Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Asset Classification

Published byJeffry Cox Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Asset Classification"— Presentation transcript:

1 Information Asset Classification
What it means to management Information Asset Classification Community of Practice rev. 10/24/2007

2 Information security “Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business.” Burton Group “A Systematic, Comprehensive Approach to Information Security” October 15, 2007 Information Asset Classification 2 rev. 10/24/2007 Community of Practice

3 Information security Elements: Identify Classify Protect Manage
Information Asset Classification 3 rev. 10/24/2007 Community of Practice

4 What is an information asset?
Anything that has value to the agency that can be communicated or documentary material, regardless of its physical form or characteristics. Includes, but is not limited to, paper, electronic, digital, images, and voice mail. Information technology hardware and software are not information assets for classification purposes. Information Asset Classification 4 rev. 10/24/2007 Community of Practice

5 Information asset classification
The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles. The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets. Information Asset Classification 5 rev. 10/24/2007 Community of Practice

6 Why is classification important?
Not all information has the same value or importance to an agency, therefore information requires different levels of protection. Information asset classification is critical to ensure assets have a level of protection corresponding to the sensitivity and value of the information asset. Information Asset Classification 6 rev. 10/24/2007 Community of Practice

7 Five phase approach Management education Implementation strategy
Employee education Implementation Maintenance Information Asset Classification 7 rev. 10/24/2007 Community of Practice

8 Six maturity stages Stage 0 – No information assets are classified or assets are randomly classified. Stage 1 – Assets are classified at a high level or organizational level. Stage 2 – Processes are developed and implemented, allowing assets to be classified in detail Information Asset Classification 8 rev. 10/24/2007 Community of Practice

9 Six maturity stages Stage 3 – New assets are classified in detail.
Stage 4 – Legacy assets are classified in detail. Stage 5 – Assets are classified, and processes exist that allow for asset reassessment and new asset classification. Information Asset Classification 9 rev. 10/24/2007 Community of Practice

10 Six maturity stages It is likely many agencies were at Stage 0 at the time the policy was approved. While Stage 5 is the ultimate goal, most agencies should be able to reach Stage 1 by July 2008. Information Asset Classification 10 rev. 10/24/2007 Community of Practice

11 Classification methodology
Identify information assets Identify the owner(s) Conduct an impact assessment Determine the classification Document classifications Provide education and awareness Maintain classification and conduct continuous review Information Asset Classification 11 rev. 10/24/2007 Community of Practice

12 Classification levels
Level 1 – Published Information that is not protected from disclosure, that if disclosed will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy media. Information Asset Classification 12 rev. 10/24/2007 Community of Practice

13 Classification levels
Level 1 – Published Examples: Press releases Brochures Pamphlets Public access Web pages Materials created for public consumption Information Asset Classification 13 rev. 10/24/2007 Community of Practice

14 Classification levels
Level 2 – Limited Information that may not be protected from public disclosure but if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties. Information Asset Classification 14 rev. 10/24/2007 Community of Practice

15 Classification levels
Level 2 – Limited Examples Enterprise risk management planning documents Published internal audit reports Names and addresses that are not protected from disclosure Information Asset Classification 15 rev. 10/24/2007 Community of Practice

16 Classification levels
Level 3 – Restricted Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption. Information Asset Classification 16 rev. 10/24/2007 Community of Practice

17 Classification levels
Level 3 – Restricted Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under contractual obligation of confidentiality with the agency (for example, confidential/non-disclosure agreement) prior to receiving it. Information Asset Classification 17 rev. 10/24/2007 Community of Practice

18 Classification levels
Level 3 – Restricted Examples: Network diagrams Personally identifiable information Other information exempt from public records disclosure Information Asset Classification 18 rev. 10/24/2007 Community of Practice

19 Classification levels
Level 4 – Critical Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury up to and including death to … (con’t.) Information Asset Classification 19 rev. 10/24/2007 Community of Practice

20 Classification levels
Level 4 – Critical (con’t.) … the named individual(s), agency employees, clients, partners or cause major harm to the agency. Information Asset Classification 20 rev. 10/24/2007 Community of Practice

21 Classification levels
Level 4 – Critical Examples: Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations Information that is typically exempt from public disclosure Information Asset Classification 21 rev. 10/24/2007 Community of Practice

22 Classification levels
Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset. Information Asset Classification 22 rev. 10/24/2007 Community of Practice

23 Management methodology
Use information asset classification levels to determine proper processes and procedures for: Information exchange Proper and secure handling Labeling Secure storage Proper destruction Information Asset Classification 23 rev. 10/24/2007 Community of Practice

24 Where does an agency start?
Determine information asset classification maturity stage. Develop documented methodologies and mechanisms for identifying and classifying assets. Determine the need for new or updated agency policies and procedures for classifying and handling information. Information Asset Classification 24 rev. 10/24/2007 Community of Practice

25 Where does an agency start?
Determine short-term and long-term goals to demonstrate constant improvement. Synchronize information asset classification efforts with other business-related activities. Information Asset Classification 25 rev. 10/24/2007 Community of Practice

26 Resources Available at http://oregon.gov/DAS/EISPD/ESO
Information Asset Classification Methodology Information Asset Classification statewide policy Best practices documents Information Asset Classification 26 rev. 10/24/2007 Community of Practice

Download ppt "Information Asset Classification"

Similar presentations

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
Information Asset Classification Communications Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services.

Information Asset Classification Communications Forum Theresa A. Masse, State Chief Information Security Officer Department of Administrative Services.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Environmental Management System (EMS)

Environmental Management System (EMS)
Auditing Concepts.

Auditing Concepts.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:

Similar presentations

Ads by Google