Information is a business asset and is of value to an organization. Information can exist in various forms, such as printed on paper, spoken in conversations, stored on electronic media, transmitted through e-mails and messages, and so on. Hence, irrespective of where the asset is located, its protection is vital, and the level of protection is based on the asset's classification. Classification, in turn, is based on the asset's confidentiality, integrity, and availability requirements.
Asset classification is based on asset value. Various parameters are used in the industry to derive asset value. In general, asset value is based on the impact on the organization in the event of disclosure, alteration, or destruction. Impacts could be loss of business, loss of corporate image, customer dissatisfaction, and so on. Hence, the parameters used to derive asset value may include monetary value, intellectual property value, competitive advantage, privacy requirements, legal and regulatory requirements, and so on. Security controls for asset protection are based on the asset's value and sensitivity. Hence, the asset type and its value determine the level of security assurance required, and the information assurance requirements establish the required confidentiality, integrity, and availability (CIA) values.
In a nutshell, asset classification is used to identify the type of information based on its value, sensitivity, and the degree of assurance required. Classification helps to devise suitable security controls.
The following parameters are applicable to information assets:
Governmental agencies classify information based on confidentiality requirements and on the damage that might be incurred if the information is disclosed or compromised. This classification scheme enforces the need-to-know principle for access.
The need-to-know principle establishes that a user must demonstrate a specific need to know, or to access, information that is classified as sensitive. In other words, even if the user already holds the clearance required to access the information, each time such sensitive information is accessed the user should establish the need to access it.
For example, entering a data center may require an access card and also writing down the date, time, and reason for access in the log book. Another example: Joe has a secret clearance and works in IT. Joe has access to most secret material but is restricted from accessing details of his company's latest aerospace project, because his duties do not include aerospace engineering; therefore, he does not need to know.
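The two ideas above (classification derived from CIA impact, and access requiring both clearance and need-to-know) can be made concrete in code. The following is an added example, not part of the original text or any standard it refers to. The level names, the high-water-mark rule (an asset takes the highest of its three CIA impact ratings), the compartment labels, and the sample subjects and assets are all assumptions constructed for this illustration; the Joe scenario follows the text above.

```python
"""Added example: asset classification plus a need-to-know access check.

Assumptions (not from the page): the four level names, the high-water-mark
classification rule, and the compartment labels used below.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Impact / classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: Level          # impact if the asset is disclosed
    integrity: Level                # impact if the asset is altered
    availability: Level             # impact if the asset is destroyed or unavailable
    compartments: frozenset = frozenset()   # need-to-know groups that may use it


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level                # highest level the subject is cleared for
    need_to_know: frozenset = frozenset()   # compartments the subject works in


def classify(asset: Asset) -> Level:
    """High-water-mark rule (assumed): the asset takes its highest CIA impact."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def access_decision(subject: Subject, asset: Asset, reason: str) -> tuple:
    """Return (granted, audit_record).

    Access requires BOTH a clearance that dominates the asset's classification
    AND membership in every compartment the asset is tagged with. A blank
    reason is refused, mirroring the log-book rule (date, time, reason) in the
    text; the returned record is what such a log entry would hold.
    """
    level = classify(asset)
    if not reason.strip():
        verdict, why = False, "no reason stated for access"
    elif subject.clearance < level:
        verdict, why = False, f"clearance {subject.clearance.name} below {level.name}"
    else:
        missing = asset.compartments - subject.need_to_know
        if missing:
            verdict, why = False, f"no need-to-know for {sorted(missing)}"
        else:
            verdict, why = True, "clearance and need-to-know satisfied"
    record = {"subject": subject.name, "asset": asset.name, "level": level.name,
              "reason": reason, "granted": verdict, "why": why}
    return verdict, record


# Constructed sample data (not from the page): Joe from the scenario above.
JOE = Subject("joe", Level.SECRET, frozenset({"it-operations"}))
AEROSPACE_PLAN = Asset("aerospace-project-plan", Level.SECRET, Level.CONFIDENTIAL,
                       Level.INTERNAL, frozenset({"aerospace"}))
IT_RUNBOOK = Asset("it-incident-runbook", Level.CONFIDENTIAL, Level.SECRET,
                   Level.SECRET, frozenset({"it-operations"}))


if __name__ == "__main__":
    for asset in (AEROSPACE_PLAN, IT_RUNBOOK):
        granted, rec = access_decision(JOE, asset, "quarterly review")
        print(f"{asset.name}: {'GRANTED' if granted else 'DENIED'} ({rec['why']})")
```

Running the script shows Joe denied on the aerospace plan (his SECRET clearance dominates the level, but he lacks the "aerospace" compartment) and granted on the IT runbook, which is classified SECRET only because its integrity and availability impacts are high even though its confidentiality impact is lower.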
Information classification in the United States government is based on the effect that compromise of the asset would have on national security. There are also specific classifications, such as Core Secrets, for information assets within the National Security Agency (NSA). They are:
Private- and public-sector corporate entities classify information under four categories. These classifications are generic and vary between corporations and across countries. Some of the top classification types are as follows: