Sample Information Classification Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Document History


Version Date Revised By Description
1.0 1 January 2010 <Current date> Michael D. Peters <Owners's name> This version replaces any prior version.


Document Certification


Description Date Parameters
Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2011 <Date>


Sample Information Classification Standard


The <Your Company Name> (the "Company") Sample Asset Identification and Classification Policy defines objectives for establishing specific standards on the identification and classification of Company information assets.

This Information Classification Standard builds on the objectives established in the Sample Asset Identification and Classification Policy, and provides specific instructions and requirements for classifying information assets. These instructions address classification requirements for the management of electronically stored information.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Confidentiality/privacy classifications are defined in the Sample Information Classification Standard.

Exchangeable media refers to diskettes, tapes, removable hard drives, compact disks, etc.

Sensitive information refers to information that has been classified as Restricted, Confidential, or Internal Use Only.

II. Objectives


The Company defines information classifications based on the sensitivity, criticality, confidentiality/privacy requirements, and value of the information. All information assets, whether generated internally or externally, must be categorized into one of these information classifications: Restricted, Confidential, Internal Use Only, or Public. When information of various classifications is combined, the resulting collection of information or new information must be classified at the most restrictive level among the sources. Specific instructions and requirements for classifying information assets are provided in the Sample Information Classification Standard.

All Restricted, Confidential, and Internal Use Only information must be labeled or marked with the appropriate information classification designation. Such markings must appear on all manifestations of the information. Specific instructions and requirements for labeling information assets are provided in the Sample Information Labeling Standard.

II. Requirements


A. Confidentiality


All Company information shall be classified in one of four confidentiality categories:


Confidentiality ClassificationDescriptionExamples
Restricted
Confidential
Internal Use Only
Public


B. Integrity


  • The Integrity Protected classification indicates that the information, in electronic form, should be protected by Company-approved encryption or data inspection techniques that ensure the information has not been intentionally or inadvertently altered. Refer to the Integrity Protection Standard for specific instructions and information on proper controls to protect the integrity of Company information assets.
  • The Integrity Protected classification shall be applied with discretion to an information asset that if accidentally or intentionally altered without authorization would significantly damage the Company's competitive advantage and reputation or could lead to legal liabilities.


Possible examples of Integrity Protected information include:


  • <Insert company-specific examples>


C. Availability


All Company information shall be classified in one of three availability categories:


A description of each category is provided in the following table:


Availability ClassificationDescriptionPotential
High
Medium
Low


D. Reclassification


  • Restricted information shall be reviewed for reclassification by the Asset Owner on a specific review date not to exceed <#> years.
  • Confidential and Internal Use Only information shall be reviewed annually for reclassification. In accordance with Company procedures, this review may be conducted sooner in response to specific requests for reclassification.
E. Declassification


  • Restricted information shall be automatically declassified after <#> years.
  • Declassification shall be performed in accordance with Company procedures.

III. Responsibilities


The Chief Information Officer (CIO) is the approval authority for the Asset Identification and Classification Policy.

The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Identification and Classification Policy and associated standards and guidelines.

The individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using Company information assets:

  • Owners are managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for: identifying information assets; assigning the proper information classification; ensuring the proper labeling for sensitive information; designating the Custodian in possession of the information; ensuring the information classifications are properly communicated and understood by the Custodians; and reviewing information assets periodically to determine if their classifications should be changed.


  • Custodians are the managers, administrators, service providers, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for understanding the information classifications, and applying the necessary controls (specified in the Sample Asset Protection Policy) to maintain and conserve the information classifications and labeling established by the Owners.


  • Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for understanding the information classifications, abiding by the controls defined by the Owner and implemented by Custodians; maintaining and conserving the information classification and labeling established by the Owners; and contacting the Owner when information is unmarked or the classification is unknown.


IV. Enforcement and Exception Handling


Failure to comply with the Asset Identification and Classification Policy and associated standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Asset Identification and Classification Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.

V. Review and Revision


The Asset Identification and Classification Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Officer