Information Classification Scheme
I. SCOPE
This asset identification and classification policy applies to all HIC, Inc. associates and includes the information classification standard. All company associates share in the responsibility for ensuring that company information assets receive an appropriate level of protection by observing this information classification policy:

Company managers or information ‘owners’ shall be responsible for assigning classifications to information assets according to the standard information classification system. All company associates shall be guided by the information category in their security-related handling of company information. (Information Classification Policy, 2008)
​
II. OBJECTIVES
Data is a critical asset of HIC, Inc. All members of HIC, Inc. have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by HIC, Inc. (Examples of Data Classification Schemas, 2014) This data classification policy drives security and determines how data will be handled.
​
The data classification scheme is as follows:

- Highly sensitive
- Sensitive
- Internal
- Public

Highly sensitive classification is for mission-critical data. This includes PHI (Protected Health Information) and PII (Personally Identifiable Information) such as name, social security number, date and place of birth, mother’s maiden name, passport number, driver’s license number, taxpayer ID number, financial account or credit card number, and biometric records (retina scan, voice signature, facial geometry), as well as HIC, Inc.’s proprietary information that is deemed a very valuable company asset, such as software programs, algorithms, formulas, trade secrets, pricing, and financial data. Access to highly sensitive data is limited. Individuals and/or organizations seeking PHI of the insured must have prior authorization from the insured before HIC, Inc. can disclose information on the insured. Only people who work with PHI should have access to PHI. Executives can access corporate highly sensitive data such as HIC’s Organizational Security Policy document but not PHI data. This access control shall be implemented via RBAC (role-based access control). Highly sensitive data shall be protected by encryption, enhanced security controls, and monitoring with detailed logging of when the data was accessed. Two-factor authentication will be utilized by PHI employees to gain access to PHI data. Executives will also utilize two-factor authentication to access highly sensitive corporate data. An unauthorized breach of highly sensitive data creates substantial risk to the enterprise; it may bankrupt the company. (Business Classification Schemes, 2015) (Kostadinov, n.d.) (NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), 2010)

Sensitive classification is for data that is important to the business but not vital to its mission. Examples are client lists, vendor information, and network diagrams. Access to sensitive data is restricted and monitored. A user ID and password will be utilized by employees to gain access to sensitive data. The monitoring may not be as rigorous as for highly sensitive data. An unauthorized breach of sensitive data may result in substantial financial loss, but the business will survive. (Business Classification Schemes, 2015)

Internal classification is for data that is not related to the core business. It can be routine communication within the organization. An unauthorized breach of internal data causes a disruption to operations and financial loss. Access to internal data is restricted to employees. A user ID and password will be utilized by employees to gain access to internal data. The information is widely available to employees but is not released to the public or to individuals outside the company. (Business Classification Schemes, 2015)

Public classification is for data that has no negative impact on the business when released to the public. Access to public data is achieved by placing the data on a public website or through a press release. A user ID and password will be utilized by employees to gain access to sensitive data on the internal network. No authentication is necessary for external public access. The number of individuals who are permitted to make data public is limited. (Business Classification Schemes, 2015)
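The four classification paragraphs above describe an access decision that depends on the data's classification, the requester's RBAC role, how the requester authenticated, and (for PHI) whether the insured gave prior authorization. The following policy-as-code evaluator is an added illustration written for this page; it is not part of the HIC, Inc. policy and the role names ("employee", "phi_worker", "executive"), the record fields, and the sample records are assumptions chosen for the example. It encodes the rules as stated: no authentication for external access to public data, user ID and password for employees on internal and sensitive data, and encryption plus two-factor authentication plus role membership for highly sensitive data, with PHI further gated on the insured's authorization and restricted to PHI workers rather than executives. Every decision is written to a detailed audit log.

```python
"""Policy-as-code evaluator for a four-tier classification scheme.

Added example for illustration only; not part of the HIC, Inc. policy.
Role names, record fields and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple


class Classification(Enum):
    HIGHLY_SENSITIVE = "highly sensitive"
    SENSITIVE = "sensitive"
    INTERNAL = "internal"
    PUBLIC = "public"


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: Classification
    is_phi: bool = False              # PHI of an insured (vs. corporate data)
    insured_authorized: bool = False  # insured gave prior authorization to disclose
    encrypted: bool = False           # stored encrypted (required for highly sensitive)


@dataclass(frozen=True)
class Requester:
    user_id: str
    roles: FrozenSet[str]             # assumed RBAC roles: employee, phi_worker, executive
    authenticated: bool = False       # user ID + password verified
    mfa_verified: bool = False        # second factor completed this session
    external: bool = False            # request originates outside the company


# Detailed access log: every decision, including denials, is recorded.
audit_log: List[str] = []


def _log(req: Requester, rec: Record, allowed: bool, reason: str) -> None:
    audit_log.append(
        f"user={req.user_id} record={rec.record_id} "
        f"class={rec.classification.value} allowed={allowed} reason={reason}"
    )


def evaluate(req: Requester, rec: Record) -> Tuple[bool, str]:
    """Return (allowed, reason) for req accessing rec, and log the decision."""
    allowed, reason = _decide(req, rec)
    _log(req, rec, allowed, reason)
    return allowed, reason


def _decide(req: Requester, rec: Record) -> Tuple[bool, str]:
    c = rec.classification

    # Public: no authentication for external access; employees on the
    # internal network still sign in with user ID and password.
    if c is Classification.PUBLIC:
        if req.external or req.authenticated:
            return True, "public data"
        return False, "password authentication required on internal network"

    # Everything else is restricted to authenticated employees inside the company.
    if req.external or "employee" not in req.roles:
        return False, "not an employee"
    if not req.authenticated:
        return False, "user ID and password required"

    if c in (Classification.INTERNAL, Classification.SENSITIVE):
        return True, f"{c.value} data, employee access"

    # Highly sensitive: encryption, two-factor authentication and RBAC.
    if not rec.encrypted:
        return False, "control gap: highly sensitive data must be encrypted"
    if not req.mfa_verified:
        return False, "two-factor authentication required"
    if rec.is_phi:
        if "phi_worker" not in req.roles:
            return False, "only PHI workers may access PHI"
        if not rec.insured_authorized:
            return False, "prior authorization from the insured required"
        return True, "PHI access by authorized PHI worker"
    if "executive" not in req.roles:
        return False, "corporate highly sensitive data is executive-only"
    return True, "executive access to corporate highly sensitive data"


if __name__ == "__main__":
    # Constructed sample data: an insured's claim (PHI) and a corporate policy document.
    claim = Record("claim-001", Classification.HIGHLY_SENSITIVE,
                   is_phi=True, insured_authorized=True, encrypted=True)
    nurse = Requester("u-nurse", frozenset({"employee", "phi_worker"}),
                      authenticated=True, mfa_verified=True)
    exec_ = Requester("u-exec", frozenset({"employee", "executive"}),
                      authenticated=True, mfa_verified=True)
    print(evaluate(nurse, claim))   # allowed
    print(evaluate(exec_, claim))   # denied: executives do not get PHI
    print("\n".join(audit_log))
```

The denial reasons are deliberately specific so the audit log shows which control was missing (second factor, role, insured authorization, or encryption at rest), which is what an incident reviewer needs when reconstructing an access attempt.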
​
Data Classification and security controls
III. RESPONSIBILITIES
All members of HIC, Inc. have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by HIC, Inc. (Bosworth, Kabay, & Whyne, Examples of Data Classification Schemas, 2014)
The CIO approves the HIC, Inc. Information Classification Policy. The CIO will appoint the CISO to implement and manage this new Information Classification Policy. The CISO will establish an Information Classification Policy Awareness Program to ensure that the policy, standards, guidelines, and procedures are properly communicated and understood across the organization.
HIC, Inc. is accountable for ensuring that data is protected. The company is currently headquartered in California, and “California privacy law requires notification when private information that has not been encrypted is breached.” (The Need for Policy Governing Data at Rest and in Transit, 2015)
It is up to the business to ensure that adequate controls are funded and that they meet regulatory requirements. The COBIT framework recommends that a data owner be assigned. The data owner is the person accountable for defining all data handling requirements with the business. The data owner determines the level of protection and how the data is stored and accessed. The position of data owner should be senior enough to be accountable. The data owner has a vested interest in making sure the data is accurate and properly secured. The data owner needs to understand the importance and value of the information to the business. He or she also needs to understand the ramifications that inaccurate data or unauthorized access has on the organization. (Johnson, Classifying Your Data, 2015)
Confidentiality is the goal of ensuring that only authorized individuals are able to access information. A user should be granted access only to the specific information necessary to complete his or her job.
​
Integrity ensures that information has not been improperly changed. The data owner must approve any changes to the data or approve the process by which the data changes.
​
Availability ensures information is available to authorized users and devices. The information owner must determine availability requirements. The owner must determine who needs access to the data and when. Is it critical that data be available 24/7 or is 9 to 5 adequate? (Johnson, What is Information Assurance?, 2015)
​
IV. POLICY ENFORCEMENT and EXCEPTION HANDLING
​
Failure to comply with HIC, Inc. Information Classification Policy, standards, guidelines, and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws. (Palmer, Robinson, Patilla, & Moser, 2000)
V. REVIEW and REVISION
HIC, Inc. Asset Identification and Classification Policy, standards, and guidelines shall be reviewed under the supervision of the CISO, at least annually or upon significant changes to the operating or business environment, to assess their adequacy and appropriateness. A formal report comprising the results and any recommendations shall be submitted to the CIO. (Palmer, Robinson, Patilla, & Moser, 2000)
​
Approved: ________________________________________________
Signature
<Typed Name>
Chief Information Officer
References

Bosworth, S., Kabay, M., & Whyne, E. (2014). Examples of Data Classification Schemas. In S. Bosworth, M. Kabay, & E. Whyne, Computer Security Handbook (p. 67.9). Hoboken: John Wiley & Sons, Inc.
Business Classification Schemes. (2015). In R. Johnson, Security Policies and Implementation Issues (pp. 301-302). Burlington: Jones & Bartlett Learning.
Examples of Data Classification Schemas. (2014). In S. Bosworth, M. Kabay, & E. Whyne, Computer Security Handbook (p. 67.9). Hoboken: John Wiley & Sons, Inc.
Information Classification Policy. (2008, July 9). Retrieved from ISO/IEC 27001:2005 A.7.2.1: http://www.iso27001security.com/ISO27k_Model_policy_on_information_classification.pdf
Johnson, R. (2015). Classifying Your Data. In R. Johnson, Security Policies and Implementation Issues (pp. 304-306). Burlington: Jones & Bartlett Learning.
Johnson, R. (2015). Classifying Your Data. In R. Johnson, Security Policies and Implementation Issues (p. 305). Burlington: Jones & Bartlett Learning.
Johnson, R. (2015). What is Information Assurance? In R. Johnson, Security Policies and Implementation Issues (pp. 10-12). Burlington: Jones & Bartlett Learning.
Kostadinov, D. (n.d.). Information and Asset Classification. Retrieved from INFOSEC INSTITUTE: http://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/information-and-asset-classification/#gref
NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). (2010, April). Retrieved from NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
Palmer, M. E., Robinson, C., Patilla, J., & Moser, E. P. (2000). META Security Group Information Security Policy Framework. Charlotte, NC.
The Need for Policy Governing Data at Rest and in Transit. (2015). In R. Johnson, Security Policies and Implementation Issues (p. 306). Burlington: Jones & Bartlett Learning.
