
Instructions for Security Categorization (Due 11/9/15)
November 9, 2015
The first step in the risk management framework, also called Assessment and Authorization (A&A), is to categorize an information system. The security categorization process involves reviewing the information types, as defined by NIST SP 800-60, that an information system processes, stores or transmits, and assigning a low, moderate or high impact value to the confidentiality, integrity and availability of those information types. Additionally, security control RA-2 requires that a security categorization be conducted by all USGS Systems and S&SS Assets.
While USGS Systems and S&SS Assets have previously completed security categorizations, most activities were conducted several years ago. To ensure the security categorizations are still correct, the Information Security Office is requiring all Systems and S&SS Assets to conduct a new security categorization by November 9, 2015, using the Information Types Workbook available at http://internal.usgs.gov/oei/security/docs/Information_Types_Workbook_v1.3.xlsx.
Instructions for completion are provided on the first tab of the workbook, ‘Instructions’ (in yellow). Once the workbook is completed, Information System Security Officers and S&SS Asset Security Managers should:
· Go to their existing folder on the A&A SharePoint portal;
· Create a new ‘FY16 Activity’ folder;
· Upload the completed workbook to the FY16 Activity folder; and
· Send an email to gs-i_ana@usgs.gov.
The Information Security Office will review the completed workbooks and coordinate with Systems and S&SS Assets, as needed, to revise or adjust any resulting categorization values. Progress on activities will be captured on the Continuous Monitoring Dashboards at http://internal.usgs.gov/oei/security/continuous_monitoring.html.
Please send any questions or concerns to gs-i_ana@usgs.gov.
Thank you.