14 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
most, if not all, information systems. The following are definitions for these three attributes. The parts within quotes are from SP 800-53; FIPS 200; FIPS 199; or 44 U.S.C., Sec. 3542.

Availability: “Ensuring timely and reliable access to and use of information.” Availability is impacted by human error, cabling problems, software bugs, hardware failures, staff absences, malicious code, and the many other threats that can render a system unusable or unreliable. The requirement for high availability is a critical requirement for online transactions, flight control, monitoring, and command and control (C2) systems.

Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” This is the requirement to ensure that the accuracy of the information is maintained when residing on the system, being correctly processed, or being transmitted from or to the system. The goal is to ensure that the information is not intentionally or accidentally corrupted. Integrity is critical to commercial and military tracking, safety, production, and financial systems.

Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” This requirement prevents the unauthorized disclosure of information while on the system, during transmission to other systems, and during the physical transfer of information from one location to another. This property is a key objective in systems with intellectual property, trade secrets, individual healthcare and personally identifiable information, and classified documents.

It would be totally cost prohibitive for organizations to provide all systems with a maximum level of protection. Fortunately, different systems require different levels of these properties depending on levied legal and regulatory requirements and, most importantly, on the impact that could result if one of these capabilities was lacking. It is the ISSMP’s responsibility to determine how much protection related to these three properties is needed to meet legal, regulatory, and business security requirements. Then the ISSMP must gain senior management’s approval to implement recommended safeguards or accept the risk.
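The sizing step described above (rate the impact of losing each of the three attributes, then derive the protection level from those ratings) can be made concrete with the security categorization scheme of FIPS 199, which the text cites. The following Python is an added worked example, not code from the (ISC)2 guide; it assumes the FIPS 199 rules that confidentiality alone may be rated "not applicable" and that a system's overall category is the high-water mark of its three ratings, and it assumes the SP 800-53 convention of naming the control baseline after that overall level. The four sample systems and their ratings are constructed for illustration and are not ratings the guide assigns.

```python
"""FIPS 199-style security categorization of a system from its C-I-A impact ratings.

Added example (not from the guide). Assumptions: the FIPS 199 high-water-mark
rule, N/A permitted only for confidentiality, and SP 800-53 baselines named
low / moderate / high after the overall impact level.
"""
from enum import IntEnum
from typing import NamedTuple


class Impact(IntEnum):
    """Potential impact if the attribute is lost (FIPS 199 levels)."""
    NOT_APPLICABLE = 0  # allowed only for confidentiality, e.g. public information
    LOW = 1
    MODERATE = 2
    HIGH = 3


class SecurityCategory(NamedTuple):
    """One system's impact rating for each of the three security attributes."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def validate(sc: SecurityCategory) -> None:
    """Reject ratings FIPS 199 does not allow: integrity and availability are never N/A."""
    if Impact.NOT_APPLICABLE in (sc.integrity, sc.availability):
        raise ValueError("integrity and availability must be LOW, MODERATE or HIGH")


def overall_impact(sc: SecurityCategory) -> Impact:
    """High-water mark: the system inherits the highest rating among C, I and A."""
    validate(sc)
    return max(sc)


def baseline(sc: SecurityCategory) -> str:
    """Name of the SP 800-53 control baseline that the overall impact level selects."""
    return {Impact.LOW: "low", Impact.MODERATE: "moderate", Impact.HIGH: "high"}[
        overall_impact(sc)
    ]


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render the category in FIPS 199 notation:
    SC name = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    label = {Impact.NOT_APPLICABLE: "N/A", Impact.LOW: "LOW",
             Impact.MODERATE: "MODERATE", Impact.HIGH: "HIGH"}
    return (f"SC {name} = {{(confidentiality, {label[sc.confidentiality]}), "
            f"(integrity, {label[sc.integrity]}), "
            f"(availability, {label[sc.availability]})}}")


# Constructed, illustrative ratings for the kinds of systems the text contrasts.
SYSTEMS = {
    "national intelligence system": SecurityCategory(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "public library information site": SecurityCategory(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
    "online shoe store": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "air traffic track display": SecurityCategory(Impact.LOW, Impact.HIGH, Impact.HIGH),
}


if __name__ == "__main__":
    # Shows why one maximum level of protection for every system is wasteful:
    # the same procedure yields a different baseline for each system.
    for name, sc in SYSTEMS.items():
        print(f"{format_sc(name, sc)} -> {baseline(sc)} baseline")
```

Note that the public site still lands on the low baseline even though confidentiality is N/A: integrity and availability of public information still matter, which is why FIPS 199 does not let those two attributes be waived. The air-traffic display illustrates the opposite case, where weak confidentiality needs do not lower the protection the system requires because its availability and integrity ratings dominate.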
Security Impact Analysis
The need for these properties on diverse systems will vary. Some systems will require very strong confidentiality (High), such as national intelligence systems. Others may require no confidentiality, such as the public information systems in the Library of Congress. Other systems will require varying degrees of confidentiality. Similarly, the levels of availability and integrity for a system used for purchasing shoes online and a system presenting airplane tracks to an air controller will be very different. Identifying the difference is critical to identifying the level of protection a