Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 5: Asset Classification. 2 Objectives  Assign information ownership responsibilities  Develop and use information classification guidelines.

Similar presentations


Presentation on theme: "Chapter 5: Asset Classification. 2 Objectives  Assign information ownership responsibilities  Develop and use information classification guidelines."— Presentation transcript:

1 Chapter 5: Asset Classification

2 2 Objectives  Assign information ownership responsibilities  Develop and use information classification guidelines  Understand information handling and labeling procedures  Manage an information classification program  Identify and inventory information systems  Recognize the goal and methodology of criticality assessments  Create and implement asset classification policies

3 3 Introduction What is an information asset?  A definable piece of valuable information to an organization stored in any form  The information is used by the company (regardless of size) to fulfill its mission or goal

4 4 What Are We Trying to Protect? Information Systems  Provide a way and a place to process, store, transmit and communicate the information  Usually a combination of both hardware and software assets  ASPs: Application Service Providers. A way to outsource applications to avoid internal hosting and management When using an ASP, proper due diligence should be conducted to insure the protection of the data

5 5 What Are We Trying to Protect? Cont. Information Ownership  ISO stands for Information Security Officer  The ISO is accountable for the protection of the organization. Compare this with: The information owner is responsible for his/her information The information custodian is responsible for implementing the actual controls that protect the information assets  The ISO is the central repository of security information

6 6 Information Classification Definitions:  Information Classification Information classification is the organization of information assets according to their sensitivity to disclosure  Classification Systems Classification systems are labels that we assign to identify the sensitivity levels

7 7 Information Classification Cont. Government & Military Classification Systems  Top Secret  Secret  Confidential  Unclassified

8 8 Information Classification Cont.  Top Secret applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause an exceptionally grave damage to the national security”  Secret applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security”

9 9 Information Classification Cont.  Confidential applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security”  Unclassified applied to “any information that can generally be distributed to the public without any threat to national interest”

10 10 Information Classification Cont. Commercial classification systems:  No standard: each company can choose its own system that matches its culture and needs  Usually less complex than the government system  The more regulated a company, the more complex the classification system they adopt

11 11 Information Classification Cont. Commercial classification systems  Most systems revolve around these four classification levels:  Confidential  Sensitive  Restricted  Public

12 12 Information Classification Cont. Commercial classification systems  Confidential: Meant to be kept secret Only available to a small circle of authorized individuals Equivalent of Top Secret Disclosure would cause significant financial loss, reputation loss and/or legal liability

13 13 Information Classification Cont. Commercial classification systems  Sensitive: Does not necessarily imply legal liability and financial loss in case of disclosure Does imply loss of reputation & personal credibility May also imply loss of privacy-related information Access should be granted on a strict need-to-know basis

14 14 Information Classification Cont. Commercial classification systems  Restricted: Business-related information that should only be used and accessed internally Unauthorized disclosure would result in impairment of the business and/or result in business, financial or legal loss Also includes most information subjected to non- disclosure agreements

15 15 Information Classification Cont. Commercial classification systems  Public: Information that does not require protection Information that is specifically intended for the public

16 16 Information Classification Cont. Commercial classification systems  Criteria used to classify information:  The info is not public knowledge or public domain  The info has demonstrated value to the organization  The info needs to be protected from the outside of the organization  The info is subject to government regulation Question a company should ask:  What’s the worst impact that would result from the unauthorized disclosure of this bit of information?

17 17 Information Classification Labeling and Handling Information labeling:  Labeling is the vehicle for communicating the sensitivity level Familiar labels:  Labels must be clear & self-explanatory  In electronic form, the label should be made part of the file name  In printed form, the label should be clearly visible on the outside and in the header and/or footer

18 18 Information Classification Labeling and Handling Cont. Information handling:  Information must be handled in accordance with its classification  The information user is responsible for using the information in accordance with its classification level

19 19 Information Classification Program Lifecycle The lifecycle starts with assigning a classification level, and ends with declassification Information classification Procedure:  A nine-step process: Define the information asset and the supporting information system Characterize the criticality of the information system Identify the information owner and information custodian Assign a classification level to the information

20 20 Information Classification Program Lifecycle Cont. Information classification Procedure  A nine-step process (cont.): Determine & implement the corresponding level of security controls Label the information & information system Document handling procedures, including disposal Integrate the handling procedures into an information user security awareness program Declassify information when (and if) appropriate

21 21 Reclassification / Declassification  The need to protect information may change  With that change, the label assigned to that information may change as well  The process of downgrading sensitivity levels is called declassification  The process of upgrading sensitivity levels is called reclassification

22 22 Value and Criticality of Information Systems  Information is assigned a classification level for protection purposes  Classification is only one of the elements in determining the overall value & criticality of the information to the organization  The asset’s value must be determined before a cost can be associated with protecting this asset

23 23 Value and Criticality of Information Systems Cont. Calculating the value of an asset:  Cost to acquire or develop asset  Cost to maintain & protect asset  Cost to replace asset  Importance of asset to owner  Competitive advantage of the information  Marketability of information  Impact on deliver of services  Reputation  Liability issues  Regulatory compliance requirements

24 24 Value and Criticality of Information Systems Cont. An organization should always keep an updated information asset inventory  You can’t protect what you don’t know you have! Asset Inventory Methodology:  Hardware assets include (but are not limited to): Computer equipment Communication equipment Storage media Infrastructure equipment

25 25 Value and Criticality of Information Systems Cont. Asset Inventory Methodology  Software assets include (but are not limited to): Operating System software Productivity software Application software

26 26 Value and Criticality of Information Systems Cont. Asset Inventory characteristics & attributes:  Each asset should have a unique identifier Create a naming convention so that all assets are consistently named throughout the company  Each asset should have a description What is this asset used for?  Manufacturer imprint: Hardware: Manufacturer name, model & serial numbers Software: publisher name, version number, revision number, patch level

27 27 Value and Criticality of Information Systems Cont. Asset Inventory characteristics & attributes:  Physical address: geographical location of the asset  Logical address: where the asset can be found in the organization’s network  Controlling entity: the department that funded the purchase/development of this asset

28 28 System Characterization  Articulates the understanding of the system, including the boundaries of the system being assessed, the system’s hardware and software, and the information that is stored, processed and transmitted.  Assets should be ranked based on their protection level and importance to the organization

29 29 System Characterization Cont.  Two criteria used to rank information: System impact  How vital is this information to the organization? Protection level  The level of protection/safeguards required

30 30 System Characterization Cont.  Three levels used to characterize information assets (system impact): High: breach or disruption of information would have major business processing or customer impact Medium: breach or disruption of information would have minor business processing or customer impact Low: breach or disruption of information would have no business processing or customer impact

31 31 System Characterization Cont.  Three levels used to characterize information assets (Information protection): High: Compromise / disclosure / loss would have a significant negative impact Medium: Compromise / disclosure / loss would have some negative impact Low: Compromise / disclosure / loss would have a minimal negative impact

32 32 System Characterization Cont.  Criticality ratings: provide the basis on which to prioritize and allocate resources to protect information assets Also used during risk analysis and management, disaster recovery planning and business continuity planning Should be revised at least once a year and anytime a change driver is introduced

33 33 Summary  A company cannot defend its information assets unless it knows what they are and where they are. Furthermore, the company must also identify how critical these assets are to the business process.  Companies need an inventory of their assets and a classification system for those assets.  Companies should run critical analyses at least once a year.


Download ppt "Chapter 5: Asset Classification. 2 Objectives  Assign information ownership responsibilities  Develop and use information classification guidelines."

Similar presentations


Ads by Google