Q

Identifying information assets in a security policy

We've defined policies for info classifications and info owner, custodian and user categories. Our next step is to write a policy for the owners to categorize their information assets. Can you provide any guidance on what to include in that policy? Is the deliverable a spreadsheet with something like the following columns:

What are the critical business assets (e.g. drawings, product plans, payroll system...)
Info Class (e.g. secret, confidential, public)
Security Risk (e.g. Confidentiality, Integrity, Availability??)
Required Security Controls
Other info?


I'm not sure I understand your question, so if I've missed the mark, let me know. As the policy statement already exists for information classifications and information owners, custodians and users, you are trying to develop a checklist to assist data owners and data custodians in classifying their data, correct? This is a good strategy! Developing a "yes" or "no" checklist for the owners / custodians / users, asking three or four critical questions to help them, will reduce frustration and erroneous dissemination of information. (For example, is the information available through the media?) Categorize each information class so that when they reach a "yes" answer, the information is bumped into the next classification, which will allow for natural migration into the next category.

Since you have defined your information classes (i.e., secret, confidential, public), your next step will be to list the assets on the spreadsheet (you have already identified them in the risk assessment / analysis) requiring protection, and determine how they will be protected. As you pointed out, your best method will be to develop a matrix or a spreadsheet. WARNING!! The list of assets will be extensive. This will be the time to "micro-manage" your assets. Do not assume your user community thinks in the same way you do.

For example, one of your assets listed is MAIL. Sound straightforward? You will need to identify ALL methods available to send mail: electronic mail through internal systems only; electronic mail through external systems, including the Internet; through interdepartmental mail internal to the building; through interdepartmental mail external to the building; USPS; Federal Express; special courier; etc. For each of these methods, you now will have to determine if certain actions will be permitted and how (i.e., handling, envelope, labeling, address information, document instruction, writing instrument, etc.) for each classification. As you can see, your matrix will be rather expansive.
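As an added illustration of the two mechanisms this answer describes (the escalating "yes"/"no" checklist and the channel-by-classification handling matrix), here is example code written for this page; it is not part of the original answer, and every question, channel and control in it is a constructed placeholder rather than any organisation's actual policy. It also adds the completeness check a practitioner would want once the matrix becomes "rather expansive": a function that lists every (channel, class) cell nobody has filled in.

```python
"""Escalating yes/no classification checklist plus a handling matrix
with a completeness check. Added example; all questions, channels and
controls below are constructed placeholders, not an organisation's policy."""

# Classification ladder, lowest to highest (the classes named in the question).
CLASSES = ["public", "confidential", "secret"]

# One group of yes/no questions per step up the ladder (constructed text).
# A "yes" to any question in a group bumps the asset to that class; if every
# question in the group is "no", the walk stops and the asset keeps the
# class reached so far.
ESCALATION_QUESTIONS = {
    "confidential": [
        "Is the information withheld from the media and other public sources?",
        "Would disclosure outside the company harm customers or staff?",
    ],
    "secret": [
        "Would disclosure give a competitor a material advantage?",
        "Is access restricted to a named list of individuals?",
    ],
}


def classify(answers):
    """Walk the ladder from the lowest class upward.

    `answers` maps question text to True ("yes") or False ("no"). A missing
    answer counts as "no", like an unticked box on a paper checklist, so an
    incomplete form can only under-classify; use unanswered() to catch that.
    """
    current = CLASSES[0]
    for next_class in CLASSES[1:]:
        if any(answers.get(q, False) for q in ESCALATION_QUESTIONS[next_class]):
            current = next_class
        else:
            break  # a "no" at this rung ends escalation; higher rungs are not consulted
    return current


def unanswered(answers):
    """Questions the owner has not answered; the form is incomplete until this is empty."""
    return [q for group in ESCALATION_QUESTIONS.values() for q in group if q not in answers]


# Handling matrix: (channel, classification) -> required controls. The channels
# follow the MAIL breakdown in the answer; the controls are constructed.
CHANNELS = ["internal email", "external email", "interdepartmental mail", "courier"]

HANDLING_MATRIX = {
    ("internal email", "public"): [],
    ("internal email", "confidential"): ["classification label in subject", "internal recipients only"],
    ("internal email", "secret"): ["not permitted"],
    ("external email", "public"): [],
    ("external email", "confidential"): ["encrypt", "classification label in subject"],
    ("external email", "secret"): ["not permitted"],
    ("interdepartmental mail", "public"): [],
    ("interdepartmental mail", "confidential"): ["sealed envelope", "classification label on envelope"],
    ("interdepartmental mail", "secret"): ["double envelope", "hand delivery", "signed receipt"],
    ("courier", "public"): [],
    ("courier", "confidential"): ["sealed envelope", "tracking number"],
    # ("courier", "secret") is deliberately absent so missing_cells() has something to report.
}


def missing_cells(matrix=HANDLING_MATRIX, channels=CHANNELS, classes=CLASSES):
    """Every (channel, class) pair the matrix does not yet cover.

    Run this before the policy is issued: a blank cell in a large matrix is
    read by users as "no rule", which is the erroneous dissemination the
    checklist was meant to prevent.
    """
    return [(c, k) for c in channels for k in classes if (c, k) not in matrix]


def required_controls(channel, classification, matrix=HANDLING_MATRIX):
    """Controls for one cell; an uncovered cell is an error, not 'no controls'."""
    try:
        return matrix[(channel, classification)]
    except KeyError:
        raise KeyError(f"handling matrix has no entry for {classification!r} via {channel!r}") from None


def register_row(asset, channel, answers, matrix=HANDLING_MATRIX):
    """One row of the owner's asset spreadsheet: asset, channel, class, controls."""
    classification = classify(answers)
    return {
        "asset": asset,
        "channel": channel,
        "class": classification,
        "controls": required_controls(channel, classification, matrix),
    }


if __name__ == "__main__":
    # Constructed sample: a payroll export the owner wants to send by internal mail.
    payroll = {
        "Is the information withheld from the media and other public sources?": True,
        "Would disclosure give a competitor a material advantage?": False,
        "Is access restricted to a named list of individuals?": True,
    }
    print(register_row("payroll system export", "interdepartmental mail", payroll))
    print("unanswered:", unanswered(payroll))
    print("matrix gaps:", missing_cells())
```

The escalation stops at the first rung where every question is answered "no", so a "yes" on a higher rung alone does not lift an asset past a lower rung it failed; that is the "natural migration" the answer describes, and it is why the question groups must be ordered from least to most sensitive.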


This was first published in April 2001
