Chapter 5: Asset Classification

Objectives
- Assign information ownership responsibilities
- Develop and use information classification guidelines
- Understand information handling and labeling procedures
- Manage an information classification program
- Identify and inventory information systems
- Recognize the goal and methodology of criticality assessments
- Create and implement asset classification policies

Introduction What is an information asset? A definable piece of information, stored in any form, that has value to an organization. The information is used by the company (regardless of size) to fulfill its mission or goals.

What Are We Trying to Protect? Information Systems provide the means and the place to process, store, transmit and communicate the information. They are usually a combination of hardware and software assets. ASPs (Application Service Providers) are a way to outsource applications to avoid internal hosting and management. When using an ASP, the organization still owns the data and the risk, so proper due diligence should be conducted to ensure the provider protects the data.

What Are We Trying to Protect? Cont. Information Ownership. ISO stands for Information Security Officer. The ISO is accountable for the protection of the organization as a whole and is the central repository of security information. Compare this with the other two roles: the information owner is accountable for the information they own (deciding its classification and who may access it), and the information custodian is responsible for implementing the actual controls that protect the information assets. Reference Table 5.1 Information Ownership Policy

Information Classification Definitions: Information classification is the organization of information assets according to their sensitivity to disclosure. Classification systems are the sets of labels assigned to identify those sensitivity levels. Reference Table 5.2 Information Asset Classification Policy

Information Classification Cont. Government & Military Classification Systems (highest to lowest):
- Top Secret
- Secret
- Confidential
- Unclassified

Information Classification Cont. Top Secret is applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security". Secret is applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security".

Information Classification Cont. Confidential is applied to "any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security". Unclassified is applied to "any information that can generally be distributed to the public without any threat to national interest".

Information Classification Cont. Commercial classification systems: There is no standard; each company chooses the system that matches its culture and needs. Commercial systems are usually less complex than the government system, but the more heavily regulated a company is, the more complex the classification system it tends to adopt.

Information Classification Cont. Commercial classification systems. Most systems revolve around these four classification levels (highest to lowest):
- Confidential
- Sensitive
- Restricted
- Public

Information Classification Cont. Commercial classification systems. Confidential: Meant to be kept secret and available only to a small circle of authorized individuals; the commercial equivalent of Top Secret. Disclosure would cause significant financial loss, reputation loss and/or legal liability.

Information Classification Cont. Commercial classification systems. Sensitive: Disclosure does not necessarily imply legal liability or financial loss, but does imply loss of reputation and personal credibility, and may involve loss of privacy-related information. Access should be granted on a strict need-to-know basis.

Information Classification Cont. Commercial classification systems. Restricted: Business-related information that should only be used and accessed internally. Unauthorized disclosure would impair the business and/or result in business, financial or legal loss. This level also covers most information subject to non-disclosure agreements.

Information Classification Cont. Commercial classification systems. Public: Information that does not require protection from disclosure, or that is specifically intended for the public. (It may still need integrity and availability protection, for example a published price list that must not be tampered with.)

Information Classification Cont. Commercial classification systems. Criteria used to classify information:
- The information is not public knowledge or in the public domain
- The information has demonstrated value to the organization
- The information needs to be protected from parties outside the organization
- The information is subject to government regulation
The question a company should ask: What is the worst impact that would result from the unauthorized disclosure of this piece of information?

Information Classification Labeling and Handling. Information labeling: Labeling is the vehicle for communicating the sensitivity level to whoever handles the information. Labels must be clear and self-explanatory. In electronic form, the label should be made part of the file name; in printed form, the label should be clearly visible on the outside of the document and in the header and/or footer of each page. Note that a label only communicates the required handling; it does not by itself restrict access, so the access controls implied by the label still have to be applied by the custodian. Reference Table 5.3 Information Classification Labeling and Handling Policy

Information Classification Labeling and Handling Cont. Information handling: Information must be handled in accordance with its classification. The information user is responsible for using the information in accordance with its classification level, which is why the user must be able to recognize the label.
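The labeling and handling rules above can be made mechanical: if the label is part of the file name, a script can read it and decide whether a proposed transfer matches the handling rules for that level. The following is an added example written for this page, not code from the textbook; the bracketed file-name convention (e.g. "q3-forecast [CONFIDENTIAL].xlsx"), the per-level handling rules, the `example.com` organization domain and the ordering of Sensitive above Restricted are all assumptions. It fails closed in the two ways a practitioner cares about: an unlabeled file is refused rather than treated as Public, and a file carrying several labels is handled at the most sensitive one.

```python
"""Read classification labels from file names and check handling rules.

Added example for this chapter; the label convention and handling rules
below are assumptions, not the textbook's policy tables.
"""
import re
from enum import IntEnum


class Level(IntEnum):
    # Ordered by sensitivity, lowest to highest, following the order the
    # slides list the commercial levels. Sensitive above Restricted is an
    # assumption; adjust to your own policy.
    PUBLIC = 0
    RESTRICTED = 1
    SENSITIVE = 2
    CONFIDENTIAL = 3


# Hypothetical labeling convention: the level appears in square brackets
# somewhere in the file name, e.g. "q3-forecast [CONFIDENTIAL].xlsx".
LABEL_RE = re.compile(r"\[(PUBLIC|RESTRICTED|SENSITIVE|CONFIDENTIAL)\]", re.IGNORECASE)

# Assumed handling rules per level: may the file leave the organization,
# and must it be encrypted in transit?
HANDLING = {
    Level.PUBLIC:       dict(external_ok=True,  encrypt=False),
    Level.RESTRICTED:   dict(external_ok=False, encrypt=False),
    Level.SENSITIVE:    dict(external_ok=False, encrypt=True),
    Level.CONFIDENTIAL: dict(external_ok=False, encrypt=True),
}


def label_of(filename):
    """Return the Level named in the file name, or None if it is unlabeled.

    If several labels appear, the most sensitive one wins (fail closed).
    """
    found = [Level[m.group(1).upper()] for m in LABEL_RE.finditer(filename)]
    return max(found) if found else None


def check_transfer(filename, recipient, encrypted, org_domain="example.com"):
    """Return a list of handling violations for sending `filename` to `recipient`.

    An empty list means the transfer complies with the label's handling rules.
    `encrypted` states whether the chosen channel encrypts data in transit.
    """
    level = label_of(filename)
    if level is None:
        # Unlabeled data cannot be handled correctly; classify it first
        # rather than silently treating it as Public.
        return ["unlabeled: assign a classification label before handling"]
    rules = HANDLING[level]
    violations = []
    external = not recipient.lower().endswith("@" + org_domain.lower())
    if external and not rules["external_ok"]:
        violations.append(f"{level.name} data may not be sent outside {org_domain}")
    if rules["encrypt"] and not encrypted:
        violations.append(f"{level.name} data must be encrypted in transit")
    return violations


if __name__ == "__main__":
    # Constructed sample transfers.
    for name, to, enc in [
        ("q3-forecast [CONFIDENTIAL].xlsx", "bob@example.com", True),
        ("q3-forecast [CONFIDENTIAL].xlsx", "ann@partner.net", False),
        ("press-release [PUBLIC].pdf", "ann@partner.net", False),
        ("notes.txt", "bob@example.com", True),
    ]:
        print(name, "->", to, ":", check_transfer(name, to, enc) or "ok")
```

Running the block prints one line per constructed transfer; the confidential spreadsheet sent unencrypted to a partner domain is reported with two violations, and the unlabeled notes file is refused outright.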

Information Classification Program Lifecycle. The lifecycle starts with assigning a classification level and ends with declassification. Information classification procedure, a nine-step process:
1. Define the information asset and the supporting information system
2. Characterize the criticality of the information system
3. Identify the information owner and information custodian
4. Assign a classification level to the information
5. Determine and implement the corresponding level of security controls
6. Label the information and the information system
7. Document handling procedures, including disposal
8. Integrate the handling procedures into an information user security awareness program
9. Declassify the information when (and if) appropriate

Reclassification / Declassification. The need to protect information may change over time, and with that change the label assigned to the information may change as well. In this chapter's terminology, the process of downgrading a sensitivity level is called declassification and the process of upgrading a sensitivity level is called reclassification. Either change should be made by the information owner and should trigger a review of the controls and labels that were applied under the old level.

Value and Criticality of Information Systems. Information is assigned a classification level for protection purposes, but classification is only one of the elements in determining the overall value and criticality of the information to the organization. The asset's value must be determined before a cost can be associated with protecting it; otherwise there is no way to tell whether a control is worth its price. Reference Table 5.7 Information System Asset Policy

Value and Criticality of Information Systems Cont. Factors in calculating the value of an asset:
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Cost to replace the asset
- Importance of the asset to its owner
- Competitive advantage the information provides
- Marketability of the information
- Impact on delivery of services
- Reputation
- Liability issues
- Regulatory compliance requirements

Value and Criticality of Information Systems Cont. An organization should always keep an updated information asset inventory: you can't protect what you don't know you have! Asset Inventory Methodology. Hardware assets include (but are not limited to):
- Computer equipment
- Communication equipment
- Storage media
- Infrastructure equipment

Value and Criticality of Information Systems Cont. Asset Inventory Methodology. Software assets include (but are not limited to):
- Operating system software
- Productivity software
- Application software

Value and Criticality of Information Systems Cont. Asset inventory characteristics and attributes:
- Unique identifier: each asset should have one. Create a naming convention so that all assets are consistently named throughout the company.
- Description: what is this asset used for?
- Manufacturer imprint. Hardware: manufacturer name, model and serial numbers. Software: publisher name, version number, revision number, patch level.

Value and Criticality of Information Systems Cont. Asset inventory characteristics and attributes (cont.):
- Physical address: the geographical location of the asset
- Logical address: where the asset can be found on the organization's network
- Controlling entity: the department that funded the purchase or development of the asset

System Characterization articulates the understanding of the system, including the boundaries of the system being assessed, the system's hardware and software, and the information that is stored, processed and transmitted. Once characterized, assets should be ranked based on the protection level they require and their importance to the organization.

System Characterization Cont. Two criteria are used to rank information assets: system impact (how vital is this information to the organization?) and protection level (the level of protection and safeguards required).

System Characterization Cont. Three levels used to characterize information assets by system impact:
- High: breach or disruption of the information would have major business processing or customer impact
- Medium: breach or disruption would have minor business processing or customer impact
- Low: breach or disruption would have no business processing or customer impact

System Characterization Cont. Three levels used to characterize information assets by information protection:
- High: compromise, disclosure or loss would have a significant negative impact
- Medium: compromise, disclosure or loss would have some negative impact
- Low: compromise, disclosure or loss would have a minimal negative impact

System Characterization Cont. Criticality ratings provide the basis on which to prioritize and allocate resources to protect information assets. They are also used during risk analysis and management, disaster recovery planning and business continuity planning. Ratings should be revised at least once a year and any time a change driver (a new system, a merger, a new regulation, a major incident) is introduced.
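The inventory attributes and the two ranking criteria above fit naturally into a structured record, and once they are structured the chapter's checks (is the record complete, which assets come first, which ratings are stale) can be run over the whole inventory instead of by hand. The following is an added example for this page, not the textbook's code: the `<site>-<type>-<nnn>` naming convention, the scoring rule (system impact multiplied by protection level, giving 1 to 9) and the sample assets are all constructed assumptions; the slides only name the two criteria and the one-year review interval.

```python
"""Asset inventory records, completeness checks and criticality ranking.

Added example for this chapter. The naming convention, the scoring rule
and the sample inventory are assumptions, not the textbook's own.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

RATING = {"low": 1, "medium": 2, "high": 3}

# Hypothetical naming convention: <site>-<type>-<nnn>, e.g. "nyc-srv-017".
ASSET_ID_RE = re.compile(r"^[a-z]{3}-(srv|net|sto|app)-\d{3}$")


@dataclass
class Asset:
    asset_id: str
    description: str            # what the asset is used for
    owner: str                  # accountable for the information
    custodian: str              # implements the controls
    classification: str         # e.g. "confidential"
    system_impact: str          # low / medium / high
    protection_level: str       # low / medium / high
    manufacturer: str = ""      # maker/model/serial or publisher/version/patch
    physical_address: str = ""  # geographical location
    logical_address: str = ""   # hostname or IP on the network
    controlling_entity: str = ""  # department that funded the asset
    last_reviewed: date = field(default_factory=date.today)


def validate(asset):
    """Return a list of inventory defects; an empty list means the record is complete."""
    problems = []
    if not ASSET_ID_RE.match(asset.asset_id):
        problems.append("asset_id does not follow naming convention")
    for name in ("owner", "custodian", "description", "logical_address"):
        if not getattr(asset, name):
            problems.append(f"{name} missing")
    for name in ("system_impact", "protection_level"):
        if getattr(asset, name) not in RATING:
            problems.append(f"{name} must be low, medium or high")
    return problems


def criticality(asset):
    """Criticality score 1..9: system impact times protection level (assumed rule)."""
    return RATING[asset.system_impact] * RATING[asset.protection_level]


def prioritize(assets):
    """Validated assets ranked most critical first; ties broken by asset_id."""
    return sorted(assets, key=lambda a: (-criticality(a), a.asset_id))


def review_due(asset, today, max_age=timedelta(days=365)):
    """True if the rating is older than the chapter's minimum review interval."""
    return today - asset.last_reviewed > max_age


# Constructed sample inventory: one complete record, one public system,
# and one half-documented test box that should be caught by validate().
INVENTORY = [
    Asset("nyc-srv-017", "Payroll database server", "HR Director", "DBA team",
          "confidential", "high", "high",
          manufacturer="Dell PowerEdge R750, serial ABC123",
          physical_address="NYC data center, row 4", logical_address="10.10.4.17",
          controlling_entity="Human Resources", last_reviewed=date(2023, 1, 15)),
    Asset("nyc-app-003", "Public marketing web site", "Marketing Lead", "Web team",
          "public", "medium", "low", logical_address="www.example.com",
          controlling_entity="Marketing", last_reviewed=date(2024, 3, 1)),
    Asset("bad id", "Undocumented test box", "", "", "restricted", "low", "unknown"),
]


def run_report(assets, today):
    """Return (ranked asset_ids, {asset_id: defects}, asset_ids due for review)."""
    defects = {a.asset_id: validate(a) for a in assets if validate(a)}
    good = [a for a in assets if a.asset_id not in defects]
    ranked = [a.asset_id for a in prioritize(good)]
    stale = [a.asset_id for a in good if review_due(a, today)]
    return ranked, defects, stale


if __name__ == "__main__":
    ranked, defects, stale = run_report(INVENTORY, date(2024, 6, 1))
    print("priority order:", ranked)
    print("incomplete records:", defects)
    print("review overdue:", stale)
```

Records that fail validation are excluded from the ranking rather than scored with a default, because an asset with no owner or an unknown protection level is exactly the one that needs attention before any resource allocation is made on its behalf.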

Summary A company cannot defend its information assets unless it knows what they are and where they are. Furthermore, the company must identify how critical those assets are to its business processes. Companies therefore need an inventory of their assets and a classification system for them, and they should repeat the criticality assessment at least once a year and whenever a significant change occurs.