Information Security (Keamanan Informasi), Session 8

The document discusses information classification and how to determine the appropriate classification level for information assets. It covers the different classification levels from unrestricted to restricted and provides examples. Guidelines are provided around labeling, storing, transmitting and disposing of information based on classification.

Uploaded by SOLIHIN, ST

Information Classification

Session 8

Faculty of Computer Science


Purpose

• Ensure personal information and confidential information are protected from unauthorized use and disclosure;
• Protection of personal information;
• Protect intellectual property;
• Facilitate the identification of information to support routine disclosure and active dissemination of information.
Classifying Information Assets

• Unrestricted (Public)
• Protected
• Confidential
• Restricted (Top Secret)
Unrestricted (Public)

• Information has no potential risk for the organization.
• Available to the public, all employees, contractors, sub-contractors and agents.
• Example: price, book catalog, product, service information.
Protected

• Information that is sensitive outside the organization.
• The information needs to be protected.
• Information has low potential risk for the organization.
• Available for authorized access (to employees, contractors, sub-contractors and agents) on a “need-to-know” basis for business-related purposes.
• Example: policy, meeting notes, etc.
Confidential

• Information that is sensitive within the organization.
• The information needs to be protected.
• Information has high potential risk for the organization.
• Available only to a specific function, group or role.
• Example: payroll, performance reviews, setting standard, personnel data, etc.
Restricted (Top Secret)

• Information that is highly sensitive within the organization.
• The information needs to be protected.
• Information has high potential risk for the organization and could create damage.
• Available only to specific, named individuals (or specific positions).
• Example: business plan, new business model, secret message, investigation documents, etc.
Approach

• The organization will determine the extent to which security classification needs to be applied to information assets.
• The security classification of information assets should meet both business and operational needs. It should be based on a threat and risk assessment and a business impact analysis.
Determine Criteria

Four criteria are the basis for deciding the security and access requirements for information assets. These criteria are:
• Integrity
• Availability
• Confidentiality
• Value
Criteria

• Integrity: information is current, complete, and only authorized and accurate changes are made to information;
• Availability: authorized users have access to and can use the information when required;
• Confidentiality: information is only accessed by authorized individuals, entities or processes;
• Value: information is protected properly, as needed.
Threat & Risk Assessment

• These criteria can be applied in a threat and risk assessment.
• The purpose of the assessment is to identify the probability or likelihood of the threat and what the impact would be if there was a loss to the integrity, availability, confidentiality or value of information assets.
Information Classification Guidelines

Columns: Classification / Example of Information Asset / Risk & Impact

Unrestricted
  • Example of information asset: job vacancy; research paper; public health information, etc.
  • Risk & impact: little or no risk/impact; minimal inconvenience if not available; if lost, would not result in injury.
Protected
  • Example of information asset: policy; business information; service application, etc.
  • Risk & impact: low degree of risk/impact; unfair competitive advantage; disruption to business if not available.
Confidential
  • Example of information asset: personal files; industrial trade secrets; NDA, etc.
  • Risk & impact: loss of reputation & competitive advantage; financial loss; high degree of risk.
Restricted
  • Example of information asset: business plan; new business model; investigation documents.
  • Risk & impact: extreme or serious injury; significant financial loss; significant damage.
Information Classification Practice

Implementing information security classification will mean that ministries should consider practices related to:
• labeling information assets;
• storing information;
• transmitting information;
• disposing of unneeded information;
• protecting the integrity of information;
• allowing appropriate access and disclosure; and
• establishing accountability.
Labelling Information Assets

Implement standard security labels for information assets. The actual labeling procedure will vary depending on the medium in which the information is stored.

Type: Hard copy documents
  • Procedure: rubber ink-stamps for each level may be needed to mark hardcopy documents received from outside the organization.
Type: Electronic mail
  • Procedure: identify the security classification in the subject line of the e-mail if classified as Confidential or Restricted.
Type: Electronic documents
  • Procedure: identify the security classification in the document metadata, including where the electronic document is to be printed or viewed in .pdf format.
Type: Electronic databases and business applications
  • Procedure: identify the classification in system/application metadata. Labels may be required for online screen displays and reports generated by IT systems.
Storing Information

Depending on the security classification, information assets will need different types of storage procedures to ensure that the confidentiality, integrity, accessibility, and value of the information are protected.

Unrestricted
  • Print/hard media: no special storage requirements.
  • Electronic files: no special storage requirements; regular back-ups to ensure availability and integrity.
Protected
  • Print/hard media: secure location (e.g., locked office; locked file room).
  • Electronic files: all media under physical and/or logical access control of the protected zone (e.g., group authorized access).
Confidential
  • Print/hard media: secure location with restricted access; clean desk policy.
  • Electronic files: all media under physical and/or logical access control of the confidential zone (e.g., authorized access and authenticated access).
Restricted
  • Print/hard media: stored in a highly secure zone, with access tracking; clean desk policy; audit trail for all access points (e.g., signatures).
  • Electronic files: all media under physical and/or logical access control of the restricted zone (e.g., single or double authentication, encrypted data, audit and monitoring).

Various classes of information located in one common medium/location should have the highest classification of all information located in the medium. This is important to ensure that highly classified information is not put at risk. Physical security of any media should include fire/flood/theft protection.
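The three rules above (classification driven by a threat/risk assessment over the four criteria, the storage table, and "a shared medium takes its highest classification") can be expressed as a small policy-as-code check. The following is an added example, not part of the lecture slides; the 0..3 impact scale, the likelihood weighting, the risk thresholds and the control names are assumptions made for the example.

```python
"""Added example, not from the lecture slides: the four classification levels,
a threat/risk assessment that picks a level, the "highest classification
wins" rule for shared media, and a storage check against the storage table.
The 0..3 impact scale, the likelihood weighting and the control names are
assumptions made for this example."""
from enum import IntEnum


class Level(IntEnum):
    """Classification levels from the slides, least to most sensitive."""
    UNRESTRICTED = 0
    PROTECTED = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# The four criteria; the impact of losing each is rated 0 (none) .. 3 (severe).
CRITERIA = ("integrity", "availability", "confidentiality", "value")


def classify_from_assessment(likelihood: int, impact: dict) -> Level:
    """Derive a level from a threat/risk assessment (assumed scoring).

    likelihood: 1 (rare) .. 3 (likely); impact: criterion -> 0..3.
    Risk is the worst single impact weighted by likelihood; thresholds are assumed.
    """
    if likelihood not in (1, 2, 3):
        raise ValueError("likelihood must be 1, 2 or 3")
    worst = max(impact.get(c, 0) for c in CRITERIA)
    if not 0 <= worst <= 3:
        raise ValueError("impact ratings must be 0..3")
    risk = likelihood * worst  # 0..9
    if risk == 0:
        return Level.UNRESTRICTED
    if risk <= 2:
        return Level.PROTECTED
    if risk <= 5:
        return Level.CONFIDENTIAL
    return Level.RESTRICTED


def effective_level(levels) -> Level:
    """Slide rule: a medium holding several classes of information takes the
    highest classification present (an empty medium is Unrestricted)."""
    return max(levels, default=Level.UNRESTRICTED)


# Storage table from the slides, encoded as the controls each level requires.
STORAGE_CONTROLS = {
    "print": {
        Level.UNRESTRICTED: set(),
        Level.PROTECTED: {"secure_location"},
        Level.CONFIDENTIAL: {"secure_location", "restricted_access", "clean_desk"},
        Level.RESTRICTED: {"highly_secure_zone", "access_tracking", "clean_desk", "audit_trail"},
    },
    "electronic": {
        Level.UNRESTRICTED: {"regular_backups"},
        Level.PROTECTED: {"zone_access_control"},
        Level.CONFIDENTIAL: {"zone_access_control", "authentication"},
        Level.RESTRICTED: {"zone_access_control", "authentication", "encryption_at_rest", "audit_monitoring"},
    },
}
# "Physical security of any media should include fire/flood/theft protection."
PHYSICAL_BASELINE = {"fire_flood_theft_protection"}


def check_storage(medium: str, contents, controls) -> dict:
    """Check one storage location holding `contents` (a list of Levels) against
    the controls it actually has. Returns the effective level and what is missing."""
    if medium not in STORAGE_CONTROLS:
        raise ValueError(f"unknown medium: {medium}")
    level = effective_level(contents)
    required = set(STORAGE_CONTROLS[medium][level])
    if medium == "print":
        required |= PHYSICAL_BASELINE
    missing = sorted(required - set(controls))
    return {"level": level, "missing": missing, "compliant": not missing}


if __name__ == "__main__":
    # Constructed scenario: a locked file room meant for Protected policies
    # into which one Confidential personnel file has been placed.
    room = check_storage(
        "print",
        [Level.PROTECTED, Level.PROTECTED, Level.CONFIDENTIAL],
        {"secure_location", "fire_flood_theft_protection"},
    )
    print(f"effective level: {room['level'].name}, missing: {room['missing']}")
    print(classify_from_assessment(2, {"confidentiality": 3}).name)
```

The constructed scenario shows why the high-water-mark rule matters: a single Confidential file raises the whole file room to Confidential, and the room is then non-compliant until restricted access and a clean desk policy are in place.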
Transmitting Information

When transmitting information that is Protected, Confidential or Restricted, special procedures will be needed.

Unrestricted
  • Print/hard media: no special procedures.
  • Electronic files: no special procedures.
Protected
  • Print/hard media: sealed envelope; first class mail.
  • Electronic files: if the electronic message contains personal information, the personal information must be transmitted in such a way as to prevent interception, modification, or unauthorized receipt en route or at the destination (e.g., password-protected file; encryption; personal information sent in a separate e-mail).
Confidential
  • Print/hard media: sealed envelope; stamped “Confidential”; receipt confirmation required.
  • Electronic files: message sent in such a way as to prevent interception, modification, or unauthorized receipt en route or at the destination; recipient confirmation required; audit of access points (suggested).
Restricted
  • Print/hard media: tamper-evident packaging (e.g., double-sealed envelope with the inside envelope signed to reveal evidence of tampering); transmitted under a continuous chain of custody with receipts covering each individual who obtains custody.
  • Electronic files: message sent in such a way as to prevent interception, modification or unauthorized receipt en route or at the destination (e.g., encryption used to send/authenticate the message); complete audit trail of each access point.
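The e-mail labelling rule from the Labelling section and the transmission table above are the kind of checks a mail gateway or document-handling workflow can enforce automatically. The following is an added example, not code from the lecture slides; the "[LEVEL]" subject prefix format and the control names are assumptions, and "encryption" stands in for the slides' "sent in such a way as to prevent interception, modification or unauthorized receipt".

```python
"""Added example, not from the lecture slides: (1) the e-mail subject-line
labelling rule and (2) the transmission table for print and electronic media.
The "[LEVEL]" subject prefix format and the control names are assumptions."""
import re
from enum import IntEnum


class Level(IntEnum):
    UNRESTRICTED = 0
    PROTECTED = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed label format: the subject starts with e.g. "[CONFIDENTIAL]".
LABEL_RE = re.compile(r"^\[(UNRESTRICTED|PROTECTED|CONFIDENTIAL|RESTRICTED)\]", re.IGNORECASE)


def subject_label(subject: str):
    """Return the Level named in the subject prefix, or None if unlabelled."""
    m = LABEL_RE.match(subject.strip())
    return Level[m.group(1).upper()] if m else None


def check_email_label(subject: str, level: Level) -> list:
    """Slide rule: the subject line must identify the classification when the
    message is Confidential or Restricted. Lower levels need no label."""
    if level >= Level.CONFIDENTIAL and subject_label(subject) != level:
        return [f"subject must be labelled [{level.name}]"]
    return []


# Transmission table from the slides: controls required per level and medium.
PRINT_CONTROLS = {
    Level.UNRESTRICTED: set(),
    Level.PROTECTED: {"sealed_envelope", "first_class_mail"},
    Level.CONFIDENTIAL: {"sealed_envelope", "confidential_stamp", "receipt_confirmation"},
    Level.RESTRICTED: {"tamper_evident_packaging", "chain_of_custody"},
}
ELECTRONIC_CONTROLS = {
    Level.UNRESTRICTED: set(),
    Level.PROTECTED: set(),  # see the personal-information rule below
    Level.CONFIDENTIAL: {"encryption", "recipient_confirmation"},
    Level.RESTRICTED: {"encryption", "access_audit_trail"},
}
# Protected electronic messages carrying personal information need at least one of these.
PERSONAL_INFO_OPTIONS = {"encryption", "password_protected_file", "separate_email"}
# The slides list "audit of access points" as suggested (not required) for Confidential.
ELECTRONIC_SUGGESTED = {Level.CONFIDENTIAL: {"access_audit_trail"}}


def check_transmission(level: Level, medium: str, controls,
                       contains_personal_info: bool = False) -> dict:
    """Compare the controls applied to one transmission with the table.
    Returns required-control violations and non-binding suggestions."""
    controls = set(controls)
    if medium == "print":
        required, suggested = PRINT_CONTROLS[level], set()
    elif medium == "electronic":
        required = set(ELECTRONIC_CONTROLS[level])
        suggested = ELECTRONIC_SUGGESTED.get(level, set())
    else:
        raise ValueError(f"unknown medium: {medium}")
    violations = [f"missing control: {c}" for c in sorted(required - controls)]
    if (medium == "electronic" and level == Level.PROTECTED
            and contains_personal_info and not (controls & PERSONAL_INFO_OPTIONS)):
        violations.append("personal information requires one of: "
                          + ", ".join(sorted(PERSONAL_INFO_OPTIONS)))
    return {"violations": violations, "suggestions": sorted(suggested - controls)}


if __name__ == "__main__":
    # Constructed messages, not real traffic.
    print(check_email_label("Payroll Q3 figures", Level.CONFIDENTIAL))
    print(check_email_label("[RESTRICTED] Investigation 12", Level.RESTRICTED))
    print(check_transmission(Level.PROTECTED, "electronic", set(), contains_personal_info=True))
    print(check_transmission(Level.RESTRICTED, "print", {"tamper_evident_packaging"}))
```

Keeping required controls and suggested controls apart mirrors the table: a Confidential message without audit of access points is still permitted, whereas a Restricted one without a complete audit trail is a violation.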
Protecting the Integrity of Information

• Integrity refers to the fact that information is current, complete, and only authorized changes are made to it.
• The integrity of information processed by and stored in information systems can be addressed by assigning the appropriate rights (e.g., read only, modify).
• If the threat to the integrity of information is significant, electronic files should be saved as read-only files, with changes to be made only by the author.
• In some cases, stronger controls such as encryption may be required.
Allowing Appropriate Access and Disclosure

Certain types of information will require controlled access and logs to track access and disclosure activities.

Unrestricted
  • Access restriction: open to the public and all employees, contractors, sub-contractors and agents.
  • Audit/activity files: none.
Protected
  • Access restriction: authorized access (employees, contractors, sub-contractors and agents) on a “need-to-know” basis for business-related purposes.
  • Audit/activity files: periodic audits to show protection is, in fact, occurring.
Confidential
  • Access restriction: limited to individuals in a specific function, group or role.
  • Audit/activity files: pre-clearance based on position or contractor, sub-contractor or agent relationship; log of access/actions; periodic audits of adequate protection.
Restricted
  • Access restriction: limited to named individuals (positions).
  • Audit/activity files: all access or actions will be logged and subject to non-repudiation processes as appropriate.
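The access-restriction column above is an access decision, and the audit column asks for a log of access/actions from Confidential upward. The following added example (not from the lecture slides) implements both: a per-level decision function and an append-only, hash-chained access log that makes later editing or deletion of an entry detectable. The Principal and Asset fields are assumptions for the example; the hash chain provides tamper evidence, and a deployment wanting non-repudiation would add per-entry signatures on top of it.

```python
"""Added example, not from the lecture slides: an access decision following the
access/disclosure table and a hash-chained, append-only access log. The
Principal/Asset fields are assumptions for this example."""
import hashlib
import json
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class Level(IntEnum):
    UNRESTRICTED = 0
    PROTECTED = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


INSIDERS = {"employee", "contractor", "sub-contractor", "agent"}


@dataclass(frozen=True)
class Principal:
    name: str
    affiliation: str                  # one of INSIDERS, or "public"
    roles: frozenset = frozenset()    # function/group/role membership
    cleared: bool = False             # pre-clearance on record (Confidential row)


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    need_to_know: frozenset = frozenset()       # Protected: who has a business need
    allowed_roles: frozenset = frozenset()      # Confidential: permitted function/group/role
    named_individuals: frozenset = frozenset()  # Restricted: named individuals/positions


def decide(p: Principal, a: Asset) -> Tuple[bool, str]:
    """Access decision per level; returns (allowed, reason)."""
    if a.level == Level.UNRESTRICTED:
        return True, "open to the public"
    if p.affiliation not in INSIDERS:
        return False, "not an employee, contractor, sub-contractor or agent"
    if a.level == Level.PROTECTED:
        ok = p.name in a.need_to_know
        return ok, "need-to-know" if ok else "no business need-to-know"
    if a.level == Level.CONFIDENTIAL:
        if not p.cleared:
            return False, "no pre-clearance"
        ok = bool(p.roles & a.allowed_roles)
        return ok, "role match" if ok else "not in permitted function/group/role"
    ok = p.name in a.named_individuals
    return ok, "named individual" if ok else "not a named individual"


class AccessLog:
    """Append-only log; each entry hashes its content plus the previous hash,
    so editing or deleting an entry makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, p: Principal, a: Asset, action: str, allowed: bool, reason: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "who": p.name, "asset": a.name,
                "level": a.level.name, "action": action, "allowed": allowed,
                "reason": reason, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def request_access(log: AccessLog, p: Principal, a: Asset, action: str = "read") -> bool:
    """Decide, and log every attempt (granted or denied) from Confidential upward,
    as the table asks; Protected relies on periodic audits instead."""
    allowed, reason = decide(p, a)
    if a.level >= Level.CONFIDENTIAL:
        log.record(p, a, action, allowed, reason)
    return allowed


if __name__ == "__main__":
    # Constructed principals and assets.
    log = AccessLog()
    alice = Principal("alice", "employee", frozenset({"hr"}), cleared=True)
    bob = Principal("bob", "contractor")
    payroll = Asset("payroll", Level.CONFIDENTIAL, allowed_roles=frozenset({"hr"}))
    plan = Asset("business-plan", Level.RESTRICTED, named_individuals=frozenset({"ceo"}))
    for who, what in ((alice, payroll), (bob, payroll), (alice, plan)):
        print(who.name, what.name, request_access(log, who, what))
    print("log intact:", log.verify())
```

Denied attempts are logged as well as granted ones, because the periodic audits in the table are only useful if the log shows who tried to reach Confidential and Restricted material, not just who succeeded.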
Establishing Accountability

A clear accountability regime for all personnel will be important to ensure the protection of government information assets. Here is an example:
• Chief Executive Officer
  • Reviewing, understanding and applying the information security classification standard to electronic information and information technology assets.
• Chief Information Officer
  • Responsible for establishing corporate security policy and standards for electronic information and information technology assets.
• etc.
Implementing Information Classification

1. Define approach
2. Create inventory of information assets
3. Perform threat/risk assessment
4. Classify information as needed
5. Label information assets
6. Implement security practice in IT, human & process (PPT)
7. Train all users of sensitive information assets
8. Monitor compliance, report security violations & breaches

Any Questions?
