ISSeG Training and Dissemination web site
Integrated Site Security for Grids
A project co-funded by the EU FP6 programme
Recommendation

Establish information classification guidelines

ID: R7

What: Information should be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.
Why: Proper classification allows information to be handled in a manner consistent with its security requirements:
  • Under-classification increases the security risk due to insufficient protection
  • Over-classification contributes to increasing the handling costs
How:

    Information classification should be performed by the asset owner, and should be periodically re-evaluated to avoid over-classification.

    Classification guidelines should include conventions for initial classification. As an example, the following conventions might be used:

    • Unclassified – Information with no specific requirements, which may be made generally available without specific approval from the owner.
    • Operational – Information whose loss, corruption or unauthorized disclosure would not necessarily impact the organization but is made available to approved users only.
    • Private – Information which involves issues of personal credibility, reputation, or other issues of personal privacy.
    • Restricted – Information whose loss, corruption or unauthorized disclosure would be detrimental to the organization or its reputation, or result in financial or legal loss.
    • Confidential – Information whose loss, corruption or unauthorized disclosure would be a violation of applicable laws, regulations, or contracts.

    For guidelines on protecting confidential or sensitive information, including use of cryptographic techniques, see R11 and R39.

    For further information on classification policies, refer to the Information Sensitivity Policy document, available from the SANS Institute:
    http://www.sans.org/resources/policies/

    For information on mapping types of information to security categories, consult NIST publication SP 800-60 (V2):
    http://csrc.nist.gov/publications/PubsSPs.html
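As an added illustration of the under- and over-classification checks described above (example code written for this page, not part of ISSeG or of the recommendation itself), the following Python script encodes the five levels of the convention as an ordered type and audits a small, constructed asset inventory against them. The asset properties, the rules that map properties to a minimum level, the one-year review period and the sample assets are all assumptions made for the example.

```python
# Added example (not ISSeG project code): checks an asset inventory against the
# five-level convention above. The level names come from the recommendation;
# the asset properties, the property-to-level rules and the sample inventory
# are assumptions made for this illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """Classification levels, ordered from least to most sensitive."""
    UNCLASSIFIED = 0
    OPERATIONAL = 1
    PRIVATE = 2
    RESTRICTED = 3
    CONFIDENTIAL = 4


@dataclass
class Asset:
    name: str
    owner: str                 # classification is the asset owner's job
    assigned: Level            # level the owner currently applies
    last_reviewed: date        # when the owner last re-evaluated it
    # Properties recorded at classification time (assumed schema).
    legally_protected: bool = False    # laws, regulations or contracts apply
    harms_org_if_lost: bool = False    # financial, legal or reputational loss
    personal_privacy: bool = False     # personal credibility or privacy issues
    approved_users_only: bool = False  # not for general release


def minimum_level(asset: Asset) -> Level:
    """Lowest level that still meets the asset's recorded properties.

    Rules are tested strictest first, so one matching property decides.
    """
    if asset.legally_protected:
        return Level.CONFIDENTIAL
    if asset.harms_org_if_lost:
        return Level.RESTRICTED
    if asset.personal_privacy:
        return Level.PRIVATE
    if asset.approved_users_only:
        return Level.OPERATIONAL
    return Level.UNCLASSIFIED


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str    # "under-classified", "over-classified" or "review-overdue"
    detail: str


def audit(assets: List[Asset], today: date,
          review_period: timedelta = timedelta(days=365)) -> List[Finding]:
    """Report under-classification (security risk), over-classification
    (handling cost) and classifications not re-evaluated within the period."""
    findings: List[Finding] = []
    for a in assets:
        need = minimum_level(a)
        if a.assigned < need:
            findings.append(Finding(a.name, "under-classified",
                                    f"assigned {a.assigned.name}, needs {need.name}"))
        elif a.assigned > need:
            findings.append(Finding(a.name, "over-classified",
                                    f"assigned {a.assigned.name}, {need.name} would suffice"))
        if today - a.last_reviewed > review_period:
            findings.append(Finding(a.name, "review-overdue",
                                    f"last reviewed {a.last_reviewed.isoformat()}"))
    return findings


# Constructed sample inventory; names, owners and dates are invented.
SAMPLE_INVENTORY = [
    Asset("public-web-pages", "webmaster", Level.UNCLASSIFIED, date(2008, 3, 1)),
    Asset("batch-queue-config", "sysadmin", Level.OPERATIONAL, date(2006, 1, 15),
          approved_users_only=True),
    Asset("user-home-dirs", "sysadmin", Level.OPERATIONAL, date(2008, 2, 20),
          personal_privacy=True),
    Asset("grant-contract-data", "finance", Level.CONFIDENTIAL, date(2008, 1, 10),
          legally_protected=True, harms_org_if_lost=True),
    Asset("meeting-minutes", "secretariat", Level.RESTRICTED, date(2008, 5, 1),
          approved_users_only=True),
]


def sample_findings(today: date = date(2008, 6, 1)) -> List[Finding]:
    """Audit the constructed inventory as of an assumed audit date."""
    return audit(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.asset}: {f.kind} ({f.detail})")
```

Run against the sample inventory, the audit lists three findings: one asset held below the level its properties require (insufficient protection), one held above it (unnecessary handling cost), and one whose classification has not been re-evaluated within the assumed period. The strictest-rule-first ordering in minimum_level is what keeps a single legal obligation from being outweighed by otherwise harmless properties; a site adopting this approach would replace the boolean properties with the criteria from its own guidelines.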
Relevant recommendations: R8, R12, R18

Relevant threats: T5, T29, T30, T31

Relevant ISS audit questions: Q34, Q35

Keywords: Authorization, Policy, Risk, Security

Recommendation category: Technical [X]  Administrative [ ]  Educational [X]
Copyright (c) Members of the ISSeG Collaboration, 2008