An organization's information classification policy should address the concept of owner, custodian and user in terms of information use and ownership. The owner is the manager of the department or business unit where the information resource is created, or is the primary user of that information resource. As such, he is responsible for classifying information assets. Classifying information does not have to be a difficult, but it must be standardized.
To be effective, the process for classifying information must be easy to use as possible. One way of meeting the objective quickly and correctly is to create a table that allows the owner to answer a few questions and then look to a grid to determine the classification category.
MORE SECURITY POLICIES TIPS BY THOMAS R. PELTIER:
- You shouldn't be developing your organization's security policies by yourself. Find out who should be sharing the responsibility in
- this tip.
- Learn what components should be included in each of your Tier-1 Policy statements.
- Thomas offers an overview of Tier-1 Policies beginning with this tip.
The following is an example of such a table and grid.
|Disclosure value is:||Integrity value is:||Availability value is:*|
|HIGH - if unauthorized use or disclosure would severely impact business operations, make a segment of the company unable to function or cause high monetary loss.||HIGH - if data inaccuracy, incompleteness or unauthorized modification causes failures of operations, revenue loss, wrong decisions to be made, loss in productivity or loss of customer confidence or market share.||HIGH – if unavailable information impairs business operations, affects customer service or makes it impossible to process revenues.|
|MODERATE - if use or disclosure does not severely affect operations or does not result in high monetary loss.||MODERATE - if it causes inability to make some decisions, but the problem is not difficult to detect and correct, and does not severely impact business operations.||MODERATE – if unavailable information causes productivity loss, but does not interrupt customer service or revenue generation.|
|LOW - if use or disclosure does not affect operations or result in significant monetary loss.||LOW – if alternative validations of the information make it possible to continue business operations.||LOW – if unavailable information does not severely impact business operations.|
* Availability values are used to score resource criticality for business continuity planning.
Using the values created from the table, the owner looks to the following grid to assign the proper classification category. If the disclosure and integrity values differ, the owner is should assign the higher category to the information asset. This classification will lead to the implementation of handling standards, which will be addressed in a future Security Policies Tip.
About the author
Tom Peltier has been an information security professional for more than twenty-five years. He has written books on information security policies and contributed to several books on CISSP preparation, and computer and data security.
This was first published in July 2004