Welcome to the ninth issue of ISO 17799 News, designed to keep you abreast of developments and news with respect to ISO17799 and information security.
The newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Included in this edition are the following topics:
ESTABLISHING INFORMATION CLASSIFICATION CRITERIA
It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. A system of classification should ideally be:
- simple to understand and to administer
- effective in determining the level of protection the information is given.
- applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).
With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. Violations of the Information Classification Policy should result in disciplinary proceedings against the individual.
It is also sensible to restrict the number of information classification levels in your organization to a manageable number as having too many makes maintenance and compliance difficult. The following five levels of classification cover most eventualities:
Top Secret:
Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible.
Information which is considered critical to the organization’s ongoing operations and could seriously impede or disrupt them if shared internally or made public. Such information includes accounting information, business plans, sensitive customer information (for example at banks), patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.
Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high.
Internal Use Only:
Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal.
Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.
Care should always be applied regarding a user's possible tendency to over-classify their own work. It can sometimes be erroneously surmised that the classification level reflects directly on the individual's own level of importance.
Asset classification is covered by Section 5 of the ISO17799 standard.