
Information Asset Classification Community of Practice rev. 10/24/2007

Information Asset Classification

What it means to management


Information security

“Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business.”

Burton Group, “A Systematic, Comprehensive Approach to Information Security,” October 15, 2007


Information security

Elements: Identify, Classify, Protect, Manage


What is an information asset?

Anything that has value to the agency and that can be communicated, or any documentary material, regardless of its physical form or characteristics.

Includes, but is not limited to, paper, electronic, digital, images, and voice mail.

Information technology hardware and software are not information assets for classification purposes.


Information asset classification

The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles.

The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets.


Why is classification important?

Not all information has the same value or importance to an agency; therefore, different information requires different levels of protection.

Information asset classification is critical to ensure assets have a level of protection corresponding to the sensitivity and value of the information asset.


Five phase approach

1. Management education
2. Implementation strategy
3. Employee education
4. Implementation
5. Maintenance


Six maturity stages

Stage 0 – No information assets are classified or assets are randomly classified.

Stage 1 – Assets are classified at a high level or organizational level.

Stage 2 – Processes are developed and implemented, allowing assets to be classified in detail.


Stage 3 – New assets are classified in detail.

Stage 4 – Legacy assets are classified in detail.

Stage 5 – Assets are classified, and processes exist that allow for asset reassessment and new asset classification.


It is likely many agencies were at Stage 0 at the time the policy was approved.

While Stage 5 is the ultimate goal, most agencies should be able to reach Stage 1 by July 2008.


Classification methodology

1. Identify information assets
2. Identify the owner(s)
3. Conduct an impact assessment
4. Determine the classification
5. Document classifications
6. Provide education and awareness
7. Maintain classification and conduct continuous review


Classification levels

Level 1 – Published

Information that is not protected from disclosure and that, if disclosed, will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy media.


Level 1 – Published examples:

Press releases
Brochures
Pamphlets
Public access Web pages
Materials created for public consumption


Level 2 – Limited

Information that may not be protected from public disclosure but that, if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties.


Level 2 – Limited examples:

Enterprise risk management planning documents
Published internal audit reports
Names and addresses that are not protected from disclosure


Level 3 – Restricted

Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption.


Level 3 – Restricted (con’t.)

Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under a contractual obligation of confidentiality with the agency (for example, a confidentiality/non-disclosure agreement) prior to receiving it.


Level 3 – Restricted examples:

Network diagrams
Personally identifiable information
Other information exempt from public records disclosure


Level 4 – Critical

Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury, up to and including death, to the named individual(s), agency employees, clients, or partners, or cause major harm to the agency.


Level 4 – Critical examples:

Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations
Information that is typically exempt from public disclosure


Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset.


Management methodology

Use information asset classification levels to determine proper processes and procedures for:

Information exchange
Proper and secure handling
Labeling
Secure storage
Proper destruction


Where does an agency start?

1. Determine information asset classification maturity stage.

2. Develop documented methodologies and mechanisms for identifying and classifying assets.

3. Determine the need for new or updated agency policies and procedures for classifying and handling information.


4. Determine short-term and long-term goals to demonstrate constant improvement.

5. Synchronize information asset classification efforts with other business-related activities.


Resources

Available at http://oregon.gov/DAS/EISPD/ESO:

Information Asset Classification Methodology
Information Asset Classification statewide policy 107-004-050
Best practices documents