Sample Information Classification Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search
No edit summary
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Document History==
==Sample Information Classification Standard==
<br>
This Information Classification Standard builds on the objectives established in the [[Sample_Asset_Identification_and_Classification_Policy:|'''Asset Identification and Classification Policy''']], and provides specific instructions and requirements for classifying information assets. These instructions include Confidentiality, Integrity, Availability information classification requirement as well as reclassification and declassification requirements.
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Version'''
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2010 <Current date>
| Michael D. Peters '''<Owners's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 January 2011 '''<Date>'''
|}
<br>


=='''Sample Information Classification Standard'''==
==Objectives==
<br>
1. '''Confidentiality'''
The '''<Your Company Name>''' (the "Company") [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']] defines objectives for establishing specific standards on the identification and classification of Company information assets.<br>
All Company information shall be classified in one of four confidentiality categories:<br>
<br>
<br>
This Information Classification Standard builds on the objectives established in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']], and provides specific instructions and requirements for classifying information assets. These instructions address classification requirements for the management of electronically stored information.<br>
* Restricted: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
* Confidential: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
* Internal Use Only: Information confined to use only within Company for purposes related to its business.
* Public: Information and material to which access may be granted to any other person or organization.<br>
<br>
<br>
 
When '''Restricted''' information is combined with Confidential, Internal Use Only or Public information, the resulting collection of information must be classified as Restricted.<br>
=='''I. Scope'''==
<br>
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
When '''Confidential''' information is combined with Internal Use Only or Public information, the resulting collection of information must be classified, at a minimum, as Confidential.<br>
<br>
<br>
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
When '''Internal Use Only''' information is combined with Public information, the resulting collection of information must be classified, at a minimum, as Internal Use Only.<br>
<br>
<br>
'''Confidentiality/privacy''' classifications are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
When information has not been explicitly classified as Restricted, Confidential, or Internal Use Only, the information by default shall not be considered as Public.<br>
<br>
<br>
'''Exchangeable media''' refers to diskettes, tapes, removable hard drives, compact disks, etc.<br>
2. '''Integrity'''
The Integrity Protected classification indicates that the information, in electronic form, should be protected by Company-approved encryption or data inspection techniques that ensure the information has not been intentionally or inadvertently altered. Refer to the Integrity Protection Standard for specific instructions and information on proper controls to protect the integrity of Company information assets.<br>
<br>
<br>
'''Sensitive information''' refers to information that has been classified as Restricted, Confidential, or Internal Use Only.<br>
The Integrity Protected classification shall be applied with discretion to an information asset that if accidentally or intentionally altered without authorization would significantly damage the Company's competitive advantage and reputation or could lead to legal liabilities.<br>
<br>
<br>
 
3. '''Availability'''
=='''II. Objectives'''==
All Company information shall be classified in one of three availability categories:<br>
<br>
<br>
The Company defines information classifications based on the sensitivity, criticality, confidentiality/privacy requirements, and value of the information. All information assets, whether generated internally or externally, must be categorized into one of these information classifications: Restricted, Confidential, Internal Use Only, or Public. When information of various classifications is combined, the resulting collection of information or new information must be classified at the most restrictive level among the sources. Specific instructions and requirements for classifying information assets are provided in the  [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
* High: High to continuous availability required. <Insert company-specific description>
* Medium: Standard availability required. <Insert company-specific description>
* Low: Limited availability required. <Insert company-specific description><br>
<br>
<br>
All Restricted, Confidential, and Internal Use Only information must be labeled or marked with the appropriate information classification designation. Such markings must appear on all manifestations of the information. Specific instructions and requirements for labeling information assets are provided in the [[Sample Information Labeling Standard:|'''Sample Information Labeling Standard''']].<br>
4. '''Reclassification'''
Restricted information shall be reviewed for reclassification by the Asset Owner on a specific review date not to exceed five (5) years unless otherwise required by law or Company policy.<br>
<br>
<br>
 
Confidential and Internal Use Only information shall be reviewed annually for reclassification. In accordance with Company procedures, this review may be conducted sooner in response to specific requests for reclassification.<br>
=='''II. Requirements'''==
<br>
<br>
:'''A. Confidentiality'''<br>
5. '''Declassification'''
Restricted information shall be automatically declassified after five (5) years unless otherwise required by law or Company policy.<br>
<br>
<br>
:All Company information shall be classified in one of four confidentiality categories:<br>
Declassification shall be performed in accordance with Company procedures.<br>
<br>
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<table border="1">
<tr><td>'''Confidentiality Classification'''</td><td>'''Description'''</td><td>'''Examples'''</td></tr>
<tr><td>'''Restricted'''</td><td></td><td></td></tr>
<tr><td>'''Confidential'''</td><td></td><td></td></tr>
<tr><td>'''Internal Use Only'''</td><td></td><td></td></tr>
<tr><td>'''Public'''</td><td></td><td></td></tr>
</table>
</blockquote>
<br>
<br>


