Sample Information Classification Standard:: Difference between revisions
Latest revision as of 17:44, 23 January 2014
Sample Information Classification Standard
This Information Classification Standard builds on the objectives established in the Asset Identification and Classification Policy, and provides specific instructions and requirements for classifying information assets. These instructions cover the Confidentiality, Integrity and Availability classification requirements, as well as the reclassification and declassification requirements.
Objectives
1. Confidentiality
All Company information shall be classified in one of four confidentiality categories:
- Restricted: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
- Confidential: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
- Internal Use Only: Information confined to use only within Company for purposes related to its business.
- Public: Information and material to which access may be granted to any other person or organization.
When Restricted information is combined with Confidential, Internal Use Only or Public information, the resulting collection of information must be classified as Restricted.
When Confidential information is combined with Internal Use Only or Public information, the resulting collection of information must be classified, at a minimum, as Confidential.
When Internal Use Only information is combined with Public information, the resulting collection of information must be classified, at a minimum, as Internal Use Only.
When information has not been explicitly classified as Restricted, Confidential, or Internal Use Only, the information shall by default not be considered Public.
2. Integrity
The Integrity Protected classification indicates that the information, in electronic form, should be protected by Company-approved encryption or data inspection techniques that ensure the information has not been intentionally or inadvertently altered. Refer to the Integrity Protection Standard for specific instructions and information on proper controls to protect the integrity of Company information assets.
The Integrity Protected classification shall be applied with discretion to an information asset that, if accidentally or intentionally altered without authorization, would significantly damage the Company's competitive advantage and reputation or could lead to legal liabilities.
3. Availability
All Company information shall be classified in one of three availability categories:
- High: High to continuous availability required. <Insert company-specific description>
- Medium: Standard availability required. <Insert company-specific description>
- Low: Limited availability required. <Insert company-specific description>
4. Reclassification
Restricted information shall be reviewed for reclassification by the Asset Owner on a specific review date not to exceed five (5) years unless otherwise required by law or Company policy.
Confidential and Internal Use Only information shall be reviewed annually for reclassification. In accordance with Company procedures, this review may be conducted sooner in response to specific requests for reclassification.
5. Declassification
Restricted information shall be automatically declassified after five (5) years unless otherwise required by law or Company policy.
Declassification shall be performed in accordance with Company procedures.
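As an added example (not part of the original standard), the confidentiality aggregation rules of section 1 and the review and declassification intervals of sections 4 and 5 expressed in Python, so that a derived label and its review dates can be checked mechanically. Treating a component with no explicit label as Internal Use Only is an assumption of this example; the standard only says such information is not Public.

```python
from datetime import date
from typing import Iterable, Optional

# Confidentiality categories from section 1, least to most restrictive.
CONFIDENTIALITY = ("Public", "Internal Use Only", "Confidential", "Restricted")
# Maximum review interval in years (section 4); Public has no stated interval.
REVIEW_YEARS = {"Restricted": 5, "Confidential": 1,
                "Internal Use Only": 1, "Public": None}
# Automatic declassification interval in years (section 5): Restricted only.
DECLASSIFY_YEARS = {"Restricted": 5}

def combine(labels: Iterable[Optional[str]]) -> str:
    """Label for a collection built from components with the given labels.

    Section 1: the most restrictive component label wins, and a component
    with no explicit label (None) is never Public. Treating such a component
    as Internal Use Only is an assumption of this example, not the standard.
    """
    default = CONFIDENTIALITY.index("Internal Use Only")
    highest: Optional[int] = None
    for label in labels:
        if label is None:
            rank = default
        elif label in CONFIDENTIALITY:
            rank = CONFIDENTIALITY.index(label)
        else:
            raise ValueError(f"unknown confidentiality label: {label!r}")
        highest = rank if highest is None else max(highest, rank)
    # An empty collection has no explicit classification, so the default applies.
    return CONFIDENTIALITY[default if highest is None else highest]

def _add_years(iso_day: str, years: int) -> str:
    """Add calendar years to an ISO-8601 date, clamping 29 Feb to 28 Feb."""
    d = date.fromisoformat(iso_day)
    try:
        return d.replace(year=d.year + years).isoformat()
    except ValueError:
        return d.replace(year=d.year + years, day=28).isoformat()

def next_review(label: str, classified_on: str) -> Optional[str]:
    """Latest date for the Asset Owner's reclassification review (section 4)."""
    years = REVIEW_YEARS[label]
    return None if years is None else _add_years(classified_on, years)

def declassify_on(label: str, classified_on: str) -> Optional[str]:
    """Date on which Restricted information declassifies automatically (section 5)."""
    years = DECLASSIFY_YEARS.get(label)
    return None if years is None else _add_years(classified_on, years)
```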
Document Examples
Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine (http://policy-machine.com).
[Gallery: Information Classification Standard sample document, pages one through eight.]