Which of the following is the most important objective of classifying information assets?
Guidelines for Data Classification
View the Data Classification Workflow to determine how to classify data. You can also visit an accessible version of the Data Classification Workflow.

Purpose

The purpose of this Guideline is to establish a framework for classifying institutional data based on its level of sensitivity, value and criticality to the University as required by the University's Information Security Policy. Classification of data will aid in determining baseline security controls for the protection of data.

Applies To

This Policy applies to all faculty, staff and third-party Agents of the University as well as any other University affiliate who is authorized to access Institutional Data. In particular, this Guideline applies to those who are responsible for classifying and protecting Institutional Data, as defined by the Information Security Roles and Responsibilities.

Definitions

Confidential Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with sensitive data.

A Data Steward is a senior-level employee of the University who oversees the lifecycle of one or more sets of Institutional Data. See the Information Security Roles and Responsibilities for more information.

Institutional Data is defined as all data owned or licensed by the University.

Non-public Information is defined as any information that is classified as Private or Restricted Information according to the data classification scheme defined in this Guideline.

Sensitive Data is a generalized term that typically represents data classified as Restricted, according to the data classification scheme defined in this Guideline. This term is often used interchangeably with confidential data.
Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:
Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the University who oversee the lifecycle of one or more sets of Institutional Data. See Information Security Roles and Responsibilities for more information on the Data Steward role and associated responsibilities. Visit the Data Classification Workflow for a process on how to classify data.

Data Collections

Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function. When classifying a collection of data, the most restrictive classification of any of the individual data elements should be used. For example, if a data collection consists of a student's name, address and social security number, the data collection should be classified as Restricted even though the student's name and address may be considered Public information.

Reclassification

On a periodic basis, it is important to reevaluate the classification of Institutional Data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the University. This evaluation should be conducted by the appropriate Data Steward. Conducting an evaluation on an annual basis is encouraged; however, the Data Steward should determine what frequency is most appropriate based on available resources. If a Data Steward determines that the classification of a certain data set has changed, an analysis of security controls should be performed to determine whether existing controls are consistent with the new classification. If gaps are found in existing security controls, they should be corrected in a timely manner, commensurate with the level of risk presented by the gaps.
Calculating Classification

The goal of information security, as stated in the University's Information Security Policy, is to protect the confidentiality, integrity and availability of Institutional Data. Data classification reflects the level of impact to the University if confidentiality, integrity or availability is compromised.

Unfortunately there is no perfect quantitative system for calculating the classification of a particular data element. In some situations, the appropriate classification may be more obvious, such as when federal laws require the University to protect certain types of data (e.g. personally identifiable information). If the appropriate classification is not inherently obvious, consider each security objective using the following table as a guide. It is an excerpt from Federal Information Processing Standards (FIPS) publication 199 published by the National Institute of Standards and Technology, which discusses the categorization of information and information systems.
As the total potential impact to the University increases from Low to High, the classification of data should become more restrictive moving from Public to Restricted. If an appropriate classification is still unclear after considering these points, contact the Information Security Office for assistance.

Appendix A - Predefined Types of Restricted Information

The Information Security Office and the Office of General Counsel have defined several types of Restricted data based on state and federal regulatory requirements. This list does not encompass all types of restricted data. Predefined types of restricted information are defined as follows:
Revision History
What is the most important benefit of classifying information assets?

Data classification is a useful way to rank an organization's informational assets. A well-planned data classification system makes it easy to store and access data. It also makes it easier for users of data to understand its importance.
Which of the following are the classifications of information assets?

Information assets are classified according to confidentiality, integrity, and availability. Each of these three principles of security is individually rated as low, moderate, or high.
What is the primary objective of assigning classifications to information assets?

The classification of an Information Asset is to identify Security Controls required to protect that asset.
What is the purpose of an information data asset classification?

Information assets, including printed materials, email attachments, or other data, should be classified appropriately to ensure they are handled securely. Organizations may not have the appropriate security controls in place for sensitive assets if classification levels are not defined.