== Classification ==

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for it.<ref>{{Citation|title=Overview|date=2001-12-20 |work=Information Security Policies, Procedures, and Standards|publisher=Auerbach Publications|doi=10.1201/9780849390326 |url=https://www.taylorfrancis.com/chapters/edit/10.1201/9780849390326-5/overview-information-protection-fundamentals |isbn=978-0-8493-1137-6 |last1=Peltier |first1=Thomas R. }}</ref> Not all information is equal, so not all information requires the same degree of protection.<ref>{{Citation|title=Electrical protection relays. Information and requirements for all protection relays|url=http://dx.doi.org/10.3403/bs142-1|publisher=BSI British Standards|doi=10.3403/bs142-1|access-date=2021-05-29}}</ref> This requires information to be assigned a [[Classified information|security classification]].<ref>{{Cite journal|title=Supplemental Information 4: List of all combined families in alphabetical order assigned in MEGAN vers. 5.11.3.|journal=PeerJ|date=6 February 2019|volume=7|pages=e6379|doi=10.7717/peerj.6379/supp-4|last1=Dibattista|first1=Joseph D.|last2=Reimer|first2=James D.|last3=Stat|first3=Michael|last4=Masucci|first4=Giovanni D.|last5=Biondi|first5=Piera|last6=Brauwer|first6=Maarten De|last7=Bunce|first7=Michael |doi-access=free }}</ref> The first step in information classification is to identify a member of senior management as the owner of the particular information to be classified.

Next, develop a classification policy.<ref>{{Cite journal|last=Kim|first=Sung-Won|date=2006-03-31|title=A Quantitative Analysis of Classification Classes and Classified Information Resources of Directory|journal=Journal of Information Management<!--This is not the predatory journal of the same name-->|volume=37|issue=1|pages=83–103|doi=10.1633/jim.2006.37.1.083|issn=0254-3621|doi-access=free}}</ref> The policy should describe the different classification labels, define the criteria for assigning information to a particular label, and list the required [[security controls]] for each classification.<ref name="BayukEnterprise09">{{cite book |chapter-url=https://books.google.com/books?id=XxPhvm1EP3EC&pg=PA59 |chapter=Chapter 4: Information Classification |title=Enterprise Information Security and Privacy |author=Bayuk, J. |editor1=Axelrod, C.W.|editor2=Bayuk, J.L.|editor3=Schutzer, D. |publisher=Artech House |year=2009 |pages=59–70 |isbn=9781596931916}}</ref> Factors that influence which classification information should be assigned include how much value the information has to the organization, how old it is, and whether or not it has become obsolete.<ref>{{Citation|title=Welcome to the Information Age|date=2015-09-11|url=http://dx.doi.org/10.1002/9781119200642.ch5|work=Overload!|pages=43–65|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119200642.ch5|isbn=978-1-119-20064-2|access-date=2021-05-29}}</ref> Laws and other regulatory requirements are also important considerations when classifying information.<ref>{{Cite book|last=Crooks|first=S.|date=2006|chapter=102. Case Study: When Exposure Control Efforts Override Other Important Design Considerations |title=AIHce 2006|pages=V102 |publisher=AIHA|doi=10.3320/1.2759009|doi-broken-date=November 1, 2024 }}</ref> The ''Business Model for Information Security'' of the [[ISACA|Information Systems Audit and Control Association]] (ISACA) also serves as a tool for security professionals to examine security from a systems perspective, creating an environment where security can be managed holistically and actual risks can be addressed.<ref name="ISACA-BMIS">{{cite web |url=https://www.isaca.org/KNOWLEDGE-CENTER/BMIS/Pages/Business-Model-for-Information-Security.aspx |title=Business Model for Information Security (BMIS) |publisher=ISACA |access-date=25 January 2018 |archive-date=26 January 2018 |archive-url=https://web.archive.org/web/20180126072505/https://www.isaca.org/KNOWLEDGE-CENTER/BMIS/Pages/Business-Model-for-Information-Security.aspx |url-status=dead }}</ref>

The type of information security classification labels selected and used will depend on the nature of the organization, with examples being:<ref name="BayukEnterprise09" />
* In the business sector, labels such as: Public, Sensitive, Private, Confidential.
* In the government sector, labels such as: Unclassified, Unofficial, Protected, Confidential, Secret, Top Secret, and their non-English equivalents.<ref>{{Cite journal|last=McAuliffe|first=Leo|date=January 1987|title=Top secret/trade secret: Accessing and safeguarding restricted information|url=http://dx.doi.org/10.1016/0740-624x(87)90068-2|journal=Government Information Quarterly|volume=4|issue=1|pages=123–124|doi=10.1016/0740-624x(87)90068-2|issn=0740-624X}}</ref>
* In cross-sectoral formations, the [[Traffic Light Protocol]], which consists of: White, Green, Amber, and Red.
* In the personal sector, one label such as Financial. This includes activities related to managing money, such as online banking.<ref>{{Cite journal |last1=Iqbal |first1=Javaid |last2=Soroya |first2=Saira Hanif |last3=Mahmood |first3=Khalid |date=2023-01-05 |title=Financial information security behavior in online banking |url=http://journals.sagepub.com/doi/10.1177/02666669221149346 |journal=Information Development |volume=40 |issue=4 |language=en |pages=550–565 |doi=10.1177/02666669221149346 |s2cid=255742685 |issn=0266-6669}}</ref>

All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.<ref>{{Cite journal|last1=Khairuddin|first1=Ismail Mohd|last2=Sidek|first2=Shahrul Naim|last3=Abdul Majeed|first3=Anwar P.P.|last4=Razman|first4=Mohd Azraai Mohd|last5=Puzi|first5=Asmarani Ahmad|last6=Yusof|first6=Hazlina Md|date=25 February 2021|title=Figure 7: Classification accuracy for each model for all features.|journal=PeerJ Computer Science|volume=7|pages=e379|doi=10.7717/peerj-cs.379/fig-7|doi-access=free }}</ref> The classification assigned to a particular information asset should be reviewed periodically to ensure that it is still appropriate for the information, and that the security controls required by the classification are in place and are followed according to the correct handling procedures.<ref>{{Citation|title=Asset Classification|date=2013-10-16|url=http://dx.doi.org/10.1201/b15573-18|work=Information Security Fundamentals|pages=327–356|publisher=Auerbach Publications|doi=10.1201/b15573-18|isbn=978-0-429-13028-1|access-date=2021-06-01}}</ref>