
The support site for the Unified Compliance Framework


Information control classifications and labels

The basic definitions of the confidentiality, integrity, availability, and accountability objectives, with the low, moderate, and high impact levels assigned to each, are listed below.

Assurance Objective | Low | Moderate | High
--- | --- | --- | ---
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Accountability: Ensuring that individuals and the organization are responsible for systems and the information they contain. | The unauthorized disclosure, modification, or disruption of access to or use of information could be expected to have a limited adverse effect on the organization's reputation and image. | The unauthorized disclosure, modification, or disruption of access to or use of information could be expected to have a serious adverse effect on the organization's reputation and image. | The unauthorized disclosure, modification, or disruption of access to or use of information could be expected to have a severe or catastrophic adverse effect on the organization's reputation and image.

Basics of information classification

This set of standard definitions is less prescriptive for mission-based information than it is for standard information classifications. The treatment of mission-based information should begin with these standardized guidelines as a reference source and be tailored to suit the undertaking and operations of the system in question. Therefore, the impact assignments listed here are only the first step in impact assignment, which should absolutely be adapted based upon a mission- and system-specific risk assessment. This is not a definitive checklist of information type assignments. It is the responsibility of each department head, along with appropriate IT staff and subject matter experts, to further define, and sign off on, their respective systems and information classifications.

Labeling the information control classifications

It is one thing to understand the basics of information classification and something quite different to be able to use those definitions effectively. To that end, we suggest that the organization create a very basic control classification system which it can then expand upon later. We say "very basic" because this classification system doesn't use certain government or legal labels such as "Top Secret" or "Legal eyes only." Those types of classifications would be sub-classifications of the three restricted categories defined here.

Once information has been properly classified with its confidentiality, integrity, and availability labels, those labels can be combined into one of five basic control classification groups (routing restricted, usage restricted, availability sensitive, operational, or unrestricted), as shown in the following table.

Confidentiality | Integrity | Availability | Assurance label | Legal label
--- | --- | --- | --- | ---
Low | Low | Low | Unrestricted | 
Moderate or low | Moderate or low | Moderate or low | S. O. P. | 
High | High, moderate, or low | High, moderate, or low | Access & routing restricted | NISPOM, ITAR, EAR, Personally Identifiable Information, Cardholder Data
Moderate or low | High | High, moderate, or low | Usage restricted | 
Moderate or low | Moderate or low | High | Keep available | Legal Hold

Classification rationale

Internal unrestricted

If the confidentiality, integrity, and availability of the data is ranked as low across the board, then there is little need for spending the time, effort, and funds to protect the data with a swarm of information controls. Instead, basic information management controls can be left in place to care for this type of data.

Operational restricted (SOP)

If the information has been classified with a mix of both moderate and low confidentiality, integrity, and availability classifications, then the information must have additional operational controls assigned to it.

Access & routing restricted

At the point when the information has been classified with confidentiality as high, it will need both access and routing restrictions assigned to it. High levels of confidentiality can be due to either privacy controls (who can see what), or routing controls (what can be sent where).

Usage restricted

Once information has been classified as having a value of high integrity, that information must have additional integrity and usage controls assigned to it. These would include integrity checking, integrity monitoring, and error reporting.

Availability restricted

Once the availability has been classified as high, this type of information must have additional availability controls assigned to it, such as more frequent backups, storage redundancy, or special restrictions regarding disposition processes.

Regulatory restricted with prescriptive labels

Of course, if the information has been classified as high in a combination of confidentiality, integrity, or availability, then multiple additional controls will apply (such as both usage restrictions as well as availability sensitivity controls).
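The label table above and the combination rule in this section can be expressed as a small decision routine. The following is an added example written for this page, not UCF code: the `Impact` levels and label names come from the table, while the control family names in `CONTROLS` are paraphrased from the rationale text and the sample inventory is constructed.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Impact levels from the assurance objective definitions table."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def parse_impact(text: str) -> Impact:
    """Map the page's wording ('Low', 'Moderate', 'High') to an Impact."""
    return Impact[text.strip().upper()]


# Control families the rationale section attaches to each label.
# Assumption: these strings paraphrase the page; they are not a UCF list.
CONTROLS = {
    "Access & routing restricted": ["access restrictions", "routing restrictions"],
    "Usage restricted": ["integrity checking", "integrity monitoring", "error reporting"],
    "Keep available": ["frequent backups", "storage redundancy", "disposition restrictions"],
    "S. O. P.": ["operational controls"],
    "Unrestricted": ["basic information management controls"],
}


def classify(confidentiality: Impact, integrity: Impact, availability: Impact) -> list:
    """Return every assurance label that applies to a (C, I, A) triple.

    Each High objective contributes its own restricted label, so a record
    that is High in several objectives carries several labels (the
    combination case). Only when nothing is High does the triple collapse
    to S. O. P. (at least one Moderate) or Unrestricted (all Low).
    """
    labels = []
    if confidentiality is Impact.HIGH:
        labels.append("Access & routing restricted")
    if integrity is Impact.HIGH:
        labels.append("Usage restricted")
    if availability is Impact.HIGH:
        labels.append("Keep available")
    if labels:
        return labels
    if Impact.MODERATE in (confidentiality, integrity, availability):
        return ["S. O. P."]
    return ["Unrestricted"]


def required_controls(labels: list) -> list:
    """Flatten the control families implied by a set of labels."""
    return [control for label in labels for control in CONTROLS[label]]
```

Calling `classify(parse_impact("High"), parse_impact("High"), parse_impact("Moderate"))` on a constructed record yields both the access & routing and usage labels, and `required_controls` lists the control families for each.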
