1 / 19

Information Asset Classification

Information security. Information protection is something you do, not something you buy. It is not a policy to put in place and forget. Information security requires a strong process and effective technologies all based on a sound understanding of the business the organization is in and how it performs that business." Burton GroupA Systematic, Comprehensive Approach to Information Security" October 15, 2007.

akamu
Download Presentation

Information Asset Classification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Information Asset Classification What it means to employees

    2. Information security “Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business.” Burton Group “A Systematic, Comprehensive Approach to Information Security” October 15, 2007

    3. Information security Elements: Identify Classify Protect Manage

    4. What is an information asset? Anything that has value to the agency that can be communicated or documentary material, regardless of its physical form or characteristics. Includes, but is not limited to, paper, electronic, digital, images, and voice mail. Information technology hardware and software are not information assets for classification purposes.

    5. Information asset classification The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles. The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets.

    6. Why is classification important? Not all information has the same value or importance to an agency, therefore information requires different levels of protection. Classification enables employees to apply appropriate handling processes to protect client and customer information.

    7. Classification levels Level 1 – Published Information that is not protected from disclosure, that if disclosed will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal or hard copy media.

    8. Classification levels Level 1 – Published Examples: Press releases Brochures Pamphlets Public access Web pages Materials created for public consumption

    9. Classification levels Level 2 – Limited Information that may not be protected from public disclosure but if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties.

    10. Classification levels Level 2 – Limited Examples Enterprise risk management planning documents Published internal audit reports Names and addresses that are not protected from disclosure

    11. Classification levels Level 3 – Restricted Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners or individuals who otherwise qualify for an exemption.

    12. Classification levels Level 3 – Restricted Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under contractual obligation of confidentiality with the agency (for example, confidential/non-disclosure agreement) prior to receiving it.

    13. Classification levels Level 3 – Restricted Examples: Network diagrams Personally identifiable information Other information exempt from public records disclosure

    14. Classification levels Level 4 – Critical Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury up to and including death to … (con’t.)

    15. Classification levels Level 4 – Critical (con’t.) … the named individual(s), agency employees, clients, partners or cause major harm to the agency.

    16. Classification levels Level 4 – Critical Examples: Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations Information that is typically exempt from public disclosure

    17. Classification levels Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset.

    18. Management methodology Use information asset classification levels to determine proper processes and procedures for: Information exchange Proper and secure handling Labeling Secure storage Proper destruction

    19. What you can do Understand and follow agency policies and procedures for classifying and securing information assets Understand the proper handling required for the different classification levels Handle agency information securely Talk to your supervisor

    20. Resources Available at http://oregon.gov/ DAS/EISPD/ESO Information Asset Classification Methodology Information Asset Classification statewide policy 107-004-050 Best practices documents

More Related