Security Basics mailing list archives

Clarification on levels of CIA


From: mr.nasty () ix netcom com
Date: 2 Nov 2006 20:30:50 -0000

I'm in the process of working the bugs out of a new security plan.  In the plan (according to NIST) there's a section 
to indicate the type of protection needed for the system.  A system may need protection for one or more of the 
following reasons:

Confidentiality - The system contains information that requires protection from unauthorized disclosure.
Integrity - The system contains information which must be protected from unauthorized, unanticipated, or unintentional 
modification.
Availability - The system contains information or provides services which must be available on a timely basis to meet 
mission requirements or to avoid substantial losses. 

Describe, in general terms, the information handled by the system and the need for protective measures.

-  Relate the information handled to each of the three basic protection requirements above (confidentiality, integrity, 
and availability).
-  Include a statement of the estimated risk and magnitude of harm resulting from the loss, misuse, or unauthorized 
access to or modification of information in the system.  To the extent possible, describe this impact in terms of cost, 
inability to carry out mandated functions, timeliness, etc.

For each of the three categories (confidentiality, integrity, and availability), indicate if the protection requirement 
is:

High - a critical concern of the system;
Medium - an important concern, but not necessarily paramount in the organization's priorities; or
Low - some minimal level of security is required, but not to the same degree as the previous two categories.

It seems every organization I've worked at feels their information is at the High level.  How do you explain that 
anyone who might compromise their data only has access to the following:

1) name (could be a business name)
2) address (probably a business addy)
3) access to the data (which is basically publicly available)
4) phone number

That would be all the personally identifiable information available.  They cannot get credit card, SSN, dob, Drivers 
License or any other personally identifiable information.

Did I miss something here?

My reason for asking is if any of you have had experience with putting together a security plan in accordance with NIST 
you'll know that as you gather together the information you can see a picture of a purpose for a certain level of 
security.

If an organization artificially raises the security level with no justification within the plan and the actual level of 
security is operating at low to medium, won't that have an adverse effect when it comes to an IT audit?

Common sense tells me that it would.  I cannot get management to provide a statement of the estimated risk and 
magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information in the 
system.  Except to say that ‘look at the page it’s pretty obvious’.

I wouldn’t be asking if it was so obvious.

