GROUP INFORMATION TECHNOLOGY DEPARTMENT
ASSET CLASSIFICATION AND MANAGEMENT
POLICY & PROCEDURES
Policy Reference [GITD_IT013]
Table of Contents
DOCUMENT VERSION & CHANGE CONTROL
4.1 Information Classification Guidelines
4.2 Information Classification Scheme
Version History
Issue Date | Version | Description | Prepared By | Approved By
Jun 12, 2019 | 1.0 | Asset Classification and Management | Mrs. Sudha Jacob "ITIL Administrator" | Mr. Winston Ellison
Change History
Issue Date | Version | Description | Prepared By | Approved By
1.2 To establish a process for classifying and handling IT assets based on their level of sensitivity, value and criticality to Al Babtain Group.
· Owners must be identified for all major assets, including physical assets, information assets, and software. Examples of these types of asset groups are:
a) Physical assets, e.g., computer equipment and peripherals, communication equipment, storage media;
b) Software, e.g., operating systems, application software, development tools and utilities;
c) Information assets, e.g., database and data files, test data, backup data, operational procedures, user manuals, system documentation, system configuration, contracts.
· A data repository catalogue of all physical assets owned by Al Babtain Group must be created and maintained. This catalogue must be reviewed and updated annually. The catalogue must contain information such as asset type, physical location (if applicable), owner/responsible party, and criticality. All business users must assist in maintaining this catalogue, and communicate any changes or additions.
· A data repository catalogue of all software owned by Al Babtain Group must be created and maintained. This catalogue must be reviewed and updated annually. The catalogue must contain information such as software type, vendor/developer, logical locations/associated applications or systems, physical location (if applicable), owner/responsible party, custodial responsibilities, and information classification. Business Unit Managers must assist in maintaining this catalogue, and communicate any changes or additions.
· A data repository catalogue of all information assets must be created and maintained. This catalogue must be reviewed and updated annually. The catalogue must contain information such as high-level description, data type, logical locations/associated applications or systems, physical location (if applicable), data owner, custodial responsibilities, and information classification. Information Users and Information Owners must assist in maintaining this catalogue and communicate any changes or additions.
· During user station/workspace location changes or facility changes, all applicable asset inventory control documentation must be updated to reflect the changes made.
· In case of loss or destruction of any asset due to negligence or willful misconduct, reimbursement will be made in accordance with company law.
Information: any collection of data that is processed, analyzed, interpreted, organized, classified or communicated in order to serve a useful purpose, present facts or represent knowledge, in any medium or form. This includes presentation in electronic (digital), print, audio, video, image, graphical, textual or numerical form.
· In order to properly protect information assets, all Al Babtain Group information must be classified into one of the four categories defined in the Classification Scheme section.
· By classifying data, business units can determine the appropriate resources needed to protect information as well as the level of protection needed. The objective is to dedicate greater resources to the information that needs the greatest amount of protection and minimize the impact on the business process.
· Holders of information must ensure intended recipients of that information have the “need-to-know” before granting access rights to the information. The “need-to-know” principle must be equated to a justifiable business case. If the user needs access to the information to fulfill a business need, then that user can be given access.
· Al Babtain Group information in any format must be protected by all employees, contractors, and vendors at the level adequate with its value as determined by its information classification. These standards mitigate the risk that information of different classification levels is inadvertently combined or released. With all information classified correctly, proper controls can be established to manage the distribution of the information.
· Information must not be downgraded to a lower classification without a formal de-classification review performed by the Information Owner. The Information Owner must determine, based on the classification definitions, whether information can be moved to a lower classification. Likewise, Information Owners must determine whether an information asset's classification should be raised based on those definitions. It is the Information Owner's responsibility to monitor information assets and therefore to continuously review their classification.
The purpose of classification is to protect information. Each classification level accords a different level of protection based on the expected damage the information might cause in the wrong hands.
· “PUBLIC” information is considered to have value, but there is no risk from unauthorized disclosure. Some level of control is still required to prevent unauthorized modification or destruction of the information.
· “PUBLIC” information could be made public without any implications for Al Babtain Group (i.e., the data is not confidential). It would not provide a business or competitive advantage and is routinely made available to interested members of the general public. This type of information is available to the public with no special restrictions.
· Data integrity is of higher concern than confidentiality and availability. The appropriate Information System Owner must authorize replication or copying of the information in order to ensure it remains accurate and updated. It would include information such as marketing brochures, advertising media, annual reports, certain public information services, and the public Internet websites.
· “INTERNAL” data is important but not crucial to business operations. This type of data is mainly used internally within Al Babtain Group.
· External access and distribution of this data is to be controlled. If this data is inadvertently disclosed to the public, the consequences are not critical. Data confidentiality is not important internally; however, data integrity and availability are important but not vital. Internally used data that needs only minimal protection could be categorized in this class. Often internal information is used in making decisions and therefore it is important that this information remain timely and accurate.
· By default, all information assets that are not explicitly classified as Confidential or Public must be treated as Internal information.
Examples of this type of data are telephone books, policy and procedure documents, certain blank forms, project plans and timelines, and information published through the intranet services.
· “CONFIDENTIAL” data is sensitive to internal and external exposure. Data in this class is confidential within Al Babtain Group, and internal access is granted selectively and restricted to authorized personnel only.
· External access and distribution of this data is to be tightly controlled. Data meeting this classification level should be secured at all times. Access to this data must be explicitly and expressly authorized by appropriate personnel, only after a valid business need requiring access is proven.
· This type of data is primarily production data used in the day-to-day operations, and stored centrally in a secure environment. Data integrity and availability are vital. The owners of this type of data are responsible for maintaining and ensuring the accuracy and timeliness of the information.
Examples of this type of data include, but are not limited to, general ledger data, accounts payable data and staff payroll details.
· “SECRET” data is the most highly sensitive data and of great value to Al Babtain Group.
· This type of data is crucial to the business continuity of Al Babtain Group, and Executive Management would typically be the owner of this information. Internal access to this data is restricted to a limited number of personnel within their appropriate area of responsibility. External access and distribution of this data is to be strictly controlled.
· Data meeting this classification level should be secured at all times. Access to this data must be explicitly and expressly authorized by appropriate personnel. After a valid business need requiring access is proven, very strict rules must be adhered to in the usage of this data. If such data were to be accessed by unauthorized persons, it could have the highest impact in terms of financial loss, and competitive position in the marketplace.
· The availability of this type of data is important; however, confidentiality and integrity are of higher concern than availability. Examples of this type of data include financial data, business continuity information, merger & acquisition data, Executive Information data, certain legal and contractual data, and information on strategic direction and initiatives.
· Access to information must be on a “need-to-know” basis, i.e., access is restricted to authorized individuals whose duties require such access and justifiable by a business case. Individuals are not entitled to access information merely because of status, rank, or office. If a person or a group “need-to-know” the information due to a justifiable business reason (therefore becoming an Information User), then the information access can be granted by the Information Owner, and the Information User must treat the information according to its Information Classification as defined by the Information Owner.
· All media containing Al Babtain Group information must be labelled with its information classification. Media of different classifications should be stored in separate containers or drawers to ensure that accidental mixing of information from different classifications is prevented.
· All “SECRET” and “CONFIDENTIAL” documents must have a cover page identifying the classification of the information.
· All “SECRET” documents must be marked at the top or bottom of every page with the classification of the information contained in the document.
· Hard-copy documents must be stamped with the classification on every page.
P.S. The procedures above are built on standard practice and may be changed as the business and technology environment, new IT frameworks, or new roles and responsibilities across IT resources and business owners demand.
END OF DOCUMENT