1 / 25

Information Asset Classification

Information Asset Classification2rev. 10/24/2007Community of Practice. Information security. Information protection is something you do, not something you buy. It is not a policy to put in place and forget. Information security requires a strong process and effective technologies all based on a sound understanding of the business the organization is in and how it performs that business." Burton GroupA Systematic, Comprehensive Approach to Information Security" October 15, 2007.

kelii
Download Presentation

Information Asset Classification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Information Asset Classification Community of Practice rev. 10/24/2007 Information Asset Classification What it means to management

    2. Information Asset Classification 2 rev. 10/24/2007 Community of Practice Information security “Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business.” Burton Group “A Systematic, Comprehensive Approach to Information Security” October 15, 2007

    3. Information Asset Classification 3 rev. 10/24/2007 Community of Practice Information security Elements: Identify Classify Protect Manage

    4. Information Asset Classification 4 rev. 10/24/2007 Community of Practice What is an information asset? Anything that has value to the agency that can be communicated or documentary material, regardless of its physical form or characteristics. Includes, but is not limited to, paper, electronic, digital, images, and voice mail. Information technology hardware and software are not information assets for classification purposes.

    5. Information Asset Classification 5 rev. 10/24/2007 Community of Practice Information asset classification The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles. The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets.

    6. Information Asset Classification 6 rev. 10/24/2007 Community of Practice Why is classification important? Not all information has the same value or importance to an agency, therefore information requires different levels of protection. Information asset classification is critical to ensure assets have a level of protection corresponding to the sensitivity and value of the information asset.

    7. Information Asset Classification 7 rev. 10/24/2007 Community of Practice Five phase approach Management education Implementation strategy Employee education Implementation Maintenance

    8. Information Asset Classification 8 rev. 10/24/2007 Community of Practice Six maturity stages Stage 0 – No information assets are classified or assets are randomly classified. Stage 1 – Assets are classified at a high level or organizational level. Stage 2 – Processes are developed and implemented, allowing assets to be classified in detail

    9. Information Asset Classification 9 rev. 10/24/2007 Community of Practice Six maturity stages Stage 3 – New assets are classified in detail. Stage 4 – Legacy assets are classified in detail. Stage 5 – Assets are classified, and processes exist that allow for asset reassessment and new asset classification.

    10. Information Asset Classification 10 rev. 10/24/2007 Community of Practice Six maturity stages It is likely many agencies were at Stage 0 at the time the policy was approved. While Stage 5 is the ultimate goal, most agencies should be able to reach Stage 1 by July 2008.

    11. Information Asset Classification 11 rev. 10/24/2007 Community of Practice Classification methodology Identify information assets Identify the owner(s) Conduct an impact assessment Determine the classification Document classifications Provide education and awareness Maintain classification and conduct continuous review

    12. Information Asset Classification 12 rev. 10/24/2007 Community of Practice Classification levels Level 1 – Published Information that is not protected from disclosure, that if disclosed will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy media.

    13. Information Asset Classification 13 rev. 10/24/2007 Community of Practice Classification levels Level 1 – Published Examples: Press releases Brochures Pamphlets Public access Web pages Materials created for public consumption

    14. Information Asset Classification 14 rev. 10/24/2007 Community of Practice Classification levels Level 2 – Limited Information that may not be protected from public disclosure but if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties.

    15. Information Asset Classification 15 rev. 10/24/2007 Community of Practice Classification levels Level 2 – Limited Examples Enterprise risk management planning documents Published internal audit reports Names and addresses that are not protected from disclosure

    16. Information Asset Classification 16 rev. 10/24/2007 Community of Practice Classification levels Level 3 – Restricted Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption.

    17. Information Asset Classification 17 rev. 10/24/2007 Community of Practice Classification levels Level 3 – Restricted Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under contractual obligation of confidentiality with the agency (for example, confidential/non-disclosure agreement) prior to receiving it.

    18. Information Asset Classification 18 rev. 10/24/2007 Community of Practice Classification levels Level 3 – Restricted Examples: Network diagrams Personally identifiable information Other information exempt from public records disclosure

    19. Information Asset Classification 19 rev. 10/24/2007 Community of Practice Classification levels Level 4 – Critical Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury up to and including death to … (con’t.)

    20. Information Asset Classification 20 rev. 10/24/2007 Community of Practice Classification levels Level 4 – Critical (con’t.) … the named individual(s), agency employees, clients, partners or cause major harm to the agency.

    21. Information Asset Classification 21 rev. 10/24/2007 Community of Practice Classification levels Level 4 – Critical Examples: Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations Information that is typically exempt from public disclosure

    22. Information Asset Classification 22 rev. 10/24/2007 Community of Practice Classification levels Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset.

    23. Information Asset Classification 23 rev. 10/24/2007 Community of Practice Management methodology Use information asset classification levels to determine proper processes and procedures for: Information exchange Proper and secure handling Labeling Secure storage Proper destruction

    24. Information Asset Classification 24 rev. 10/24/2007 Community of Practice Where does an agency start? Determine information asset classification maturity stage. Develop documented methodologies and mechanisms for identifying and classifying assets. Determine the need for new or updated agency policies and procedures for classifying and handling information.

    25. Information Asset Classification 25 rev. 10/24/2007 Community of Practice Where does an agency start? Determine short-term and long-term goals to demonstrate constant improvement. Synchronize information asset classification efforts with other business-related activities.

    26. Information Asset Classification 26 rev. 10/24/2007 Community of Practice Resources Available at http://oregon.gov/DAS/EISPD/ESO Information Asset Classification Methodology Information Asset Classification statewide policy 107-004-050 Best practices documents

More Related