Sample Asset Identification and Classification Policy:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Document History

Version Date Revised By Description
1.0 1 January 2009 <Current date> Michael D. Peters <Owners's name> This version replaces any prior version.

Document Certification

Description Date Parameters
Designated document recertification cycle in days: 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date: 1 January 2010 <Date>

Sample Asset Identification and Classification Standard

As stated in the <Your Company Name> (the "Company") Sample Information Security Program Charter, the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will protect information assets by establishing policies to identify, classify, define protection and management objectives, and define acceptable use of Company information assets.

This Asset Identification and Classification Standard defines Company objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.

I. Scope

All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, at hosted or outsourced sites supporting the Company, or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.

The Company Information Security Program Charter and relevant policies, standards and guidelines must have the fundamental guidance, procedures, and commentary based upon the ISO 27002 framework. The ISO 27002 standard is the rename of the existing ISO 17799, ISO 17799:2005 standard, and is a code of practice for information security subject to the guidance provided within ISO 27001. The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of organizational security standards and effective security management practices.

Information Asset is defined as any data, or an aggregate of data, that has value to the organization. This includes all data, whether in the form of electronic media or physical records that are used by the Company or in support of Company business processes, including all data maintained or accessed through systems owned or administered by or on the behalf of the Company. Information Assets include all personal, private, or financial data about employees, clients, contractors, or other organizations that must be protected in accordance with relevant legislative, regulatory, or contractual requirements.

Customer refers to an entity that is paying for service.

Customer Information refers to an Information Asset that is owned by a Customer.

II. Objectives

The Company defines information classifications based on the sensitivity, criticality, confidentiality/privacy requirements, and value of the information. All information assets, whether generated internally or externally, must be categorized into one of these information classifications: Restricted, Confidential, Internal Use Only, or Public. When information of various classifications is combined, the resulting collection of information or new information must be classified at the most restrictive level among the sources. Specific instructions and requirements for classifying information assets are provided in the Sample Information Classification Standard.

All Restricted, Confidential, and Internal Use Only information must be labeled or marked with the appropriate information classification designation. Such markings must appear on all manifestations of the information. Specific instructions and requirements for labeling information assets are provided in the Sample Information Labeling Standard.

III. Responsibilities

The Chief Information Officer (CIO) is the approval authority for the Asset Identification and Classification Standard.

The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Identification and Classification Policy and associated standards and guidelines.

The individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using Company information assets:

  • Owners are managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for: identifying information assets; assigning the proper information classification; ensuring the proper labeling for sensitive information; designating the Custodian in possession of the information; ensuring the information classifications are properly communicated and understood by the Custodians; and reviewing information assets periodically to determine if their classifications should be changed.

  • Custodians are the managers, administrators, service providers, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for understanding the information classifications, and applying the necessary controls (specified in the Sample Asset Protection Standard) to maintain and conserve the information classifications and labeling established by the Owners.

  • Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for understanding the information classifications, abiding by the controls defined by the Owner and implemented by Custodians; maintaining and conserving the information classification and labeling established by the Owners; and contacting the Owner when information is unmarked or the classification is unknown.

IV. Enforcement and Exception Handling

Failure to comply with the Asset Identification and Classification Policy and associated standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Asset Identification and Classification Standard should be submitted to the CISO. Exceptions shall be permitted only on receipt of written approval from the CISO. The CISO will periodically report current status to the CIO or its designee.

V. Review and Revision

The Asset Identification and Classification Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Recommended: _______________________________________________________


<Typed Name>

Chief Information Security Officer

Approved: _______________________________________________________


<Typed Name>

Chief Information Officer