Chapter 5: Asset Classification

Presentation on theme: "Chapter 5: Asset Classification"— Presentation transcript:

1 Chapter 5: Asset Classification

2 Objectives
- Assign information ownership responsibilities
- Develop and use information classification guidelines
- Understand information handling and labeling procedures
- Manage an information classification program
- Identify and inventory information systems
- Recognize the goal and methodology of criticality assessments
- Create and implement asset classification policies

3 Introduction
- What is an information asset?
  - A definable piece of information, valuable to an organization, stored in any form
  - The information is used by the company (regardless of size) to fulfill its mission or goal

4 What Are We Trying to Protect?
- Information systems
  - Provide a way and a place to process, store, transmit and communicate the information
  - Usually a combination of hardware and software assets
- ASPs (Application Service Providers)
  - A way to outsource applications to avoid internal hosting and management
  - When using an ASP, proper due diligence should be conducted to ensure the protection of the data

5 What Are We Trying to Protect? Cont.
- Information ownership
  - ISO stands for Information Security Officer
  - The ISO is accountable for the protection of the organization. Compare this with:
    - The information owner is responsible for his/her information
    - The information custodian is responsible for implementing the actual controls that protect the information assets
  - The ISO is the central repository of security information
- Reference: Table 5.1, Information Ownership Policy

6 Information Classification
- Definitions
  - Information classification is the organization of information assets according to their sensitivity to disclosure
  - Classification systems are the labels we assign to identify the sensitivity levels
- Reference: Table 5.2, Information Asset Classification Policy

7 Information Classification Cont.
- Government and military classification systems
  - Top Secret
  - Secret
  - Confidential
  - Unclassified

8 Information Classification Cont.
- Top Secret: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause an exceptionally grave damage to the national security”
- Secret: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security”

9 Information Classification Cont.
- Confidential: applied to “any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security”
- Unclassified: applied to “any information that can generally be distributed to the public without any threat to national interest”

10 Information Classification Cont.
- Commercial classification systems
  - No standard: each company can choose its own system that matches its culture and needs
  - Usually less complex than the government system
  - The more regulated a company, the more complex the classification system it adopts

11 Information Classification Cont.
- Commercial classification systems
  - Most systems revolve around these four classification levels:
    - Confidential
    - Sensitive
    - Restricted
    - Public

12 Information Classification Cont.
- Commercial classification systems: Confidential
  - Meant to be kept secret
  - Only available to a small circle of authorized individuals
  - Equivalent of Top Secret
  - Disclosure would cause significant financial loss, reputation loss and/or legal liability

13 Information Classification Cont.
- Commercial classification systems: Sensitive
  - Does not necessarily imply legal liability and financial loss in case of disclosure
  - Does imply loss of reputation and personal credibility
  - May also imply loss of privacy-related information
  - Access should be granted on a strict need-to-know basis

14 Information Classification Cont.
- Commercial classification systems: Restricted
  - Business-related information that should only be used and accessed internally
  - Unauthorized disclosure would result in impairment of the business and/or result in business, financial or legal loss
  - Also includes most information subject to non-disclosure agreements

15 Information Classification Cont.
- Commercial classification systems: Public
  - Information that does not require protection
  - Information that is specifically intended for the public

16 Information Classification Cont.
- Commercial classification systems: criteria used to classify information
  - The information is not public knowledge or in the public domain
  - The information has demonstrated value to the organization
  - The information needs to be protected from those outside the organization
  - The information is subject to government regulation
- Question a company should ask: What is the worst impact that would result from the unauthorized disclosure of this piece of information?

17 Information Classification Labeling and Handling
- Information labeling
  - Labeling is the vehicle for communicating the sensitivity level
  - Familiar labels:
  - Labels must be clear and self-explanatory
  - In electronic form, the label should be made part of the file name
  - In printed form, the label should be clearly visible on the outside and in the header and/or footer
- Reference: Table 5.3, Information Classification Labeling and Handling Policy

18 Information Classification Labeling and Handling Cont.
- Information handling
  - Information must be handled in accordance with its classification
  - The information user is responsible for using the information in accordance with its classification level

19 Information Classification Program Lifecycle
- The lifecycle starts with assigning a classification level and ends with declassification
- Information classification procedure: a nine-step process
  1. Define the information asset and the supporting information system
  2. Characterize the criticality of the information system
  3. Identify the information owner and information custodian
  4. Assign a classification level to the information

20 Information Classification Program Lifecycle Cont.
- Information classification procedure: a nine-step process (cont.)
  5. Determine and implement the corresponding level of security controls
  6. Label the information and information system
  7. Document handling procedures, including disposal
  8. Integrate the handling procedures into an information user security awareness program
  9. Declassify information when (and if) appropriate

21 Reclassification / Declassification
- The need to protect information may change
- With that change, the label assigned to that information may change as well
- The process of downgrading sensitivity levels is called declassification
- The process of upgrading sensitivity levels is called reclassification
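A worked example, added here and not part of the slides or the textbook, that puts the file-name labeling rule of slide 17 and the declassification/reclassification distinction of slide 21 into code. It assumes the four commercial levels are ordered as listed on slide 11 (Confidential most sensitive) and uses constructed file names.

```python
from pathlib import Path
from typing import List, Optional

# Commercial classification levels, most to least sensitive. The ordering
# follows the list on slide 11 and is an assumption of this example.
LEVELS = ["CONFIDENTIAL", "SENSITIVE", "RESTRICTED", "PUBLIC"]
RANK = {name: i for i, name in enumerate(LEVELS)}  # lower rank = more sensitive


def parse_label(filename: str) -> Optional[str]:
    """Return the classification label carried in the file name, or None."""
    for part in Path(filename).name.split("."):
        if part.upper() in RANK:
            return part.upper()
    return None


def label_filename(filename: str, level: str) -> str:
    """Embed the label in the file name (slide 17), replacing any existing label:
    'q3-forecast.xlsx' -> 'q3-forecast.CONFIDENTIAL.xlsx'."""
    level = level.upper()
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level}")
    parts = [s for s in Path(filename).name.split(".") if s.upper() not in RANK]
    if len(parts) == 1:  # no extension: append the label
        return f"{parts[0]}.{level}"
    return ".".join(parts[:-1] + [level, parts[-1]])


def change_kind(old: str, new: str) -> str:
    """Slide 21: moving to a less sensitive level is declassification,
    moving to a more sensitive level is reclassification."""
    o, n = RANK[old.upper()], RANK[new.upper()]
    return "declassification" if n > o else "reclassification" if n < o else "unchanged"


def handling_violations(filenames: List[str]) -> List[str]:
    """Electronic files whose name carries no label cannot be handled according
    to their classification (slide 18), so report them for the owner to fix."""
    return [f for f in filenames if parse_label(f) is None]


# Constructed sample file names for illustration.
SAMPLE_FILES = ["q3-forecast.CONFIDENTIAL.xlsx", "press-release.PUBLIC.docx", "vendor-nda.pdf"]

if __name__ == "__main__":
    print(handling_violations(SAMPLE_FILES))       # ['vendor-nda.pdf']
    print(change_kind("confidential", "restricted"))  # declassification
```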

22 Value and Criticality of Information Systems
- Information is assigned a classification level for protection purposes
- Classification is only one of the elements in determining the overall value and criticality of the information to the organization
- The asset’s value must be determined before a cost can be associated with protecting this asset
- Reference: Table 5.7, Information System Asset Policy

23 Value and Criticality of Information Systems Cont.
- Calculating the value of an asset
  - Cost to acquire or develop the asset
  - Cost to maintain and protect the asset
  - Cost to replace the asset
  - Importance of the asset to its owner
  - Competitive advantage of the information
  - Marketability of the information
  - Impact on delivery of services
  - Reputation
  - Liability issues
  - Regulatory compliance requirements

24 Value and Criticality of Information Systems Cont.
- An organization should always keep an updated information asset inventory
  - You can’t protect what you don’t know you have!
- Asset inventory methodology: hardware assets include (but are not limited to)
  - Computer equipment
  - Communication equipment
  - Storage media
  - Infrastructure equipment

25 Value and Criticality of Information Systems Cont.
- Asset inventory methodology: software assets include (but are not limited to)
  - Operating system software
  - Productivity software
  - Application software

26 Value and Criticality of Information Systems Cont.
- Asset inventory characteristics and attributes
  - Each asset should have a unique identifier
    - Create a naming convention so that all assets are consistently named throughout the company
  - Each asset should have a description: what is this asset used for?
  - Manufacturer imprint
    - Hardware: manufacturer name, model and serial numbers
    - Software: publisher name, version number, revision number, patch level

27 Value and Criticality of Information Systems Cont.
- Asset inventory characteristics and attributes (cont.)
  - Physical address: geographical location of the asset
  - Logical address: where the asset can be found on the organization’s network
  - Controlling entity: the department that funded the purchase/development of this asset

28 System Characterization
- Articulates the understanding of the system, including the boundaries of the system being assessed, the system’s hardware and software, and the information that is stored, processed and transmitted
- Assets should be ranked based on their protection level and importance to the organization

29 System Characterization Cont.
- Two criteria used to rank information
  - System impact: how vital is this information to the organization?
  - Protection level: the level of protection/safeguards required

30 System Characterization Cont.
- Three levels used to characterize information assets (system impact)
  - High: breach or disruption of information would have major business processing or customer impact
  - Medium: breach or disruption of information would have minor business processing or customer impact
  - Low: breach or disruption of information would have no business processing or customer impact

31 System Characterization Cont.
- Three levels used to characterize information assets (information protection)
  - High: compromise / disclosure / loss would have a significant negative impact
  - Medium: compromise / disclosure / loss would have some negative impact
  - Low: compromise / disclosure / loss would have a minimal negative impact

32 System Characterization Cont.
- Criticality ratings provide the basis on which to prioritize and allocate resources to protect information assets
- Also used during risk analysis and management, disaster recovery planning and business continuity planning
- Should be revised at least once a year and any time a change driver is introduced
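An added example, not taken from the slides, that models the inventory attributes of slides 26 and 27 and the two ranking criteria of slides 29 through 32 as a small Python inventory. The numeric weights for High/Medium/Low, the summed criticality score and the sample assets are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Weights for the High/Medium/Low levels of slides 30 and 31; the weights
# and the summed score are this example's own convention, not the slides'.
LEVEL_SCORE = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

@dataclass
class Asset:
    asset_id: str            # unique identifier following the naming convention
    description: str         # what the asset is used for
    manufacturer: str        # hardware: name/model/serial; software: publisher/version
    physical_address: str    # geographical location
    logical_address: str     # where it is found on the network
    controlling_entity: str  # department that funded the purchase/development
    system_impact: str       # HIGH / MEDIUM / LOW (slide 30)
    protection_level: str    # HIGH / MEDIUM / LOW (slide 31)
    last_reviewed: date      # last revision of the criticality rating

def criticality(a: Asset) -> int:
    """Combine the two ranking criteria of slide 29 into one score from 2 to 6."""
    return LEVEL_SCORE[a.system_impact.upper()] + LEVEL_SCORE[a.protection_level.upper()]

def prioritize(assets: list) -> list:
    """Ids in resource-allocation order (slide 32): highest criticality first, ties by impact, then id."""
    key = lambda a: (-criticality(a), -LEVEL_SCORE[a.system_impact.upper()], a.asset_id)
    return [a.asset_id for a in sorted(assets, key=key)]

def review_due(a: Asset, today: date, change_driver: bool = False) -> bool:
    """Ratings are revised at least once a year and whenever a change driver is introduced."""
    return change_driver or today - a.last_reviewed > timedelta(days=365)

def inventory_defects(assets: list) -> list:
    """Flag duplicate identifiers and blank required attributes (slides 26 and 27)."""
    defects, seen = [], set()
    for a in assets:
        if a.asset_id in seen:
            defects.append(f"duplicate id: {a.asset_id}")
        seen.add(a.asset_id)
        for attr in ("description", "manufacturer", "physical_address", "controlling_entity"):
            if not getattr(a, attr).strip():
                defects.append(f"{a.asset_id}: missing {attr}")
    return defects

SAMPLE = [  # constructed sample inventory; serial numbers and addresses are placeholders
    Asset("SRV-0001", "payroll database server", "Dell PowerEdge, SN-PLACEHOLDER", "HQ datacenter, rack 4", "10.0.20.15", "Finance", "HIGH", "HIGH", date(2023, 1, 10)),
    Asset("WKS-0042", "marketing workstation", "Lenovo ThinkPad, SN-PLACEHOLDER", "Floor 2, desk 42", "10.0.30.42", "Marketing", "LOW", "MEDIUM", date(2024, 6, 1)),
    Asset("APP-0007", "customer portal hosted at an ASP", "Acme Portal 3.2.1", "", "portal.example.com", "Sales", "HIGH", "MEDIUM", date(2024, 6, 1)),
]
```

Running `prioritize(SAMPLE)` lists the payroll server first; `inventory_defects(SAMPLE)` reports the portal record with no physical address, which is exactly the gap an ASP-hosted asset tends to leave in an inventory.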

33 Summary
- A company cannot defend its information assets unless it knows what they are and where they are
- The company must also identify how critical these assets are to the business process
- Companies need an inventory of their assets and a classification system for those assets
- Companies should run criticality analyses at least once a year