:'''B. Integrity'''<br>
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
:* The Integrity Protected classification indicates that the information, in electronic form, should be protected by Company-approved encryption or data inspection techniques that ensure the information has not been intentionally or inadvertently altered. Refer to the Integrity Protection Standard for specific instructions and information on proper controls to protect the integrity of Company information assets.
:* The Integrity Protected classification shall be applied with discretion to an information asset that if accidentally or intentionally altered without authorization would significantly damage the Company's competitive advantage and reputation or could lead to legal liabilities.<br>
<br>
:''' Possible examples of Integrity Protected information include:'''<br>
<br>
:* <Insert company-specific examples><br>
<br>
:'''C. Availability'''<br>
<br>
: All Company information shall be classified in one of three availability categories:
<br>
: A description of each category is provided in the following table:<br>
<br>
<blockquote style="background: white; border: 1px solid black; padding: 1em;">
<table border="1">
<tr><td>'''Availability Classification'''</td><td>'''Description'''</td><td>'''Potential'''</td></tr>
<tr><td>'''High'''</td><td></td><td></td></tr>
<tr><td>'''Medium'''</td><td></td><td></td></tr>
<tr><td>'''Low'''</td><td></td><td></td></tr>
</table>
</blockquote>
<br>
 
:'''D. Reclassification'''<br>
<br>
:* Restricted information shall be reviewed for reclassification by the Asset Owner on a specific review date not to exceed <#> years.
::* Confidential and Internal Use Only information shall be reviewed annually for reclassification. In accordance with Company procedures, this review may be conducted sooner in response to specific requests for reclassification.
 
:'''E. Declassification'''<br>
<br>
:* Restricted information shall be automatically declassified after <#> years.
:* Declassification shall be performed in accordance with Company procedures.
 
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the Information Classification Standard. The CISO also is responsible for the development, implementation, and maintenance of the Information Classification Standard.<br>
<br>
Legal counsel is responsible for informing company management about data classification requirements generated by legislation, regulations, or contractual agreements, and ensuring that those requirements are covered by the Information Classification Standard and associated procedures.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Information Classification Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Information Classification Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for assigning the proper information classifications; ensuring the information classifications are properly communicated and understood by the Custodians and Users; and ensuring that information assets are reviewed for reclassification.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for understanding the information classifications, and defining and implementing the necessary controls to apply, maintain, and conserve the information classifications established by the Owners.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with the Information Classification Standard and associated guidelines and procedures; maintaining and conserving the information classification established by the Owners and applied by the Custodians; and contacting the Owner when the information classification is unknown.
 
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Asset Identification and Classification Policy and associated standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Asset Identification and Classification Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Asset Identification and Classification Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Officer<br>
<br>
<br>
<gallery>
Image:Information Classification Standard.png|Information Classification Standard page one of eight.
Image:Information Classification Standard(1).png|Information Classification Standard page two of eight.
Image:Information Classification Standard(2).png|Information Classification Standard page three of eight.
Image:Information Classification Standard(3).png|Information Classification Standard page four of eight.
Image:Information Classification Standard(4).png|Information Classification Standard page five of eight.
Image:Information Classification Standard(5).png|Information Classification Standard page six of eight.
Image:Information Classification Standard(6).png|Information Classification Standard page seven of eight.
Image:Information Classification Standard(7).png|Information Classification Standard page eight of eight.
</gallery>

Latest revision as of 17:44, 23 January 2014

Sample Information Classification Standard

This Information Classification Standard builds on the objectives established in the Asset Identification and Classification Policy, and provides specific instructions and requirements for classifying information assets. These instructions include Confidentiality, Integrity, Availability information classification requirement as well as reclassification and declassification requirements.

Objectives

1. Confidentiality All Company information shall be classified in one of four confidentiality categories:

  • Restricted: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
  • Confidential: Information, the unauthorized disclosure of which would: <Insert company-specific examples>
  • Internal Use Only: Information confined to use only within Company for purposes related to its business.
  • Public: Information and material to which access may be granted to any other person or organization.


When Restricted information is combined with Confidential, Internal Use Only or Public information, the resulting collection of information must be classified as Restricted.

When Confidential information is combined with Internal Use Only or Public information, the resulting collection of information must be classified, at a minimum, as Confidential.

When Internal Use Only information is combined with Public information, the resulting collection of information must be classified, at a minimum, as Internal Use Only.

When information has not been explicitly classified as Restricted, Confidential, or Internal Use Only, the information by default shall not be considered as Public.

2. Integrity The Integrity Protected classification indicates that the information, in electronic form, should be protected by Company-approved encryption or data inspection techniques that ensure the information has not been intentionally or inadvertently altered. Refer to the Integrity Protection Standard for specific instructions and information on proper controls to protect the integrity of Company information assets.

The Integrity Protected classification shall be applied with discretion to an information asset that if accidentally or intentionally altered without authorization would significantly damage the Company's competitive advantage and reputation or could lead to legal liabilities.

3. Availability All Company information shall be classified in one of three availability categories:

  • High: High to continuous availability required. <Insert company-specific description>
  • Medium: Standard availability required. <Insert company-specific description>
  • Low: Limited availability required. <Insert company-specific description>


4. Reclassification Restricted information shall be reviewed for reclassification by the Asset Owner on a specific review date not to exceed five (5) years unless otherwise required by law or Company policy.

Confidential and Internal Use Only information shall be reviewed annually for reclassification. In accordance with Company procedures, this review may be conducted sooner in response to specific requests for reclassification.

5. Declassification Restricted information shall be automatically declassified after five (5) years unless otherwise required by law or Company policy.

Declassification shall be performed in accordance with Company procedures.

Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.