The fourth step of the security categorization process is the preparation of the security categorization
report.
Security practitioners should summarize in a report the results of the injury assessment for reporting
purposes and to serve as input to two downstream activities (the IT security function definition process
and the departmental security control profile development process). For each business process and related
information, the security categorization report should include:
• A short description;
• A description of the expected injuries from threat compromise;
• The levels of expected injury as they relate to confidentiality, integrity, and availability; and
• The rationale for attributing the levels of injury.