Security Analysis Methodology

All information flows were analyzed for their Confidentiality, Integrity and Availability (C-I-A) requirements as per FIPS 199. This analysis considered not only the information contained in the information flow, but also the application or service package context of the information flow. Then, for each physical object in each service package, overall C-I-A requirements were derived as follows:

There are two exceptions to this process:

All other flows are used in the aggregation. In some cases there is more than one plausible level for the security requirements on an information flow. In such cases, we indicate the level we think is most likely to be correct in the default case, and we have used that most plausible level when doing the aggregation.

FIPS 199 defines LOW, MEDIUM and HIGH requirements as follows. (The text is unchanged but reformatted from the original in FIPS 199):

We provide our own amplification below: