or serious injury, very high cost, or inability to meet core
mission goals.
Once the impact has been determined for each type of
information the organization handles, the organization will
group the data into categories and label the information
accordingly. This information classification effort will
determine the controls necessary to protect each information
classification or division. The rating of an information type will
usually be based on the highest of the three levels of impact that
were determined earlier (the "high-water mark" rule). In other
words, an information type that was rated Confidentiality
(Moderate), Integrity (Low), and Availability (Low) would be
classified as Moderate, since that was the highest of the three
factors.
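The high-water-mark rule above is easy to get wrong when it is done by hand across many information types, so here is an added example (not from the guide) that applies it programmatically. The inventory of information types and their C/I/A ratings is constructed for illustration; the `system_category` roll-up goes one step beyond the page and applies the same rule across every information type a single system handles, which is how FIPS 199 derives a system's overall category.

```python
"""High-water-mark information classification (added example, not from the guide)."""
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels ordered so that max() selects the most severe one."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def parse_impact(value):
    """Accept 'low', 'Moderate', 'HIGH', etc.

    Anything else raises instead of silently defaulting to LOW, which would
    under-classify the data.
    """
    try:
        return Impact[value.strip().upper()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown impact level: {value!r}")


def classify(confidentiality, integrity, availability):
    """Rating for one information type: the highest of its C, I and A impacts."""
    return max(parse_impact(confidentiality),
               parse_impact(integrity),
               parse_impact(availability))


def group_by_classification(inventory):
    """Group information types by their rating.

    inventory: {type_name: (C, I, A)}  ->  {Impact: [type_name, ...] sorted}
    Every level is present in the result, even if no type landed there.
    """
    groups = {level: [] for level in Impact}
    for name, (c, i, a) in inventory.items():
        groups[classify(c, i, a)].append(name)
    return {level: sorted(names) for level, names in groups.items()}


def system_category(inventory):
    """FIPS 199-style roll-up (beyond the page's text): a system that handles
    several information types inherits the highest rating among them."""
    return max(classify(*cia) for cia in inventory.values())


# Constructed sample inventory (hypothetical ratings for illustration only).
SAMPLE_INVENTORY = {
    "customer PII": ("high", "moderate", "low"),
    "product roadmap (trade secret)": ("moderate", "low", "low"),
    "quarterly financials": ("moderate", "high", "moderate"),
    "public marketing copy": ("low", "low", "low"),
}

if __name__ == "__main__":
    for level, names in group_by_classification(SAMPLE_INVENTORY).items():
        print(f"{level.name:8s} {names}")
    print("system category:", system_category(SAMPLE_INVENTORY).name)
```

The page's own worked case (Confidentiality Moderate, Integrity Low, Availability Low) comes out as Moderate, as the text says. Note that `group_by_classification` tells you which types share a control set, but the mapping from a classification level to the actual controls is the organization's own decision and is not encoded here.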