The third step in the security categorization process is to determine the security category of the business
In normal circumstances, the security category of a business activity should express the highest levels of
injury of all related business processes and information assets for each of the security objectives.
Individually, these elements may be attributed different levels of injury for a given protection objective.
For example, a business activity may involve one type of information with an assessed injury level of low
for confidentiality and another type of information with an assessed injury level of medium for the same
security objective (both for non-national interest). These individual values are important and should be
documented. However, the security category of the business activity should reflect the highest level of
injury. For the preceding example, the business activity’s confidentiality would be marked as Protected B.
Notwithstanding, there may be circumstances where more analysis is required to determine the most
appropriate security category. For example, security practitioners may attribute a higher level than the
high watermark because of the aggregate effects of threat compromise, or an interdependency involving a
critical process outside of a business activity’s boundary.
The output of this step is the security category of the business activity, which can be expressed using the
same marking format as for individual business processes and information.
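
The high-watermark rule and the documented practitioner override described above, as an added example that is not part of the original guidance. The three-level scale, the integrity and availability objective names, the Override type and the sample elements are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed three-level ordinal scale; the page itself names only "low" and "medium".
LEVELS = ("low", "medium", "high")
# Assumed objective names; the page names only confidentiality.
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Override:
    """Hypothetical record of a decision to rate above the high watermark."""
    objective: str
    level: str
    rationale: str  # e.g. aggregation, or an interdependency outside the boundary


def high_watermark(elements):
    """Highest assessed injury level per objective across all elements."""
    result = {}
    for objective in OBJECTIVES:
        ranks = [LEVELS.index(levels[objective]) for levels in elements.values()]
        result[objective] = LEVELS[max(ranks)]
    return result


def categorize(elements, overrides=()):
    """Return (security category, override log) for one business activity."""
    category = high_watermark(elements)
    log = []
    for ov in overrides:
        if not ov.rationale.strip():
            raise ValueError(f"override for {ov.objective} needs a documented rationale")
        if LEVELS.index(ov.level) <= LEVELS.index(category[ov.objective]):
            raise ValueError(f"override for {ov.objective} must exceed the high watermark")
        log.append(f"{ov.objective}: {category[ov.objective]} -> {ov.level} ({ov.rationale})")
        category[ov.objective] = ov.level
    return category, log


# Constructed sample: the individual values stay documented per element.
SAMPLE = {
    "info: contact list": {"confidentiality": "low", "integrity": "low", "availability": "low"},
    "info: case files": {"confidentiality": "medium", "integrity": "medium", "availability": "low"},
    "process: case intake": {"confidentiality": "low", "integrity": "medium", "availability": "medium"},
}

if __name__ == "__main__":
    print(categorize(SAMPLE, [Override("availability", "high", "critical external dependency")]))
```

With the sample above, confidentiality resolves to medium, matching the page's low-plus-medium example.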