Information Asset Classification Strategy
Community of Practice
Version 1.0
July 23, 2007
Information Asset Classification Objective
• Develop and implement processes that allow an organization to continually assess and classify its information assets.
• Provide information asset classification plans for assessment.
Why Classify Information Assets?
• Information asset classification allows an organization to:
– Continually assess what types of precautions must be taken to ensure the availability, integrity and confidentiality of its information assets, relative to their value.
– Collect documentation on its information assets:
• Data Owner
• Archive requirements
• Compliance requirements
• Associated business functions (Business Continuity Planning)
Difficulties
• Organizations vary in complexity and information security maturity.
• Availability of resources.
• Identifying and documenting information assets.
• Determining “What is Good Enough”.
• Determining where to start.
Classification Maturity Stages
• 0 - No information assets are classified, or assets are randomly classified.
• 1 - Assets are classified at a high level or organizational level; assets are unidentified.
• 2 - Processes are developed and implemented allowing assets to be classified in detail.
• 3 - New assets are classified in detail.
• 4 - Legacy assets are classified in detail.
• 5 - Assets are classified, and processes exist that allow for asset reassessment and new asset classification.
Stage 1
• Assets are classified at a high level or organizational level; assets are unidentified.
– Using an organizational chart:
• Determine the highest classification level used by the organizational unit.
• Estimate the percentage breakdown of each information classification used by the organizational unit.
– Determine the default information asset classification to be used by the organizational unit based upon the highest classification level and percentages.
– Remember to manage or classify by exception.
Stage 2
• Processes are developed and implemented allowing assets to be classified in detail.
– This level indicates that the organization has sustainable processes that will allow it to classify information assets and synchronize with other activities.
• Synch with System Development Life Cycle (SDLC)
– For new systems or during upgrades, include classification on system and report(s).
• Synch with Information Exchange Assessments
– Identify information asset classification when receiving or providing information.
• Synch with forms development
– Include classification level on all forms.
Stage 2
• Synchronizing with other efforts lessens the impact of resource limitations and improves efficiencies.
• An everyday example is the changing of a smoke detector battery and furnace filter during the semi-annual changing of the clocks.
Stage 3
• New assets are classified in detail.
– Synch with System Development Life Cycle (SDLC)
• For new systems, include classification on system and report(s).
– Synch with Information Exchange Assessments
• Identify information asset classification when receiving information.
– Synch with forms development
• Include classification level on all new forms.
Stage 4
• Legacy assets are classified in detail.
– Synch with System Development Life Cycle (SDLC)
• During upgrades, include classification on system and report(s).
– Synch with forms development
• Include classification level on all forms being updated.
– Synch with Business Continuity Planning (BCP)
• Identify critical records and systems and include classifications.
• Leverage business critical functions (as defined in BCP) to prioritize the information asset classification efforts.
Stage 5
• Assets are classified, and processes exist that allow for asset reassessment and new asset classification.
– This is an on-going activity, because the business changes.
Where does an organization start?
• Determine the organization’s information asset classification maturity level.
• Develop documentation methodology and mechanism(s).
• Determine short term and long term goals to demonstrate constant improvement.
• Submit plan to the Enterprise Security Office for assessment.
• Synchronize with other activities.
– Information asset classification becomes a task and deliverable of these activities.
Classification Plan Example
Organization: Department XYZ
Submitter: Bob Smith, Chief Information Security Officer
Assessment:
Current Information Asset Classification Maturity Stage: Stage 0
Documentation methodology/mechanism: In-house process - Information Assessment and Control Process, using Alexsys software
Information Asset Classification Plan(s):
Short Term: Between August 2007 and January 2008, the Information Security Office will facilitate:
• Finalize its methodology and documentation processes (level 3).
• Assess and document data classifications for business units (level 2) using the organization structure defined in BCP (eBRP).
• Coordinate with the Office of Document Management to require that data classifications be included on all new and modified forms.
Synchronization Activities:
• Business Continuity Planning
• Forms and Document Management
Classification Plan Example
Long Term: Between January 2008 and January 2009, the Information Security Office will facilitate:
• As part of the SDLC, develop processes to include data classification on systems and generated reports for new and upgraded systems (Level 3).
• Assess, document and classify data associated with business critical functions identified as 0-24 hours. Repeat this process as resources and time permit for the next set of critical functions.
After December 2008, the Information Security Office will facilitate:
• Continue to repeat the assessment, documentation and classification process for data associated with business critical functions not completed to date.
Synchronization Activities:
• Business Continuity Planning
• System Development Life Cycle