The FIPS 199 document defines how to determine if a system should be categorized as low, moderate or high risk.
There are three categories to judge this by: confidentiality, integrity and availability.
For each of these you need to determine if it is a low risk, moderate risk or a high risk. Once you have done that for each category, you choose the highest one of the three and that is the risk level for the system.
To sum it up
and so on.
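The high-water-mark procedure above, as an added example that is not part of the original note. It generalizes to a system that handles several information types (FIPS 199 takes the highest impact per objective across them, with LOW as the system-level floor); the sample information types are constructed.

```python
# Added example (not from the original note) of the FIPS 199 "high water mark"
# procedure. It generalizes to a system handling several information types:
# per objective the system takes the highest impact of any information type
# (FIPS 199 sec. 3), no objective falls below LOW at system level, and the
# system's overall level is the highest of the three objectives.

RANK = {"N/A": -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}   # N/A sits below LOW
OBJECTIVES = ("confidentiality", "integrity", "availability")


def system_categorization(info_types):
    """Aggregate impact per objective over all information types.

    info_types: {name: {objective: level}}. FIPS 199 lets confidentiality be
    'N/A' for an information type (public data) but no other objective.
    """
    sc = {obj: "LOW" for obj in OBJECTIVES}      # system-level floor is LOW
    for name, levels in info_types.items():
        for obj in OBJECTIVES:
            level = levels[obj]
            if level not in RANK or (level == "N/A" and obj != "confidentiality"):
                raise ValueError(f"{name}: invalid {obj} impact {level!r}")
            if RANK[level] > RANK[sc[obj]]:
                sc[obj] = level
    return sc


def overall_level(sc):
    """The system's impact level is the highest of its three objectives."""
    return max(sc.values(), key=RANK.__getitem__)


def format_sc(label, sc):
    """Render in FIPS 199 notation: SC x = {(confidentiality, LOW), ...}."""
    parts = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample input: three information types a campus system might hold.
SAMPLE_INFO_TYPES = {
    "course catalog": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "student records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "payroll": {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "LOW"},
}

if __name__ == "__main__":
    sc = system_categorization(SAMPLE_INFO_TYPES)
    print(format_sc("campus system", sc))
    print("Overall impact level:", overall_level(sc))
```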
The FIPS document (on the Z: drive) says this:
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.
While the categories of availability, confidentiality and integrity sound logical and are easy to apply, reading the potential impact definitions shows that something developed for the US Army, NSA, CIA, FBI, FAA, etc. does not scale well to a university environment.
For Clayton State, we need to make our own definition of LOW, MODERATE, and HIGH impact that match up better with our goals.