Information Asset Classification - PowerPoint PPT Presentation


Slides: 21
Provided by: EvaDo8

Transcript and Presenter's Notes



1
Information Asset Classification
  • What it means to employees

2
Information security
  • Information protection is something you do, not
    something you buy. It is not a policy to put in
    place and forget. Information security requires a
    strong process and effective technologies all
    based on a sound understanding of the business
    the organization is in and how it performs that
    business.
  • Burton Group, "A Systematic, Comprehensive Approach to
    Information Security," October 15, 2007

3
Information security
  • Elements
  • Identify
  • Classify
  • Protect
  • Manage

4
What is an information asset?
  • Anything that has value to the agency that can be
    communicated or documentary material, regardless
    of its physical form or characteristics.
  • Includes, but is not limited to, paper,
    electronic, digital, images, and voice mail.
  • Information technology hardware and software are
    not information assets for classification
    purposes.

5
Information asset classification
  • The purpose is to ensure information assets are
    identified, properly classified, and protected
    throughout their lifecycles.
  • The objective is to develop and implement
    processes that allow an agency to continually
    assess and classify its information assets.

6
Why is classification important?
  • Not all information has the same value or
    importance to an agency, therefore information
    requires different levels of protection.
  • Classification enables employees to apply
    appropriate handling processes to protect client
    and customer information.

7
Classification levels
  • Level 1: Published
  • Information that is not protected from
    disclosure, that if disclosed will not jeopardize
    the privacy or security of agency employees,
    clients, and partners. This includes information
    regularly made available to the public via
    electronic, verbal or hard copy media.

8
Classification levels
  • Level 1: Published
  • Examples
  • Press releases
  • Brochures
  • Pamphlets
  • Public access Web pages
  • Materials created for public consumption

9
Classification levels
  • Level 2: Limited
  • Information that may not be protected from public
    disclosure but if made easily and readily
    available, may jeopardize the privacy or security
    of agency employees, clients, and/or partners.
    Agencies shall follow their disclosure policies
    and procedures before providing this information
    to external parties.

10
Classification levels
  • Level 2: Limited
  • Examples
  • Enterprise risk management planning documents
  • Published internal audit reports
  • Names and addresses that are not protected from
    disclosure

11
Classification levels
  • Level 3: Restricted
  • Information intended for limited business use
    that may be exempt from public disclosure
    because, among other reasons, such disclosure
    will jeopardize the privacy or security of agency
    employees, clients, partners or individuals who
    otherwise qualify for an exemption.

12
Classification levels
  • Level 3: Restricted
  • Information in this category may be accessed and
    used by external parties. External parties
    requesting this information for authorized agency
    business must be under contractual obligation of
    confidentiality with the agency (for example,
    confidential/non-disclosure agreement) prior to
    receiving it.

13
Classification levels
  • Level 3: Restricted
  • Examples
  • Network diagrams
  • Personally identifiable information
  • Other information exempt from public records
    disclosure

14
Classification levels
  • Level 4: Critical
  • Information that is deemed extremely sensitive
    and is intended for use by named individual(s)
    only. This information is typically exempt from
    public disclosure because, among other reasons,
    such disclosure would potentially cause major
    damage or injury up to and including death to
    (cont.)

15
Classification levels
  • Level 4: Critical
  • (cont.) the named individual(s), agency
    employees, clients, partners or cause major harm
    to the agency.

16
Classification levels
  • Level 4: Critical
  • Examples
  • Regulated information with significant penalties
    for disclosure, such as information covered under
    HIPAA or IRS regulations
  • Information that is typically exempt from public
    disclosure

17
Classification levels
  • Classifying information assets is a business
    issue and is agency-centric. The classification
    should be determined by the identified agency
    information owner for that particular information
    asset.

18
Management methodology
  • Use information asset classification levels to
    determine proper processes and procedures for:
  • Information exchange
  • Proper and secure handling
  • Labeling
  • Secure storage
  • Proper destruction

19
What you can do
  • Understand and follow agency policies and
    procedures for classifying and securing
    information assets
  • Understand the proper handling required for the
    different classification levels
  • Handle agency information securely
  • Talk to your supervisor

20
Resources
  • Available at http://oregon.gov/DAS/EISPD/ESO
  • Information Asset Classification Methodology
  • Information Asset Classification statewide policy
    107-004-050
  • Best practices documents