FIPS 199

An official U.S. standard from NIST that describes the CIA concepts of security.

Formal definitions

  • Confidentiality
    • Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
  • Integrity
    • Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
  • Availability
    • Ensuring timely and reliable access to and use of information

Three security levels

| Category | Low | Moderate | High |
|---|---|---|---|
| Confidentiality | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |