jspωiki
Assurance Level

Overview#

Assurance Level is the level of Assurance or confidence within than Assertion and is used within the Risk Assessment

Balancing the Level Of Assurance with the Risk Assessment is complex; However, it must be simplified enough for decision actions to be made in a reasonable time.

Assurance Level for Data Classification Example#

A Data Classification assessment is required to properly determine the sensitivity of access. Below is a Example of a Risk Assessment for an Organizational Entity.
Impact of Authentication ErrorLOA 1LOA 2LOA 3LOA 4
LoALittle or no Assurance exists in the asserted Digital Identity - usually self-asserted; essentially a persistent identifierAssurance exists that the asserted Digital Identity is accurate; used frequently for self service applicationsHigh Assurance in the asserted Digital Identity's accuracy; used to access Protected DataVery high Assurance in the asserted Digital Identity's accuracy; used to access highly Protected Data.
Potential Damage to reputationLowModerateModerateHigh
Potential Financial damage or liabilityLowModerateModerateHigh
Potential for unauthorized release of sensitive informationN/A
Potential civil (or Criminal action) violations; e.g. out of compliance with Regulatory compliance rulesN/ALowModerateHigh
Potential harm to Organization's programs or public interestsN/ALowModerateHigh
Potential impact to personal safetyN/AN/ALowModerate/High
  • N/A - can be thought of as "Not Appropriate" for the chart.

NIST.SP.800-63-3 Assurance Level#

NIST.SP.800-63-3 sections on Selecting Assurance Levels:

The Risk Assessment results are the primary factor in selecting the most appropriate Assurance Level. This section details how to apply the results of the Risk Assessment with additional factors unrelated to risk to determine the most advantageous Assurance Level selection.

First, compare the risk assessment impact profile to the impact profiles associated with each Assurance Level, as shown below. To determine the required Assurance Level, find the lowest Assurance Level whose impact profile meets or exceeds the potential impact for every category analyzed in the Risk Assessment

Maximum Potential Impacts for Each Assurance Level

Impact Categories123
Inconvenience, distress or damage to standing or reputationLowModerateHigh
Financial loss or agency liabilityLowModerateHigh
Harm to agency programs or public interestsN/ALow/ModerateHigh
Unauthorized release of Sensitive DataN/ALow/ModerateHigh
Personal SafetyN/ALowModerate/High
Civil or criminal violationsN/ALow/ModerateHigh

More Information#

There might be more information for this subject on one of the following: