Information Classification

Classification Guidelines

Asset classification is the process of assigning value to data in order to organise it according to its sensitivity to loss or disclosure.  All information assets shall be classified, using a company-wide asset classification system.  All data, regardless of its classification, will be protected from unauthorised alteration; this policy provides guidance on the proper handling of data.

The classification system shall allow the classification of an information asset to change over time.

Classifying Information

This policy requires that all information assets be classified and labelled in a manner that allows the asset to be readily identified to determine handling and protection level for that asset.

Care will be taken when interpreting the classification systems from other organisations as their classification systems may have different parameters.  Information assets shall be assigned a sensitivity classification by the asset information owner or their nominees, in accordance with the following classification definitions:

  • Confidential: Sensitive information requiring the highest degree of protection.  Access to this information shall be tightly restricted based on the concept of need-to-know.  Disclosure requires the information owner’s approval and, in the case of third parties, a signed confidentiality agreement.  If this information were to be compromised, there could be serious negative financial, legal, or public image impacts to CX Index or CX Index’s clients.  Examples include client information, CX Index source code, research data, CX Index’s policies and standards, operational procedures, etc.
  • Public: Information that requires no special protection or rules of use.  This information is suitable for public dissemination.  Examples include press releases, marketing brochures, etc.

The Senior Management is responsible for maintaining this policy and ensuring the infrastructure exists to support this policy.

Handling and Protection Rules

Each asset classification shall have handling and protection rules.  These rules must cover any media the assets may reside in at any time.

All computer-resident confidential information shall be protected via access controls to ensure that it is not improperly disclosed, modified, deleted or otherwise rendered unavailable.

Employees are prohibited from recording confidential information with tape recorders, digital/analogue recording devices, etc., without the consent of the Senior Management.  This includes the use of camera equipment (of any kind).

Unless it has specifically been designated as “Public”, all CX Index internal information shall be assumed to be confidential and shall be protected from disclosure to unauthorised third parties.

No confidential information of CX Index or of any third party shall be disclosed to the public or any unauthorised third party without the prior approval of CX Index’s Senior Management.

Access to every office and work area containing confidential information shall be restricted, and employees shall take all reasonable steps to protect confidential information under their control from inadvertent disclosure.

Handling and protection rules must include all parts of an asset’s life-cycle, from creation/installation through use and finally to destruction/disposal.  Sensitive information or systems must be appropriately disposed of when no longer needed.

Information Labelling and Handling

It is important that an appropriate set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by CX Index.  These procedures must cover information assets in physical and electronic formats.  For each classification, handling procedures should be defined to cover the following types of information processing activity:

  • Copying
  • Storage
  • Transmission by post, fax, and electronic mail
  • Destruction

System outputs containing confidential information shall carry an appropriate classification label (in the output).

The labelling should reflect the classification.  Items for consideration include printed reports, screen displays, recorded media, and electronic messages and file transfers.

Physical labels are generally the most appropriate forms of labelling.  However, some information assets, such as documents in electronic form, cannot be physically labelled and electronic means of labelling need to be used.

Where feasible, all printed, handwritten, or other paper manifestations of confidential information shall have a clearly evident sensitivity label within the footer of each page or a watermark that indicates the sensitivity classification.

Information Retention

Information shall not be retained any longer than the business requires it to be retained, and in accordance with data protection, privacy, legal, and other regulatory requirements.  This reduces the window of time during which data could potentially be available for misuse.  Controls should be implemented to delete data that exceeds its required retention time.
