There are currently, 22 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here
Select Interface Language:
ISO 17799 Resources
There are now quite a few BS7799, ISO27001 and ISO 17799 portals on the web offering commercial tools & products. Possibly the most complete is ISO 17799 and ISO 27001 Central.
Call for Papers
We are shortly to launch a content section for papers and articles on ISO 17799 implementation, BS7799, AS4444, ISO 27001, UNE71502, and information security generally. If you have produced a paper and would like us to publish it, please contact us via the feedback form above.
ISO 27001, ISO 27002 & ISO17799 User Group: Forums
17799.Com :: View topic - Info Assets Classification
Posted: Fri Apr 01, 2005 3:45 am Post subject: Info Assets Classification
I'm new to the forum but I wanted to get some information from more experienced ISO17799 users on Informaton Assets Classification. I'm working towards completing my MS degree doing a thesis completely focused on ISO 17799 - Information Assets Classification and Controls. I know it looks simple and narrow, but my goal is to document processes and guidelines for Info Assets classification in a multinational company (Think of lots and lots of information ). What I'm looking for initially is basic information on what steps need to be followed for assets identification and classification (and of course labeling). I only need a framework or blueprint where I can base and expand my own work. Do you know of any web links, books, white papers, etc. I can use for this work?
Joined: Nov 02, 2005 Posts: 9 Location: Isle of Wight
Posted: Fri Nov 18, 2005 5:54 am Post subject:
This clause sounds simple but is one of the most difficult to implement
I will split it into two
The service or help desk should have a list of all physical IT assets and these should be labelled and audited annually
Information assets have to be determiend by talking to the business or examining all servers (and maybe critical PCs) to determine what applications run on them.
If you are lucky the IT Department may hold such a list (I always live in hope - and if they do is it accurate and up to date?)
There are other assets such as services supplied to the orgainsation, staff, gas, electric, phones, water etc
Additionally - reputation is the biggest asset in many organisations
There may be others and this will vary from organisation to organsation - they could include raw materials, stock, work in progess, money, buildings, cars - the list is endless and depends on the organisation
Well - we have probably all seen James Bond and have seen the cover of a 'Top Secret' file - but what does that mean
One of the best sites for reading about a classification system is (for the UK and to understand the confidentiality requirements):
However, each country and perhaps company has its own views on the subject and you should reseach the issue (Any search engine will keep you amused for hours!)
This marking scheme has a drawback that it only really deals with confidentiality and you may be responsible for high value cash payments which may not be confidential but are a lot of money (Million or Trillions).
Given this classification procedure there would be little protection granted so we need to include payment values as well
There are also the needs for protecting for integrity and availability - a high available system (i.e. on line transaction processing system vs shop window advert)
It will all depend on the business that you are in and what you need to protect and from what protection is needed
I am afraid it is up to you or the organisation to decide, but experience dictates that whatever you decide there will be lots of people who disagree
Once agreed - the real fun comes trying to implement the process including labelling and handling!
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum