Information Asset Classification: What it means to employees (Information Asset Classification Community of Practice, rev. 10/24/2007)

Information security
"Information protection is something you do, not something you buy. It is not … a policy to put in place and forget. Information security requires a strong process and effective technologies – all based on a sound understanding of the business the organization is in and how it performs that business." Burton Group, "A Systematic, Comprehensive Approach to Information Security", October 15, 2007

Information security
Elements:
- Identify
- Classify
- Protect
- Manage

What is an information asset?
- Anything of value to the agency that can be communicated, or any documentary material, regardless of its physical form or characteristics.
- Includes, but is not limited to, paper, electronic and digital records, images, and voice mail.
- Information technology hardware and software are not information assets for classification purposes.

Information asset classification
- The purpose is to ensure information assets are identified, properly classified, and protected throughout their lifecycles.
- The objective is to develop and implement processes that allow an agency to continually assess and classify its information assets.

Why is classification important?
- Not all information has the same value or importance to an agency, so different information requires different levels of protection.
- Classification enables employees to apply the appropriate handling processes to protect client and customer information.

Classification levels: Level 1 – Published
Information that is not protected from disclosure and that, if disclosed, will not jeopardize the privacy or security of agency employees, clients, and partners. This includes information regularly made available to the public via electronic, verbal, or hard-copy media.

Classification levels: Level 1 – Published
Examples:
- Press releases
- Brochures
- Pamphlets
- Public access Web pages
- Materials created for public consumption

Classification levels: Level 2 – Limited
Information that may not be protected from public disclosure but that, if made easily and readily available, may jeopardize the privacy or security of agency employees, clients, and/or partners. Agencies shall follow their disclosure policies and procedures before providing this information to external parties.

Classification levels: Level 2 – Limited
Examples:
- Enterprise risk management planning documents
- Published internal audit reports
- Names and addresses that are not protected from disclosure

Classification levels: Level 3 – Restricted
Information intended for limited business use that may be exempt from public disclosure because, among other reasons, such disclosure will jeopardize the privacy or security of agency employees, clients, partners, or individuals who otherwise qualify for an exemption.

Classification levels: Level 3 – Restricted
Information in this category may be accessed and used by external parties. External parties requesting this information for authorized agency business must be under a contractual obligation of confidentiality with the agency (for example, a confidentiality/non-disclosure agreement) prior to receiving it.

Classification levels: Level 3 – Restricted
Examples:
- Network diagrams
- Personally identifiable information
- Other information exempt from public records disclosure

Classification levels: Level 4 – Critical
Information that is deemed extremely sensitive and is intended for use by named individual(s) only. This information is typically exempt from public disclosure because, among other reasons, such disclosure would potentially cause major damage or injury, up to and including death, to the named individual(s), agency employees, clients, or partners, or cause major harm to the agency.

Classification levels: Level 4 – Critical
Examples:
- Regulated information with significant penalties for disclosure, such as information covered under HIPAA or IRS regulations
- Information that is typically exempt from public disclosure

Classification levels
Classifying information assets is a business issue and is agency-centric. The classification should be determined by the identified agency information owner for that particular information asset.

Management methodology
Use information asset classification levels to determine the proper processes and procedures for:
- Information exchange
- Proper and secure handling
- Labeling
- Secure storage
- Proper destruction

What you can do
- Understand and follow agency policies and procedures for classifying and securing information assets
- Understand the proper handling required for the different classification levels
- Handle agency information securely
- Talk to your supervisor

Resources
Available at DAS/EISPD/ESO:
- Information Asset Classification Methodology
- Information Asset Classification statewide policy
- Best practices documents