An Introduction To
Information, Network and Internet Security


Commentary

A successful business is usually one that has good control over the management of its resources. To achieve that control it is critical to understand which assets are important to the organisation and which are less so, in order to allocate protection to best effect.

The previous clause identifies the need for delegated security responsibility. The managers who accept that delegation need to know precisely what is of value to the organisation and the degree to which it must be kept secure. Without such definition it is impossible to meet those security responsibilities.

This clause is designed to assist managers to decide just what is important to the organisation by creating a formal scheme against which all working information and assets can be classified.

It is customary to consider the classification of information in three separate areas, namely confidentiality, integrity and availability.

The military and government have for years used what is primarily a four-layer security classification scheme to determine confidentiality. The layers are:

Unrestricted     -     Restricted     -     Secret     -     Top Secret

Unrestricted information, on any form of media, is freely distributed with no need for special handling routines. Restricted material in hard copy media should only be passed around under cover of closed envelopes. Secret and Top Secret material in hard copy media is passed in sealed envelopes and is signed for by a suitably authorised party at each point where it changes hands. How electronic information is handled is determined by the risk assessment and the handling rules in force for such information. Measures typically include removable media, encryption and isolated systems.

Experience shows that in the majority of organisations the information that qualifies for Secret treatment is regularly less than 5% of all communications. Restricted information is usually between 5% and 15% of all communications. The balance is Unrestricted and not worth expending special resources on. Unrestricted does not, however, mean that the information is for public consumption; it is for internal circulation within the organisation only.

However, it is important to note that the growth of e-commerce and dot-com organisations will change that conventional balance. These organisations are essentially purveyors of information and if information is your product then it could be that your top level of security should extend to almost everything you do.

The desktop IT environment is particularly prone to "organic" growth, where comparatively inexpensive items of equipment and software become the host to critical business processes without necessarily attracting the corresponding degree of protection.

It is only possible to protect your high value assets if you know what and where they are!

Having delegated responsibility for corporate security down through all departments of the managerial chain, this clause is about the need for asset owners and managers to identify where and how those controls should be applied.

Just as only the corporate executive can legitimately own the corporate policy, so only the asset owners can know which are the important files, where they are kept and which individual employees need access to them in order to work effectively.

A word of warning!

It is always tempting for individuals to over-classify work in the genuine belief that the work they do is important. Important does not always equal secret. The better the definition of what should and should not be deemed classified, the more effectively the system will operate.



The Security Practitioner

An Introduction to Information Security