Information Asset Classification Strategy Community of Practice Version 1.0 July 23, 2007

Page 1: Information Asset Classification Strategy

Information Asset Classification Strategy

Community of Practice

Version 1.0

July 23, 2007

Page 2: Information Asset Classification Strategy

Information Asset Classification Objective

• Develop and implement processes that allow an organization to continually assess and classify its information assets.

• Provide information asset classification plans for assessment.

Page 3: Information Asset Classification Strategy

Why Classify Information Assets?

• Information asset classification allows an organization to:
  – Continually assess what types of precautions must be taken to ensure the availability, integrity and confidentiality of its information assets, relative to their value.
  – Collect documentation on its information assets:
    • Data Owner
    • Archive requirements
    • Compliance requirements
    • Associated business functions (Business Continuity Planning)

Page 4: Information Asset Classification Strategy

Difficulties

• Organizations vary in complexity and information security maturity.

• Availability of resources.

• Identifying and documenting information assets.

• Determining “What is Good Enough”.

• Determining where to start.

Page 5: Information Asset Classification Strategy

Classification Maturity Stages

• 0 - No information assets are classified, or assets are randomly classified.
• 1 - Assets are classified at a high level or organizational level; assets are unidentified.
• 2 - Processes are developed and implemented allowing assets to be classified in detail.
• 3 - New assets are classified in detail.
• 4 - Legacy assets are classified in detail.
• 5 - Assets are classified, and processes exist that allow for asset reassessment and new asset classification.

Page 6: Information Asset Classification Strategy

Stage 1

• Assets are classified at a high level or organizational level; assets are unidentified.
  – Using an organizational chart:
    • Determine the highest classification level used by the organizational unit.
    • Estimate the percentage breakdown of each information classification used by the organizational unit.
  – Determine the default information asset classification to be used by the organizational unit based upon the highest classification level and percentages.
  – Remember to manage or classify by exception.
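The Stage 1 procedure above (highest level in use, estimated breakdown, a unit default, everything stricter handled by exception) as a small worked example. This is added code, not part of the presentation; the four-level scheme, the sample units and the rule for picking the default (dominant share, otherwise most common level) are assumptions, since the slides leave that choice to the organization.

```python
from dataclasses import dataclass, field

# Constructed sample scheme, ordered lowest -> highest; the slides name no specific levels.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass
class OrgUnit:
    name: str
    breakdown: dict  # estimated share (0..1) of each level the unit uses (slide step 2)
    known_assets: dict = field(default_factory=dict)  # asset -> level, for assets already identified

def validate(unit):
    """Reject a breakdown that uses unknown levels or does not sum to roughly 100%."""
    unknown = set(unit.breakdown) - set(LEVELS)
    if unknown:
        raise ValueError(f"{unit.name}: unknown levels {sorted(unknown)}")
    if abs(sum(unit.breakdown.values()) - 1.0) > 0.01:
        raise ValueError(f"{unit.name}: breakdown must sum to 1.0")

def highest_level(unit):
    """Highest classification level actually in use by the unit (slide step 1)."""
    validate(unit)
    return max((lvl for lvl, share in unit.breakdown.items() if share > 0), key=RANK.__getitem__)

def default_level(unit, dominant_share=0.5):
    """Pick the unit's default classification (slide step 3). Assumed rule, not stated on the
    slide: if the highest level in use covers at least `dominant_share` of the unit's information
    it becomes the default (over-labelling the rest is the safe side); otherwise the most common
    level wins, ties going to the stricter level."""
    top = highest_level(unit)
    if unit.breakdown[top] >= dominant_share:
        return top
    return max(unit.breakdown, key=lambda lvl: (unit.breakdown[lvl], RANK[lvl]))

def exceptions_needed(unit):
    """Assets stricter than the unit default; these must carry their own label (manage by exception)."""
    default = default_level(unit)
    return {asset: lvl for asset, lvl in unit.known_assets.items() if RANK[lvl] > RANK[default]}

# Constructed sample units, as gathered from an organisational chart in a Stage 1 pass.
SAMPLE_UNITS = [
    OrgUnit("HR", {"Internal": 0.3, "Confidential": 0.6, "Restricted": 0.1},
            {"payroll-db": "Restricted", "newsletter": "Public"}),
    OrgUnit("Communications", {"Public": 0.8, "Internal": 0.2}, {"press-embargo": "Internal"}),
    OrgUnit("Legal", {"Confidential": 0.2, "Restricted": 0.8}),
]
# The Stage 1 deliverable: each unit's default plus the assets that need individual labels.
def stage1_report(units):
    return {u.name: (default_level(u), exceptions_needed(u)) for u in units}
```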

Page 7: Information Asset Classification Strategy

Stage 2

• Processes are developed and implemented allowing assets to be classified in detail.
  – This level indicates that the organization has sustainable processes that will allow the organization to classify information assets and synchronize with other activities.
    • Synch with System Development Life Cycle (SDLC)
      – For new systems or during upgrades, include classification on system and report(s).
    • Synch with Information Exchange Assessments
      – Identify Information Asset Classification when receiving or providing information.
    • Synch with forms development
      – Include classification level on all forms.

Page 8: Information Asset Classification Strategy

Stage 2

• Synchronizing with other efforts lessens the impact of resource limitations and improves efficiencies.

• An everyday example is the changing of a smoke detector battery and furnace filter during the semi-annual changing of the clocks.

Page 9: Information Asset Classification Strategy

Stage 3

• New assets are classified in detail.
  – Synch with System Development Life Cycle (SDLC)
    • For new systems, include classification on system and report(s).
  – Synch with Information Exchange Assessments
    • Identify information asset classification when receiving information.
  – Synch with forms development
    • Include classification level on all new forms.

Page 10: Information Asset Classification Strategy

Stage 4

• Legacy assets are classified in detail.
  – Synch with System Development Life Cycle (SDLC)
    • During upgrades, include classification on system and report(s).
  – Synch with forms development
    • Include classification level on all forms being updated.
  – Synch with Business Continuity Planning (BCP)
    • Identify critical records and systems and include classifications.
    • Leverage business critical functions to prioritize the information asset classification efforts (as defined in BCP).

Page 11: Information Asset Classification Strategy

Stage 5

• Assets are classified, and processes exist that allow for asset reassessment and new asset classification.
  – This is an on-going activity, because business changes.

Page 12: Information Asset Classification Strategy

Where does an organization start?

• Determine the organization’s information asset classification maturity level.

• Develop documentation methodology and mechanism(s).

• Determine short term and long term goals to demonstrate constant improvement.

• Submit plan to the Enterprise Security Office for assessment.

• Synchronize with other activities.
  – Information asset classification becomes a task and deliverable to these activities.

Page 13: Information Asset Classification Strategy

Classification Plan Example

Organization: Department XYZ

Submitter: Bob Smith, Chief Information Security Officer

Assessment -

Current Information Asset Classification Maturity Stage: Stage 0

Documentation methodology/Mechanism: In-house process - Information Assessment and Control Process, using Alexsys software

Information Asset Classification Plan(s):

Short Term: Between August 2007 and January 2008, the Information Security Office will facilitate:
• Finalize its methodology and documentation processes (level 3).
• Assess and document data classifications for business units (level 2) using the organization structure defined in BCP (eBRP).
• Coordinate with the Office of Document Management to require that data classifications be included on all new forms and modified forms.

Synchronization Activities:
• Business Continuity Planning
• Forms and Document Management

Page 14: Information Asset Classification Strategy

Classification Plan Example

Long Term: Between January 2008 and January 2009, the Information Security Office will facilitate:
• As part of the SDLC, develop processes to include data classification on systems and generated reports for new and upgraded systems (Level 3).
• Assess, document and classify data associated with business critical functions identified as 0-24 hours. Repeat this process as resources and time permit for the next set of critical functions.

After December 2008, the Information Security Office will facilitate:
• Continue to repeat the assessment, documentation and classification process for data associated with business critical functions not completed to date.

Synchronization Activities:
• Business Continuity Planning
• System Development Life Cycle