Ask the Expert

Identifying information assets in a security policy

We've defined policies for info classifications and info owner, custodian and user categories. Our next step is to write a policy for the owners to categorize their information assets. Can you provide any guidance on what to include in that policy? Is the deliverable a spreadsheet with something like the following columns:

What are the critical business assets (e.g. drawings, product plans, payroll system...)
Info Class (e.g. secret, confidential, public)
Security Risk (e.g. Confidentiality, Integrity, Availability??)
Required Security Controls
Other info?


I'm not sure I understand your question, so if I've missed the mark, let me know. As the policy statement already exists for information classifications and information owners, custodians and users, you are trying to develop a checklist to assist data owners and data custodians in classifying their data, correct? This is a good strategy! Developing for the owners / custodians / users a "yes" or "no" checklist format asking three or four critical questions to help them will reduce frustration and erroneous dissemination of information. (For example, is the information available through the media?) Categorize each information class so that when they reach a "yes" answer, the information is bumped into the next classification, which will allow for natural migration into the next category.

Since you have defined your information classes (i.e., secret, confidential, public), your next step will be to list the assets on the spreadsheet (you have already identified them in the risk assessment / analysis) requiring protection, and determine how they will be protected. As you pointed out, your best method will be to develop a matrix or a spreadsheet. WARNING!! The list of assets will be extensive. This will be the time to "micro-manage" your assets. Do not assume your user community thinks in the same way you do.

For example, one of your assets listed is MAIL. Sound straightforward? You will need to identify ALL methods available to send mail: electronic mail through internal systems only; electronic mail through external systems, including the Internet; through interdepartmental mail internal to the building; through interdepartmental mail external to the building; USPS; Federal Express; special courier; etc. For each of these methods, you now will have to determine if certain actions will be permitted and how (i.e., handling, envelope, labeling, address information, document instruction, writing instrument, etc.) for each classification. As you can see, your matrix will be rather expansive.


This was first published in April 2001
