RA-2 Security Categorization
Description
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions.
Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability.
Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards.
Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts.
Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.
Applicability
This Control applies to all information resource owners, custodians, and users. It also applies to information resources storing University Data regardless of ownership of the particular storage device. Other federal, state, or contractual requirements may be more restrictive than the procedures specified in this Control (example: Classified National Security Information). In no situation can procedures regarding security of data be less restrictive than this Control, regardless of the contract or agreement specifications.
Implementation
TAMU-CC categorizes information and information systems owned or managed by the University using a data classification structure that incorporates the guidance provided in the Texas A&M University System Data Classification Standard, Appendix D [TAMUS Data Classification [PDF]], at a minimum:
- Categorizes information and the information system in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;
- Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
- Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019