The objective of this activity is to define the business domains of a department in support of developing the required departmental security control profiles. A business domain is characterized by the security categories of its business activities and their relevant IT security threats. Therefore, business domains may have differing protection needs, leading to differences in security control profiles.
For example, consider a set of business activities involving the distribution of non-sensitive GC publications and a second set of business activities involving high-value, critical financial transactions. In the latter scenario, the financial activities would likely have a higher security category and face more significant threats. This analysis would lead to the definition of two domains requiring two different domain security control profiles.
Departments have some flexibility in how they define their business domains. However they are defined, the security categories of the business activities and the significance of the threat environment should be well documented. Note that the departmental business activities should have been defined earlier (in whole or in part) during the security categorization activity (see Section 4.2.3).
The outputs of this activity are business domain definitions. For each defined business domain, the business domain definition should include the following information:
• A description of the business domain’s business objectives, processes and information assets;
• The security category of the business domain;
• A characterization of the threat environment of relevance to the business domain; and
• A statement of the level of risk that the business community deems acceptable when relying on information systems to support the domain’s business activities.