ABSTRACT
If it were not for the data that they process, information technology hardware and software could be secured like any other piece of high-value property. We could protect them just as we would safeguard tools, typewriters, merchandise, and other types of physical property. But in the case of an information technology system made up of hardware, software, and data, it is the data that places them in an altogether different category where protection against a distinct set of threats must be provided. And many of these threats (e.g., unauthorized access) do not pertain to other types of physical property. In terms of determining protection requirements, it is the sensitivity of data and the criticality of systems that are the primary drivers. This chapter will explore data sensitivity as it relates to information technology systems, and will also address the criticality or importance of computer systems to an organization’s overall mission. It is imperative to determine data sensitivity and criticality in order to define requirements for protection of information.
