Question

A) Based on what the Federal Information Processing Standard 199 (FIPS-199) requires information owners to classify information and information systems? Provide a detailed answer.

B) Are there any differences between classifying governmental information and commercial information? And are there any common levels of classification have been used to classify governmental information and commercial information? Explain your answers and supported them with examples (NOT from the book or slides).

C) Can a company make a change on classified information? Assuming now a company feels that such information need higher protection or the company decide to make some information that was classified as secret to be accessed by public. Here, is there any mechanism or process that allows a change in classified information. Explain your answers and supported them with examples (NOT from the book or slides).

Answer 1

(A) Information owners require to classify information and information systems based on their:

1. Confidentiality - “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
2. Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
3. Availability - Ensuring timely and reliable access to and use of information.

Based on the above three parameters, every information and information system is categorized. This forms the basis of classification

(B) There is no difference in classification of government or commercial information. Some government and commercial information can be highly confidential, and some may be public. The level of categorization based on the above 3 parameters can be equally applied to both cases.

Common level of classification can be restricted access, highly confidential and public.

For example, military policies of a government can have restricted access and sales strategy in commercial cases can have restricted access

(C) A company can change a classified information based on requirement. For example, a company can have future marketing plans as secret but it can share this across various markets during implementation. Such decisions to change the classification needs approval and review by committees consisting of several members