380 likes | 1.52k Views
Information security. Information protection is something you do, not something you buy. It is not a policy to put in place and forget. Information security requires a strong process and effective technologies all based on a sound understanding of the business the organization is in and how it performs that business." Burton GroupA Systematic, Comprehensive Approach to Information Security" October 15, 2007.
E N D
1. Information Asset Classification What it means to employees
2. Information security “Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business.”
Burton Group
“A Systematic, Comprehensive Approach to Information Security” October 15, 2007
3. Information security Elements:
Identify
Classify
Protect
Manage
4. What is an information asset? Anything that has value to the agency that can be communicated or documentary material, regardless of its physical form or characteristics.
Includes, but is not limited to, paper, electronic, digital, images, and voice mail.
Information technology hardware and software are not information assets for classification purposes.
5. Information asset classification The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles.
The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets.
6. Why is classification important? Not all information has the same value or importance to an agency, therefore information requires different levels of protection.
Classification enables employees to apply appropriate handling processes to protect client and customer information.
7. Classification levels Level 1 – Published
Information that is not protected from disclosure, that if disclosed will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy media.
8. Classification levels Level 1 – Published
Examples:
Press releases
Brochures
Pamphlets
Public access Web pages
Materials created for public consumption
9. Classification levels Level 2 – Limited
Information that may not be protected from public disclosure but if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties.
10. Classification levels Level 2 – Limited
Examples
Enterprise risk management planning documents
Published internal audit reports
Names and addresses that are not protected from disclosure
11. Classification levels Level 3 – Restricted
Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption.
12. Classification levels Level 3 – Restricted
Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under contractual obligation of confidentiality with the agency (for example, confidential/non-disclosure agreement) prior to receiving it.
13. Classification levels Level 3 – Restricted
Examples:
Network diagrams
Personally identifiable information
Other information exempt from public records disclosure
14. Classification levels Level 4 – Critical
Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury up to and including death to … (con’t.)
15. Classification levels Level 4 – Critical
(con’t.) … the named individual(s), agency employees, clients, partners or cause major harm to the agency.
16. Classification levels Level 4 – Critical
Examples:
Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations
Information that is typically exempt from public disclosure
17. Classification levels Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset.
18. Management methodology Use information asset classification levels to determine proper processes and procedures for:
Information exchange
Proper and secure handling
Labeling
Secure storage
Proper destruction
19. What you can do Understand and follow agency policies and procedures for classifying and securing information assets
Understand the proper handling required for the different classification levels
Handle agency information securely
Talk to your supervisor
20. Resources Available at http://oregon.gov/DAS/EISPD/ESO
Information Asset Classification Methodology
Information Asset Classification statewide policy 107-004-050
Best practices documents