Asset classification and control

Information is a business asset and is of value to an organization. Information can exist in various forms, such as printed on paper, spoken in conversations, stored in electronic media, transmitted through e-mails and messages, and so on. Hence, irrespective of where the asset is located, its protection is vital, and the level of protection is based on its classification. In turn, classification is based on confidentiality, integrity, and availability requirements.

Asset classification and control

Asset classification is based on asset value. Various parameters are used in the industry to derive asset value. In general, asset value is based on the impact to the corporation in the event of disclosure, alteration, or destruction. Impacts could be loss of business, loss of corporate image, customer dissatisfaction, and so on. Hence, parameters used to derive asset value may include monetary value, intellectual property value, competitive advantage, privacy requirements, legal and regulatory requirements, and so on. Security controls for asset protection are based on the asset's value and its sensitivity. Hence, the asset type and its value determine the level of security assurance required. Information assurance requirements establish the required CIA values.

In a nutshell, asset classification is used to identify the type of information based on its value, sensitivity, and the degree of assurance required. Classification helps to devise suitable security controls.

The following parameters are applicable to information assets:

  • Classification criteria: Information assets are generally classified based on the following:
    • Value
    • Age
    • Useful life
    • Personal association, based on privacy requirements (for example, the damage that loss or damage of the information would cause to the individuals concerned)
  • Owner: The owner of the information asset is responsible for its protection. The owner plays the role of determining the classification level, periodical review, and delegation.
  • Custodian: The custodian is the person delegated to maintain the information by the owner. A custodian's role includes the backup and restoration of the information and maintaining records.
  • User: A user uses the information. A user may be an employee, an operator, or a third party. The role of the user is to exercise due care while handling the information by following the operating procedures. A user is responsible for using the information only for the authorized purpose.

Classification types in government

Governmental agencies classify information based on confidentiality requirements and on the damage that might be incurred if the information is disclosed or compromised. This classification schema enforces the need-to-know principle for access.

Note

The need-to-know principle establishes that one has to demonstrate a specific need to know, or to access, information that is classified as sensitive. In other words, even if the user already holds the clearance required to access the information, whenever such sensitive information is accessed, the user should establish the need to access it.

For example, entering a data center may require an access card and also writing down the date, time, and reason for access in the log book. Another example could be: Joe has a secret clearance and works in IT. Joe has access to most secret material, but is restricted from accessing details of his company's latest aerospace project because his duties do not include aerospace engineering; therefore, he does not need to know.
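The Joe example above is a two-part access decision: the subject's clearance must dominate the asset's level, and the subject must separately have need-to-know for the asset's compartment. The following is an added illustration, not code from the book: it encodes both checks as a small policy function and produces the kind of dated, reasoned record the data-center log book example calls for. The level ordering mirrors the government levels listed later in this chapter (the placement of Public Trust between Unclassified and Confidential is an assumption); the compartment labels ("it-ops", "aerospace") and the user and asset records are constructed for the example.

```python
"""Need-to-know access decision: clearance alone is not sufficient.

Added example, not from the book. LEVELS mirrors the chapter's government
classification levels; compartments, subjects and assets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Ordered lowest to highest; the index is the rank used for dominance checks.
# Placing "Public Trust" between Unclassified and Confidential is an assumption.
LEVELS = ["Unclassified", "Public Trust", "Confidential",
          "Secret", "Top Secret", "Core Secrets"]


def rank(level: str) -> int:
    """Numeric rank of a classification level; unknown labels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class Asset:
    name: str
    level: str
    compartments: frozenset  # need-to-know categories the asset belongs to


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    need_to_know: frozenset  # compartments the subject's duties require


def access_decision(subject: Subject, asset: Asset) -> tuple:
    """Return (allowed, reason).

    Both conditions must hold:
      1. the subject's clearance dominates the asset's level;
      2. the subject has need-to-know for every compartment on the asset.
    Failing either one denies access, and the reason names which check failed.
    """
    if rank(subject.clearance) < rank(asset.level):
        return False, (f"clearance {subject.clearance} does not "
                       f"dominate {asset.level}")
    missing = asset.compartments - subject.need_to_know
    if missing:
        return False, "no need-to-know for: " + ", ".join(sorted(missing))
    return True, "clearance and need-to-know satisfied"


def log_entry(subject: Subject, asset: Asset, purpose: str) -> dict:
    """Build the log-book style record: who, what, when, why, and the outcome."""
    allowed, reason = access_decision(subject, asset)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "subject": subject.name,
        "asset": asset.name,
        "purpose": purpose,
        "allowed": allowed,
        "reason": reason,
    }


# Constructed records for the chapter's Joe example (labels are hypothetical).
JOE = Subject("Joe", "Secret", frozenset({"it-ops"}))
AEROSPACE_PLAN = Asset("aerospace project plan", "Secret", frozenset({"aerospace"}))
SERVER_INVENTORY = Asset("server inventory", "Secret", frozenset({"it-ops"}))
TS_BRIEFING = Asset("quarterly briefing", "Top Secret", frozenset({"it-ops"}))

if __name__ == "__main__":
    for asset in (AEROSPACE_PLAN, SERVER_INVENTORY, TS_BRIEFING):
        entry = log_entry(JOE, asset, "routine maintenance")
        print(f"{entry['asset']:<24} allowed={entry['allowed']}  {entry['reason']}")
```

Running the block shows Joe denied on the aerospace plan (same level, no need-to-know), allowed on the server inventory, and denied on the Top Secret briefing (clearance does not dominate). Keeping the reason in the record is what makes the later periodic review by the asset owner possible.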

The United States information classification

Information classification in the United States government is based on the effect that compromise of the asset would have on national security. In addition to the general levels, there are specific classifications, such as Core Secrets, for information assets within the National Security Agency (NSA). The levels are:

  • Core Secrets is the highest level of classification. In this classification, only select individuals from the NSA and government have access to the information.
  • Top Secret is any information that will cause exceptional damage to national security if disclosed to unauthorized entities. This is level 5 or the highest level of classification after Core Secrets.
  • Secret information has a potential to cause serious damage to national security if disclosed. This is one level down from Top Secret.
  • Confidential information could cause certain damage to national security when disclosed to unauthorized entities. This is level 3 classification.
  • Public Trust is a type of information that may require background clearance to access. This is neither confidential nor unclassified.
  • Unclassified information does not compromise confidentiality and its disclosure will not have adverse impacts. This information is neither confidential nor classified.

Classification types in corporations

Private and public sector corporate entities classify information under four categories. These classifications are generic and vary between corporations and across countries. Some of the top classification types are as follows:

  • Confidential: This classification is used to denote that information is to be used strictly within the organization. Its unauthorized disclosure will have adverse effects. This is the highest level of classification in the private sector or a corporation.
  • Private: This information classification is applicable to personnel information and should be used strictly within the organization. Compromise or unauthorized disclosure will adversely affect the organization and will have legal and regulatory ramifications from privacy laws.
  • Sensitive: This classification is used to ensure higher confidentiality and integrity requirements for the information asset. It is generally associated with competitiveness and corporate image.
  • Public: This is an information classification applicable to all the information that can be disclosed to everyone. However, unauthorized modifications are not allowed. This is the lowest level of classification.