Information Asset Classification Community of Practice (rev. 10242007)

Provided by: EvaDo8

Transcript and Presenter's Notes

1
Information Asset Classification
  • What it means to management

2
Information security
  • Information protection is something you do, not
    something you buy. It is not a policy to put in
    place and forget. Information security requires a
    strong process and effective technologies all
    based on a sound understanding of the business
    the organization is in and how it performs that
    business.
  • Burton Group, "A Systematic, Comprehensive Approach to
    Information Security", October 15, 2007

3
Information security
  • Elements
      • Identify
      • Classify
      • Protect
      • Manage

4
What is an information asset?
  • Anything that has value to the agency and that can be
    communicated, or any documentary material, regardless
    of its physical form or characteristics.
  • Includes, but is not limited to, paper,
    electronic, digital, images, and voice mail.
  • Information technology hardware and software are
    not information assets for classification
    purposes.

5
Information asset classification
  • The purpose is to ensure information assets are
    identified, properly classified, and protected
    throughout their lifecycles.
  • The objective is to develop and implement
    processes that allow an agency to continually
    assess and classify its information assets.

6
Why is classification important?
  • Not all information has the same value or
    importance to an agency, therefore information
    requires different levels of protection.
  • Information asset classification is critical to
    ensure assets have a level of protection
    corresponding to the sensitivity and value of the
    information asset.

7
Five phase approach
  • Management education
  • Implementation strategy
  • Employee education
  • Implementation
  • Maintenance

8
Six maturity stages
  • Stage 0: No information assets are classified, or
    assets are randomly classified.
  • Stage 1: Assets are classified at a high level
    or organizational level.
  • Stage 2: Processes are developed and
    implemented, allowing assets to be classified in
    detail.

9
Six maturity stages
  • Stage 3: New assets are classified in detail.
  • Stage 4: Legacy assets are classified in detail.
  • Stage 5: Assets are classified, and processes
    exist that allow for asset reassessment and new
    asset classification.

10
Six maturity stages
  • It is likely many agencies were at Stage 0 at the
    time the policy was approved.
  • While Stage 5 is the ultimate goal, most agencies
    should be able to reach Stage 1 by July 2008.

11
Classification methodology
  • Identify information assets
  • Identify the owner(s)
  • Conduct an impact assessment
  • Determine the classification
  • Document classifications
  • Provide education and awareness
  • Maintain classification and conduct continuous
    review

12
Classification levels
  • Level 1: Published
      • Information that is not protected from
        disclosure and that, if disclosed, will not jeopardize
        the privacy or security of agency employees,
        clients, and partners. This includes information
        regularly made available to the public via
        electronic, verbal or hard copy media.

13
Classification levels
  • Level 1: Published
  • Examples
      • Press releases
      • Brochures
      • Pamphlets
      • Public access Web pages
      • Materials created for public consumption

14
Classification levels
  • Level 2: Limited
      • Information that may not be protected from public
        disclosure but that, if made easily and readily
        available, may jeopardize the privacy or security
        of agency employees, clients, and/or partners.
        Agencies shall follow their disclosure policies
        and procedures before providing this information
        to external parties.

15
Classification levels
  • Level 2: Limited
  • Examples
      • Enterprise risk management planning documents
      • Published internal audit reports
      • Names and addresses that are not protected from
        disclosure

16
Classification levels
  • Level 3: Restricted
      • Information intended for limited business use
        that may be exempt from public disclosure
        because, among other reasons, such disclosure
        will jeopardize the privacy or security of agency
        employees, clients, partners or individuals who
        otherwise qualify for an exemption.

17
Classification levels
  • Level 3: Restricted
      • Information in this category may be accessed and
        used by external parties. External parties
        requesting this information for authorized agency
        business must be under contractual obligation of
        confidentiality with the agency (for example, a
        confidentiality/non-disclosure agreement) prior to
        receiving it.

18
Classification levels
  • Level 3: Restricted
  • Examples
      • Network diagrams
      • Personally identifiable information
      • Other information exempt from public records
        disclosure

19-20
Classification levels
  • Level 4: Critical
      • Information that is deemed extremely sensitive
        and is intended for use by named individual(s)
        only. This information is typically exempt from
        public disclosure because, among other reasons,
        such disclosure would potentially cause major
        damage or injury, up to and including death, to
        the named individual(s), agency employees,
        clients or partners, or cause major harm to the
        agency.

21
Classification levels
  • Level 4: Critical
  • Examples
      • Regulated information with significant penalties
        for disclosure, such as information covered under
        HIPAA or IRS regulations
      • Information that is typically exempt from public
        disclosure

22
Classification levels
  • Classifying information assets is a business
    issue and is agency-centric. The classification
    should be determined by the identified agency
    information owner for that particular information
    asset.

23
Management methodology
  • Use information asset classification levels to
    determine proper processes and procedures for:
      • Information exchange
      • Proper and secure handling
      • Labeling
      • Secure storage
      • Proper destruction

24
Where does an agency start?
  • Determine information asset classification
    maturity stage.
  • Develop documented methodologies and mechanisms
    for identifying and classifying assets.
  • Determine the need for new or updated agency
    policies and procedures for classifying and
    handling information.

25
Where does an agency start?
  • Determine short-term and long-term goals to
    demonstrate constant improvement.
  • Synchronize information asset classification
    efforts with other business-related activities.

26
Resources
  • Available at http://oregon.gov/DAS/EISPD/ESO
      • Information Asset Classification Methodology
      • Information Asset Classification statewide policy
        107-004-050
      • Best practices documents