2. Information Asset Classification
Information asset classification is the procedure for assigning the appropriate classification label to each piece of information and for defining how information carrying that label is to be handled.
3. Information Asset Classification
Who is responsible for information asset classification?
Responsibility is divided among three roles:
1. OWNER
2. CUSTODIAN
3. USER
4. Information Asset Classification
OWNER:
The information owner is the individual who initiates the creation or storage of the information.
The owner is ultimately responsible and liable for the information and for how it is used to achieve business goals.
CUSTODIAN:
The information custodian is usually a member of the information technology staff and is responsible for implementing and monitoring the security safeguards needed to protect the information assets.
USER:
The information user is anyone who uses the information to achieve business objectives.
5. Information Asset Classification
Information Classification:
Information classification is the organization of information assets according to their sensitivity to disclosure.
Classification Systems:
Classification systems are the sets of labels that we assign to identify sensitivity levels.
6. Information Asset Classification
Government & Military Classification Systems
The four levels, from most to least sensitive:
Top Secret
Secret
Confidential
Unclassified
Top Secret:
Applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security."
Secret:
Applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security."
Confidential:
Applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security."
Unclassified:
Applied to "any information that can generally be distributed to the public without any threat to national interest."
7. Information Asset Classification
Commercial Classification Systems
Most commercial systems revolve around these four classification levels:
Confidential
Sensitive
Restricted
Public
Confidential:
Meant to be kept secret.
Only available to a small circle of authorized individuals.
The commercial equivalent of Top Secret.
Disclosure would cause significant financial loss, reputation loss and/or legal liability.
8. Information Asset Classification
Sensitive:
Disclosure does not necessarily imply legal liability or financial loss.
Disclosure does imply loss of reputation and personal credibility.
May also involve loss of privacy-related information.
Access should be granted on a strict need-to-know basis.
Restricted:
Business-related information that should only be used and accessed internally.
Unauthorized disclosure would impair the business and/or result in business, financial or legal loss.
Also includes most information subject to non-disclosure agreements.
Public:
Information that does not require protection.
Information that is specifically intended for the public.
9. Retention and Disposal of Information Assets
Data retention is the practice of storing documents, records, and other data types for a specific period. Data destruction, on the other hand, is the process of sorting and shredding data that is no longer useful to an organization.
Retention in information security:
Data retention policies define what data should be stored or archived, where that should happen, and for exactly how long. Once the retention period for a particular data set expires, the data can be deleted, or moved as historical data to secondary or tertiary storage, depending on the requirements.