
Information Asset Classification Strategy

Information Asset Classification Strategy. Community of Practice Version 1.0 July 23, 2007. Information Asset Classification Objective. Develop and implement processes that allow an organization to continually assess and classify its information assets.

doris

Presentation Transcript


  1. Information Asset Classification Strategy Community of Practice Version 1.0 July 23, 2007

  2. Information Asset Classification Objective
     • Develop and implement processes that allow an organization to continually assess and classify its information assets.
     • Provide information asset classification plans for assessment.

  3. Why Classify Information Assets?
     • Information asset classification allows an organization to:
       • Continually assess what types of precautions must be taken to ensure the availability, integrity and confidentiality of its information assets, relative to their value.
       • Collect documentation on its information assets:
         • Data Owner
         • Archive requirements
         • Compliance requirements
         • Associated business functions (Business Continuity Planning)

  4. Difficulties
     • Organizations vary in complexity and information security maturity.
     • Availability of resources.
     • Identifying and documenting information assets.
     • Determining “What is Good Enough”.
     • Determining where to start.

  5. Classification Maturity Stages
     • 0 - No information assets are classified or assets are randomly classified.
     • 1 - Assets are classified at a high level or organizational level, assets are unidentified.
     • 2 - Processes are developed and implemented allowing assets to be classified in detail.
     • 3 - New assets are classified in detail.
     • 4 - Legacy assets are classified in detail.
     • 5 - Assets are classified, and processes exist that allow for asset reassessment and new asset classification.

  6. Stage 1
     • Assets are classified at a high level or organizational level, assets are unidentified.
     • Using an organizational chart:
       • Determine the highest classification level used by the organizational unit.
       • Estimate the percentage breakdown of each information classification used by the organizational unit.
       • Determine the default information asset classification to be used by the organizational unit based upon the highest classification level and percentages.
     • Remember to manage or classify by exception.

  7. Stage 2
     • Processes are developed and implemented allowing assets to be classified in detail.
     • This level indicates that the organization has sustainable processes that will allow the organization to classify information assets and synchronize with other activities.
     • Synch with System Development Life Cycle (SDLC)
       • For new systems or during upgrades, include classification on system and report(s).
     • Synch with Information Exchange Assessments
       • Identify Information Asset Classification when receiving or providing information.
     • Synch with forms development
       • Include classification level on all forms.

  8. Stage 2
     • Synchronizing with other efforts lessens the impact of resource limitations and improves efficiencies.
     • An everyday example is the changing of a smoke detector battery and furnace filter during the semi-annual changing of the clocks.

  9. Stage 3
     • New assets are classified in detail.
     • Synch with System Development Life Cycle (SDLC)
       • For new systems include classification on system and report(s).
     • Synch with Information Exchange Assessments
       • Identify information asset classification when receiving information.
     • Synch with forms development
       • Include classification level on all new forms.

  10. Stage 4
     • Legacy assets are classified in detail.
     • Synch with System Development Life Cycle (SDLC)
       • During upgrades, include classification on system and report(s).
     • Synch with forms development
       • Include classification level on all forms being updated.
     • Synch with Business Continuity Planning (BCP)
       • Identify critical records and systems and include classifications.
       • Leverage business critical functions to prioritize the information asset classification efforts (as defined in BCP).

  11. Stage 5
     • Assets are classified, and processes exist that allow for asset reassessment and new asset classification.
     • This is an on-going activity, because business changes.

  12. Where does an organization start?
     • Determine the organization’s information asset classification maturity level.
     • Develop documentation methodology and mechanism(s).
     • Determine short term and long term goals to demonstrate constant improvement.
     • Submit plan to the Enterprise Security Office for assessment.
     • Synchronize with other activities.
       • Information asset classification becomes a task and deliverable to these activities.

  13. Classification Plan Example

  14. Classification Plan Example
