System Information Criticality

The process of creating the actual System Criticality Matrix (SCM) is very similar to the process of creating the Organizational Information Criticality Matrix (OICM). Each matrix utilizes the exact same impact attributes that were used to create the OICM. The impact attributes should include confidentiality, integrity, and availability. Each separate system has its own SCM created with all relevant information types listed along the left side. Systems are defined by the customer, based on what network components utilize each of the information types. There should be one SCM per system. If the customer has defined 15 systems, then 15 SCMs need to be created to convey the criticality of each system to the organization. Each SCM is assigned a high-water mark. The high-water mark is the highest rating in each column of the SCM. For example, if the highest rating in the Integrity column is a High, then the high-water mark for Integrity in that system in also High. Once all the SCMs are created, one can move on to the next step in the National Security Agency Assessment Methodology process.