This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] is the level of [Assurance] or confidence within an [Assertion] and is used within the [Risk Assessment].
Balancing the [Level Of Assurance] with the [Risk Assessment] is complex; however, it must be simplified enough for decisions to be made in a reasonable time.
!! [{$pagename}] for [Data Classification] [Example]
A [Data Classification] assessment is required to properly determine the sensitivity of [access].
Below is an [Example] of a [Risk Assessment] for an [Organizational Entity].
%%zebra-cccccc
%%sortable
%%table-filter
||Impact of [Authentication] Error||[LOA 1]||[LOA 2]||[LOA 3]||[LOA 4]
|[LoA|Level Of Assurance]|Little or no [Assurance] exists in the asserted [Digital Identity] - usually self-asserted; essentially a persistent identifier|[Assurance] exists that the asserted [Digital Identity] is accurate; used frequently for self service [applications]|High [Assurance] in the asserted [Digital Identity]'s accuracy; used to access [Protected Data]|Very high [Assurance] in the asserted [Digital Identity]'s accuracy; used to access highly [Protected Data].
|Potential Damage to [reputation]|[Low]|[Moderate]|[Moderate]|[High]
|Potential [Financial damage] or liability|[Low]|[Moderate]|[Moderate]|[High]
|Potential for unauthorized [release|Releasability] of sensitive information|N/A
|Potential civil (or [Criminal action]) violations; e.g. out of [compliance] with [Regulatory compliance] rules|N/A|[Low]|[Moderate]|[High]
|Potential harm to Organization's programs or public interests|N/A|[Low]|[Moderate]|[High]
|Potential impact to personal safety|N/A|N/A|[Low]|[Moderate]/[High]
/%
/%
/%
* N/A - can be thought of as "Not Appropriate" for the chart.
!! [NIST.SP.800-63-3] [{$pagename}]
[NIST.SP.800-63-3] sections on Selecting [{$pagename}]s:
The [Risk Assessment] results are the primary factor in selecting the most appropriate [{$pagename}]. This section details how to apply the results of the [Risk Assessment] with additional factors unrelated to [risk] to determine the most advantageous [{$pagename}] selection.
First, compare the [Risk Assessment] impact profile to the impact profiles associated with each [{$pagename}], as shown below. To determine the required [{$pagename}], find the lowest [{$pagename}] whose impact profile meets or exceeds the potential impact for every category analyzed in the [Risk Assessment].
Maximum Potential Impacts for Each Assurance Level
%%zebra-table
%%sortable
%%table-filter
||Impact Categories||1||2||3
|Inconvenience, distress or damage to standing or [reputation]|[Low]|[Moderate]|[High]
|Financial loss or agency liability|[Low]|[Moderate]|[High]
|Harm to agency programs or public interests|N/A|[Low]/[Moderate]|[High]
|[Unauthorized] [release|Releasability] of [Sensitive Data]|N/A|[Low]/[Moderate]|[High]
|Personal Safety|N/A|[Low]|[Moderate]/[High]
|Civil or criminal violations|N/A|[Low]/[Moderate]|[High]
/%
/%
/%
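The selection rule above, worked through as an added example (not code from NIST or from this wiki): it returns the lowest level whose profile covers every assessed category and names the categories that forced that level. The category keys and function names are hypothetical; treating N/A as "no impact" and a missing category as N/A are assumptions.

```python
# Added example (not from NIST or this wiki): pick the lowest assurance level
# whose maximum-impact profile covers every category of a risk assessment.
RANK = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}

# Maximum impact per level (1, 2, 3), transcribed from the table above.
# A "Low/Moderate" or "Moderate/High" cell is stored as its upper bound.
# Category keys are hypothetical short names for the table rows.
MAX_IMPACT = {
    "reputation":        ("Low", "Moderate", "High"),
    "financial":         ("Low", "Moderate", "High"),
    "agency_programs":   ("N/A", "Moderate", "High"),
    "sensitive_release": ("N/A", "Moderate", "High"),
    "personal_safety":   ("N/A", "Low", "High"),
    "civil_criminal":    ("N/A", "Moderate", "High"),
}

def _score(assessment, category):
    # Assumption: a category missing from the assessment means no impact (N/A).
    return RANK[assessment.get(category, "N/A")]

def required_level(assessment):
    """Return the lowest level (1-3) whose profile meets or exceeds every impact."""
    for category, impact in assessment.items():
        if category not in MAX_IMPACT:
            raise ValueError(f"unknown impact category: {category!r}")
        if impact not in RANK:
            raise ValueError(f"unknown impact value for {category}: {impact!r}")
    for level in (1, 2, 3):
        if all(_score(assessment, cat) <= RANK[limits[level - 1]]
               for cat, limits in MAX_IMPACT.items()):
            return level
    raise AssertionError("unreachable: level 3 accepts High in every category")

def driving_categories(assessment):
    """Categories that rule out the next-lower level, i.e. why the level is needed."""
    level = required_level(assessment)
    if level == 1:
        return []
    return sorted(cat for cat, limits in MAX_IMPACT.items()
                  if _score(assessment, cat) > RANK[limits[level - 2]])

if __name__ == "__main__":
    # Constructed sample assessment, not taken from the page.
    sample = {"reputation": "Low", "financial": "Moderate", "personal_safety": "Moderate"}
    print(required_level(sample), driving_categories(sample))
```

A single category can raise the result on its own: a Moderate personal-safety impact requires level 3 even when every other category is Low.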
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]