Asset Classification Policies and Procedures - Essay Example

Asset ification Policies and Procedures In this section, the manual will deal with appropriate categorization of company assets. It will deal with the management and classification of assets with regard to their impact on the information security policies and procedures. A Information Classification/Sensitivity Levels Rubric Company classifies its information in three different levels, namely public data, sensitive data and confidential data. The objective of classifying information into three different levels is to ensure that information may not be misused or mishandled by the employees in the firm. It allows employees to deal with information in the required manner and to prevent confidential information to be redirected to people outside of the organization without proper written authorization. This includes protecting the information from being channeled to the wrong parties through any means including electronic devices such as videos, telephones, computers etc. For information to be handled properly, employees are required to have a working knowledge of the categorization of information into the three provided categories. Employees should be able to categorize the information before forwarding it further. If at some point, employees are confused about properly categorizing the information, the proper course of action is to classify it as confidential while an appropriate supervisor would later review and properly classify. Information classification is as follows: Public Data- As the name suggests, such data is usually open to the public and is easily available. Disclosure of such data does not put the firm in any kind of risk; however certain controls are required to be enforced on such data to prevent modification or destruction of the data by unauthorized parties; Sensitive Data- Data is classified as sensitive data when disclosures of such information publically can result in potential risk for the organization or its people. Such information may be provided to others on a discretionary basis and under the supervision of the data owner. Confidential Data – Confidential data is the most sensitive data within the organization and unauthorized disclosure of such information can result in significant risk for the firm. The highest level of security and control are applied on such information (Michigan Technology University, n.d). A. System Impact Levels The System Impact level will determine the impact of activities on the system on a scale of one to five with five being the most crucial impact and one having the least crucial impact. Since Rubric Company is an advertising agency, system directly impacting the clients will fall under the rating of five. This rating of five will also extend to all relatable critical components and their sub systems (Carnegie Mellon, 2011). Advertising agencies such as Rubric Company are bound by the Federal Trade Commission act, and thus they are required to protect the confidential information trusted upon them by their clients. Such information will be classified under level 3 of the system impact level. On the other hand, human resource system will be classified under level 1 of the system impact level. B. Information Systems Inventory and Criticality Ratings In order to determine the impact of system on Rubric Company, it is important to evaluate information systems inventory and criticality ratings. The system impact levels are based on a rating of 10 point scale; one being assigned to system falling under low criticality while 10 being assigned to the most critical activities. Furthermore, the systems are also further classified under tiers according to their importance for the firm; with Tier 1 being the most critical systems and Tier 4 as the least critical. Rubric Company classified two systems under Tier 1. It classifies the email system under Tier 1 which is responsible for managing and monitoring communication of information within and outside the organization. Clients accept artworks and send instructions via email to the client representative which is subsequently forwarded it to the designer. Properly managing the information is critically for the smooth running of the agency; therefore this system has been placed on level five of the system impact level rating. Another Tier 1 activity is the Demdex data management system that the agency uses to manage its data and keep client and employees informed. This system ensures that work flow remains smooth and thus has been classified as level 5. The Tier 1 system activities are the basis of the agency’s success and without their smooth operation, the agency would be greatly hampered. Tier 2 activities are critical for the organization and are a necessary part of the institution. These include the financial data, Web server, the network server, the backup server and the email system. The financial server is responsible for storing and managing all aspects of the financial aspect of the agency. These include salaries to the employees, overhead expenses, client fees, purchasing assets etc. The system impact level of this is level 5. The webserver and network system is the agency’s delivery system for internal as well as external information. These systems are responsible for integral communication of the employees within the organization and to connect with the outside world. Since there is private communication between the employees regarding different jobs, therefore the system level for this aspect is 5. In terms of criticality rating, this system is placed at level 8. The next tier is Tier 3, which is medium priority level. This level encompasses the Human Resource department that manages employee data along with their salary scope. Properly managing the employee data and information is critically for the smooth running of the agency; therefore this system has been placed on level five of the system impact level rating. The last Tier includes the web site server which holds a low priority. This system is responsible for updating potential and existing clients about the agency and their latest work. Information protection is low for this system and thus has been placed in level 1. References Carnegie Mellon (2011) Guidelines for Data Classification, Retrieved from http://www.cmu.edu/iso/governance/guidelines/data-classification.html [Accessed 3 February, 2013] Michigan Technology University (n.d) Data Classification and Handling Policy, Retrieved from http://security.mtu.edu/policies-procedures/DataClassificationAndHandlingPolicy.pdf [Accessed 3 February, 2013] Read More