Tip

Standardizing information classification

An organization's information classification policy should address the concept of owner, custodian and user in terms of information use and ownership. The owner is the manager of the department or business unit where the information resource is created, or is the primary user of that information resource. As such, he is responsible for classifying information assets. Classifying information does not have to be a difficult, but it must be standardized.

To be effective, the process for classifying information must be easy to use as possible. One way of meeting the objective quickly and correctly is to create a table that allows the owner to answer a few questions and then look to a grid to determine the classification category.


MORE SECURITY POLICIES TIPS BY THOMAS R. PELTIER:
  • You shouldn't be developing your organization's security policies by yourself. Find out who should be sharing the responsibility in

    Requires Free Membership to View


The following is an example of such a table and grid.

Disclosure value is: Integrity value is: Availability value is:*
HIGH - if unauthorized use or disclosure would severely impact business operations, make a segment of the company unable to function or cause high monetary loss. HIGH - if data inaccuracy, incompleteness or unauthorized modification causes failures of operations, revenue loss, wrong decisions to be made, loss in productivity or loss of customer confidence or market share. HIGH – if unavailable information impairs business operations, affects customer service or makes it impossible to process revenues.
MODERATE - if use or disclosure does not severely affect operations or does not result in high monetary loss. MODERATE - if it causes inability to make some decisions, but the problem is not difficult to detect and correct, and does not severely impact business operations. MODERATE – if unavailable information causes productivity loss, but does not interrupt customer service or revenue generation.
LOW - if use or disclosure does not affect operations or result in significant monetary loss. LOW – if alternative validations of the information make it possible to continue business operations. LOW – if unavailable information does not severely impact business operations.

* Availability values are used to score resource criticality for business continuity planning.

Using the values created from the table, the owner looks to the following grid to assign the proper classification category. If the disclosure and integrity values differ, the owner is should assign the higher category to the information asset. This classification will lead to the implementation of handling standards, which will be addressed in a future Security Policies Tip.

About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.


This was first published in July 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.