Define Consequences

This is a one-time setup step, required as part of Determining the Information Asset Value.
Note: Changing the Risk Categories after Information Assets have been classified against a prior Risk Framework can invalidate those classifications, since each classification is derived from the consequences defined in the framework that was current at the time.

Step 2.1 Define Consequences

The classification of Information Assets, and indirectly the System Assets, is based on the potential consequences of a compromise, assessing the impact on confidentiality, integrity, and availability, in accordance with guidelines such as those outlined in NIST FIPS 199 and FIPS 200.

Risk Framework

The consequences are defined in your organisation's Risk Framework. The Risk Framework includes a table of Risk Categories, which outlines the various levels of impact (e.g., Insignificant, Minor, Moderate, Major, Critical) that a compromise could have on different aspects of the organisation's operations, such as Financial, Regulatory Compliance, Customer Experience, and Business Outcomes.
Sample Risk Framework
OVIC provides a Risk Framework, which was imported during Step 1.1; however, its Risk Categories and consequence levels may not align with your organisation's own risk framework.
Each organisation may have a different set of categories that are important to them, and a 'Critical' outcome for a smaller organisation may be significantly different from a 'Critical' outcome for a large organisation. Refer to the 'Financial' category row as an example.
The Business Impact Levels (BILs), however, are consistent across all organisations. The definition of BIL 5, for example, is the same for organisations of all sizes: "Compromise of the information would be expected to cause exceptionally grave damage to the national interest."
This requires that organisation-specific Risk Framework consequences are mapped appropriately to the fixed OVIC BIL definitions. Smaller organisations will typically map their Critical consequences to BIL 2 or BIL 3; no compromise of their information, however severe, could reach BIL 4 or BIL 5.

Information Asset Classification Framework

An Information Asset Classification Framework defines the labels and handling restrictions that are applied to Information and System Assets. In Cybersecurity Office, these are mapped directly to the same consequences defined in the Risk Framework across all of the same Risk Categories. This means that by identifying the potential consequences from a compromise of an Information Asset, the labels and handling restrictions are automatically derived.
OVIC has a specific set of labels, handling caveats and handling restrictions.
OVIC Information Asset Classification Mapping to Consequences
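The derivation described above, written out as an added example in Python (this is not code from Cybersecurity Office or OVIC). It takes an organisation-specific mapping of consequence levels to BILs, checks that the mapping is sane (covers every level, stays within BIL 1 to 5, and never maps a more severe consequence to a lower BIL), rates an Information Asset per Risk Category for confidentiality, integrity and availability, and derives the asset's BIL as the highest BIL across all categories and all three properties (the FIPS 199 high-water mark), then the label from the BIL. It also rejects ratings against categories that no longer exist in the framework, which is the failure the note at the top of this page warns about. The consequence levels and Risk Categories are the ones named on this page; the `SMALL_ORG` mapping values, the BIL-to-label table and the sample assessment are assumptions constructed for illustration, so take the authoritative label table from OVIC.

```python
"""Derive an Information Asset's BIL and classification label from its
consequence ratings (added example; not Cybersecurity Office or OVIC code)."""
from dataclasses import dataclass

# Consequence levels from the page's sample Risk Framework, least to most severe.
LEVELS = ("Insignificant", "Minor", "Moderate", "Major", "Critical")

# Risk Categories named on the page.
CATEGORIES = ("Financial", "Regulatory Compliance",
              "Customer Experience", "Business Outcomes")

# ASSUMED BIL -> label table for illustration only; use the OVIC table.
BIL_LABELS = {1: "OFFICIAL", 2: "OFFICIAL: Sensitive", 3: "PROTECTED",
              4: "SECRET", 5: "TOP SECRET"}

PROPERTIES = ("confidentiality", "integrity", "availability")


def mapping_problems(level_to_bil: dict) -> list:
    """Return a list of reasons a consequence-level -> BIL mapping is invalid
    (empty list means the mapping is acceptable)."""
    problems = []
    if set(level_to_bil) != set(LEVELS):
        problems.append(f"mapping must cover exactly the levels {LEVELS}")
        return problems
    bils = [level_to_bil[lvl] for lvl in LEVELS]
    if any(b not in BIL_LABELS for b in bils):
        problems.append("every BIL must be an integer from 1 to 5")
    # A more severe consequence must never map to a lower BIL than a milder one.
    if any(lo > hi for lo, hi in zip(bils, bils[1:])):
        problems.append("mapping is not monotonic across consequence levels")
    return problems


@dataclass(frozen=True)
class RiskFramework:
    """Organisation-specific consequence levels mapped onto the fixed OVIC BILs."""
    name: str
    level_to_bil: dict

    def __post_init__(self):
        problems = mapping_problems(self.level_to_bil)
        if problems:
            raise ValueError(f"{self.name}: " + "; ".join(problems))

    def bil(self, level: str) -> int:
        if level not in self.level_to_bil:
            raise ValueError(f"unknown consequence level {level!r}")
        return self.level_to_bil[level]


# Hypothetical smaller organisation: even a Critical consequence caps at BIL 3.
SMALL_ORG = RiskFramework("small-org", {
    "Insignificant": 1, "Minor": 1, "Moderate": 2, "Major": 2, "Critical": 3})


def classify(framework: RiskFramework, assessment: dict) -> dict:
    """assessment is {property: {category: level}} for C, I and A.

    Each property's BIL is the highest BIL across all Risk Categories, and the
    asset's BIL is the highest across the three properties (FIPS 199 high-water
    mark). Returns per-property BILs, the overall BIL and the derived label.
    """
    missing = set(PROPERTIES) - set(assessment)
    if missing:
        raise ValueError(f"assessment is missing {sorted(missing)}")
    per_property = {}
    for prop in PROPERTIES:
        ratings = assessment[prop]
        stale = set(ratings) - set(CATEGORIES)
        if stale:
            # Ratings left behind by a Risk Category that was later removed:
            # the classification cannot be trusted and must be redone.
            raise ValueError(f"{prop}: ratings for unknown categories {sorted(stale)}")
        if set(ratings) != set(CATEGORIES):
            raise ValueError(f"{prop}: every Risk Category needs a rating")
        per_property[prop] = max(framework.bil(lvl) for lvl in ratings.values())
    overall = max(per_property.values())
    return {"per_property": per_property, "bil": overall, "label": BIL_LABELS[overall]}


# Constructed sample assessment for one asset (e.g. a customer records store):
# a confidentiality breach is Critical for Regulatory Compliance, while the
# worst availability consequence is only Moderate.
SAMPLE_ASSESSMENT = {
    "confidentiality": {"Financial": "Major", "Regulatory Compliance": "Critical",
                        "Customer Experience": "Major", "Business Outcomes": "Moderate"},
    "integrity": {"Financial": "Moderate", "Regulatory Compliance": "Major",
                  "Customer Experience": "Minor", "Business Outcomes": "Minor"},
    "availability": {"Financial": "Moderate", "Regulatory Compliance": "Minor",
                     "Customer Experience": "Moderate", "Business Outcomes": "Minor"},
}

if __name__ == "__main__":
    print(classify(SMALL_ORG, SAMPLE_ASSESSMENT))
```

For the sample above the small organisation's Critical regulatory consequence drives confidentiality to BIL 3, integrity and availability land at BIL 2, and the asset as a whole classifies at BIL 3. Because the per-property BILs are kept, the result also supports handling rules that differ for confidentiality and availability, rather than collapsing everything to the single overall label.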

Options

There are two primary options for defining the Risk Framework and Information Asset Classification Framework:
  1. Option 1: VPDSF BIL
  2. Option 2: Cybersecurity Office Excel
