17799.Com :: View topic - Info Assets Classification
Posted: Fri Apr 01, 2005 3:45 am Post subject: Info Assets Classification
Hi,
I'm new to the forum but I wanted to get some information from more experienced ISO17799 users on Information Assets Classification. I'm working towards completing my MS degree doing a thesis completely focused on ISO 17799 - Information Assets Classification and Controls. I know it looks simple and narrow, but my goal is to document processes and guidelines for Info Assets classification in a multinational company (think of lots and lots of information). What I'm looking for initially is basic information on what steps need to be followed for assets identification and classification (and of course labelling). I only need a framework or blueprint on which I can base and expand my own work. Do you know of any web links, books, white papers, etc. I can use for this work?
Joined: Nov 02, 2005 Posts: 9 Location: Isle of Wight
Posted: Fri Nov 18, 2005 5:54 am Post subject:
Hi
This clause sounds simple but is one of the most difficult to implement.
I will split it into two.
Assets
The service or help desk should have a list of all physical IT assets, and these should be labelled and audited annually.
Information assets have to be determined by talking to the business or examining all servers (and maybe critical PCs) to determine what applications run on them.
If you are lucky the IT Department may hold such a list (I always live in hope - and if they do, is it accurate and up to date?).
There are other assets such as services supplied to the organisation: staff, gas, electric, phones, water etc.
Additionally - reputation is the biggest asset in many organisations.
There may be others and this will vary from organisation to organisation - they could include raw materials, stock, work in progress, money, buildings, cars - the list is endless and depends on the organisation.
Classification
Well - we have probably all seen James Bond and have seen the cover of a 'Top Secret' file - but what does that mean?
One of the best sites for reading about a classification system is (for the UK and to understand the confidentiality requirements):
However, each country and perhaps company has its own views on the subject and you should research the issue (any search engine will keep you amused for hours!).
This marking scheme has a drawback in that it only really deals with confidentiality, and you may be responsible for high value cash payments which may not be confidential but are a lot of money (millions or trillions).
Given this classification procedure there would be little protection granted, so we need to include payment values as well.
There are also the needs for protecting integrity and availability - a highly available system (i.e. an on-line transaction processing system vs a shop window advert).
It will all depend on the business that you are in, what you need to protect and what you need to protect it from.
I am afraid it is up to you or the organisation to decide, but experience dictates that whatever you decide there will be lots of people who disagree.
Once agreed - the real fun comes trying to implement the process, including labelling and handling!
I saw your request in the ISO 17799 forum. I would set a scope: information assets.
Information assets are all the data processed, stored and communicated that have value to the organization; for example, client information is confidential, the strategy plan is secret ...
This document from Gartner can help you start with the process