Assigning risk levels to potential breach of security
FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security: low, medium, and high risk. In general, the potential risk is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. For example, a breach might:
- leave the RRB able to perform its primary functions, but with the effectiveness of those functions noticeably reduced;
- result in minor damage to organizational assets;
- result in minor financial loss; or
- result in minor harm to individuals.
We assigned risk levels to ERS according to the guidelines in FIPS PUB 199. Details are in the Summary section.
Potential Impact of a breach of security
There are many checks and balances in the application process to prevent an unauthorized individual from receiving an ERS password. If, through human error or other means, an unauthorized individual or impersonator gains access to ERS, there is a low risk:
- that they will have access to private information;
- that the private information will cause distress to the private party;
- that civil or criminal violations will be enforced; or
- that the individual will cause financial loss to the agency.
See the Summary section for additional details.
Determining the required assurance level
The generally low risk levels indicate that ERS requires assurance level 2 authentication. See the table in the Summary section for the determination of the authentication level based on the risk level.