1
00:00:00,090 --> 00:00:02,130
In this lesson, we'll continue

2
00:00:02,130 --> 00:00:05,640
on to step two in the risk management framework,

3
00:00:05,640 --> 00:00:08,227
which is called "Categorizing Your System".

4
00:00:08,227 --> 00:00:12,510
There are three tasks in this step.

5
00:00:12,510 --> 00:00:14,850
By the end of task C1,

6
00:00:14,850 --> 00:00:16,470
you'll have a complete system description

7
00:00:16,470 --> 00:00:19,920
with all the essential characteristics described.

8
00:00:19,920 --> 00:00:22,440
There are many examples of the different types

9
00:00:22,440 --> 00:00:25,410
of descriptive information that you could include

10
00:00:25,410 --> 00:00:27,780
in your security and privacy plans.

11
00:00:27,780 --> 00:00:29,820
Let me give you some examples.

12
00:00:29,820 --> 00:00:31,740
There's the name of the system,

13
00:00:31,740 --> 00:00:34,290
its version number or release number,

14
00:00:34,290 --> 00:00:37,740
the manufacturer, the owner of the system,

15
00:00:37,740 --> 00:00:39,930
the custodian of the system,

16
00:00:39,930 --> 00:00:42,690
the organization that manages, owns,

17
00:00:42,690 --> 00:00:45,750
or controls the system, there's the location

18
00:00:45,750 --> 00:00:48,510
of the system and so on.

19
00:00:48,510 --> 00:00:51,360
The system description will later be attached

20
00:00:51,360 --> 00:00:54,390
to your security and privacy plans.

21
00:00:54,390 --> 00:00:56,433
Now, the outputs of task C2,

22
00:00:57,450 --> 00:01:00,450
which is called "Security Categorization"

23
00:01:00,450 --> 00:01:02,837
are the impact levels for each type

24
00:01:02,837 --> 00:01:05,940
of information in your system.

25
00:01:05,940 --> 00:01:08,130
Security categorization considers

26
00:01:08,130 --> 00:01:10,290
how the organization will be impacted

27
00:01:10,290 --> 00:01:13,740
if there's a loss of confidentiality, integrity,

28
00:01:13,740 --> 00:01:17,130
or availability of the information.

29
00:01:17,130 --> 00:01:18,390
Note that some organizations

30
00:01:18,390 --> 00:01:22,290
use categories like classified and restricted

31
00:01:22,290 --> 00:01:25,203
when they're categorizing their information.

32
00:01:26,250 --> 00:01:30,510
You'll end the Categorize step with task C3,

33
00:01:30,510 --> 00:01:33,960
where your security categorization is reviewed

34
00:01:33,960 --> 00:01:35,670
and hopefully approved

35
00:01:35,670 --> 00:01:38,250
by your key decision makers.

36
00:01:38,250 --> 00:01:39,300
As you complete step two,

37
00:01:39,300 --> 00:01:42,690
make sure that all key stakeholders are aware

38
00:01:42,690 --> 00:01:45,900
of what classifications have been selected

39
00:01:45,900 --> 00:01:47,430
for your data types

40
00:01:47,430 --> 00:01:49,950
because you'll use this information

41
00:01:49,950 --> 00:01:53,280
as a key input into step number three,

42
00:01:53,280 --> 00:01:55,197
which is called "Select".