The Guidelines Of The Assets Classification And Control To Help Information Owner Or The Organization Implement The Classification System
The previous article on information security management discussed the employee security guideline. This article discusses the classification and control of corporate information assets. Information is a corporate asset that needs to be suitably protected.

Assets Classification and Control
For significant information assets, Information Owners must be established and information must be classified to indicate the need, priorities and degree of protection required. The objective is to ensure that appropriate information security controls are applied to the organization’s significant information assets.
The guidance covers:
- Classification of information and appropriate marking or labeling to show the information is sensitive. This should ensure that recipients know to employ appropriate protective measures.
- Protection of information in an appropriate, practical and cost-effective way, that is proportionate to the business risk of disclosure. The need for protection is indicated by the classification marking, which is used within the organization or when shared with other commercial or Government organizations.
The security measures outlined here represent a minimum baseline for each level of classification. Extra security measures may be necessary in some circumstances.
Security Classification and Marking
Classified information is marked so that people know to apply appropriate security protection. The classification depends on the impact or damage likely to occur if the information is leaked or disclosed to the wrong people. There are four levels of classification:
- Highly Confidential (Protected)
- Confidential
- Internal Use Only
- Public
Information Owner Responsibilities
The Information Owner is responsible for allocating a suitable classification level for all information within their control based upon a current risk assessment. The Information Owner should ensure that the protection requirements per classification level are applied to all levels of classified information and conduct regular reviews to ensure that the requirements are being met.
Regular reviews will also help ensure that information that has been downgraded is not being protected at the previous classification level, which involves unnecessary and costly protection requirements.
Downgrading
Some information is only sensitive for a specific period of time. In this case, the Information Owner should indicate a date, or event, after which the information can be de-classified. This avoids unnecessary protection of information.
Highly Confidential (Protected)
Impact
Unauthorized disclosure or loss or unauthorized changes of information (even within the organization) would cause serious damage to the interests of the organization. It would normally inflict harm by virtue of serious financial loss, severe loss of profitability or opportunity, grave embarrassment or loss of reputation.
Highly Confidential is the highest level of classification within the organization. Types of information that should be classified to this level include:
- Details of major acquisitions, divestments and mergers
- High-level business and competition strategy
- Very sensitive competitor, partner or contractor assessments
- High-level business plans and potential options
- Patent secrecy information
- Material protectively-marked “Highly Confidential” by the organization
All information classified “Highly Confidential” must be marked with the classification level. This includes all documents (every folio), files, binders, media and equipment, all of which should be protected properly.
Confidential
Impact
Unauthorized disclosure or loss or unauthorized changes of information (even within the organization) would cause significant harm to the interests of the organization. This would normally inflict harm by virtue of financial loss, loss of profitability or opportunity, embarrassment or loss of reputation. Types of information that should be classified to this level include:
- Negotiating positions
- Marketing information
- Competitor assessments
- Personnel information
- Customer information
- Material protectively marked “Confidential” by the organization
All information classified “Confidential” must be marked clearly with the classification level. This includes all documents, files, binders, media and equipment.
“Internal Use Only” Classification
Impact
Unauthorized disclosure or loss or unauthorized changes of information, particularly outside the organization, would be inappropriate and inconvenient. This is routine information, which the organization simply wishes to keep private.
This classification may not need to be marked on information; it refers to the majority of information and should be the default classification unless otherwise warranted on a per-document basis.
Default
By default, all information is initially classified “Internal Use Only”. For example, the following statement should appear in the footer of all Internal Use Only business documents:
Copyright Statement © 2009 The Organization Internal Use Only
“Public” Classification
The Public classification level applies to the organization’s information that is authorized to be released into the public forum by Public Relations. There is no requirement to mark this information with the classification level.
This guideline is intended to help Information Owners or the organization implement the classification system as part of managing information security.