ABSTRACT

If it were not for the data that they process, information technology hardware and software could be secured like any other piece of high-value property. We could protect them just as we would safeguard tools, typewriters, merchandise, and other types of physical property. But in the case of an information technology system made up of hardware, software, and data, it is the data that places them in an altogether different category, one for which protection against a distinct set of threats must be provided. Many of these threats (e.g., unauthorized access) do not pertain to other types of physical property. In determining protection requirements, the sensitivity of data and the criticality of systems are the primary drivers. This chapter explores data sensitivity as it relates to information technology systems and addresses the criticality, or importance, of computer systems to an organization’s overall mission. It is imperative to determine data sensitivity and criticality in order to define requirements for the protection of information. The most recent guidance of the NIST (National Institute of Standards and Technology) on information system security authorization refers to this process as categorization.