CASES.LU

Knowhow

Classification

Asset identification and classification are integral to risk management and are key elements of information security management (also called Information Security Management System – ISMS, see ISO/IEC 27001). They define security needs in terms of confidentiality, availability and integrity.

Draft and enforce a sectoral policy on classification and control of resources

Classification principles

  • The greater the impact of a disclosure, the higher the confidentiality classification will need to be.
  • The greater the impact of a loss due to the compromise of an asset, the higher the integrity classification will need to be.
  • The longer the impact of a prolonged disruption to legitimate access to the asset, the higher the availability classification will need to be.

Importance of classification

Asset classification is primarily used to perform risk analysis. Such classification requires that the criticality of an asset (= classification level – potential impact) be associated with the associated threats and vulnerabilities.

The classification will enable risks to be assessed as objectively as possible and a plan to be established to respond to them. The beneficiary will therefore be able to ensure that major risks are reduced, given the available investment.

Classification scheme

Each company has assets that are more or less critical to ensuring that it runs smoothly. These assets include business processes, people, information and of course machines. In order to implement efficient and effective security measures, it is necessary to define a level of protection to be provided for each asset.

This means it is important to classify assets and determine their criticality in terms of the level of confidentiality, integrity and availability.

Confidentiality

The following diagram shows the official abbreviation, the name, and a description of the confidentiality classes. It also refers to the classes of the “Traffic Light protocol” schema, defined by the English administration NISCC. These classes define distribution rules for information used to protect critical infrastructure.

Category 1) Impact 2) Management 3) Example 4) Tools TLP Correspondence
SE, Secret
  1. Disclosure could seriously harm the interests of the organisation.
  2. Management according to well-established procedures, stored only in encrypted locations under the exclusive control of the holder.
  3. Information classified by law (EU, NATO, National, etc.), passwords, sensitive information.
  4. Use of cryptography, safe, memory only.
Red

Personal for named recipients only, mostly passed verbally or in person
CO, Confidential
  1. Disclosure could harm the interests of the organisation.
  2. Management according to well-established procedures, access restricted to persons with an approved reason.
  3. Bank secrets, sensitive personal data (health), security incidents.
  4. Use of cryptography, non-shared local storage, formally managed access permissions.
Orange

Limited distribution, within organization, but only on a ‘need-to-know’ basis.
RE, Restricted
  1. Disclosure could be detrimental to the interests of the organisation or authorised group.
  2. Management based on employment contract or NDA, personal data (salary), reason shared by a file manager.
  3. Internal network documentation or diagram, source program.
  4. Use of cryptography, strictly managed access permissions.
Green

Community wide. Circulation, may not be published or posted on the Internet, nor released outside of the community.
IN, Internal
  1. Disclosure could sometimes be detrimental to the interests of the organisation or authorised group.
  2. Can be sent to other organisations in the same community.
  3. User guide, some direct phone numbers, operating procedure.
  4. Free internal use and transmission, protection must be ensured for external transmission.
Green

Community wide. Circulation, may not be published or posted on the Internet, nor released outside of the community.
PU, Public
  1. Information where disclosure is not generally harmful.
  2. Can circulate freely because accessible outside the organisation.
  3. Various publications, information content of a website.
  4. No constraints on use or transmission.
White

Unlimited, subject to standard copyright rules, WHITE information may be distributed freely, without restriction.

Integrity

The following diagram shows the official abbreviation, the name, and a description of the integrity classes.

Category 1) Impact 2) Management 3) Example 4) Tools
VIT, Vital
  1. Modification could result in significant losses to the organisation or might enable the person making the change to enrich themselves significantly.
  2. Regular (very frequent) formal control procedures are implemented (approximately once a week to once a month maximum).
  3. "DHL" mail, EDM system, configuration of servers or storage elements, telephone lines.
  4. Use of signature, safe.
IMP, Important
  1. Modification could lead to inefficiencies or significant recovery costs.
  2. Regular formal control procedures are often implemented. (about every 3 months).
  3. Registered mail, encrypted email, configuration of client computers (PC, laptop, PDA, etc.).
  4. Limitation of Access rights.
NOR, Normal
  1. There are no security requirements in addition to confidentiality protection.
  2. Regular control procedures are often implemented. (about every 6 months to 1 year).
  3. Internal mail, email, Internet browsing, etc.).
  4. No constraints on use or transmission.

Availability

Availability is expressed in terms of estimated time to recover from any failure.

Category Category code Downtime per year in calendar days owntime per year in working days
1 20D 1 month +/- 20 days
2 10D ½ month 2 weeks
3 5D 1 week 5 days
4 2.5D ½ week 2½ days
5 1D 1 day 8 hours
6 0.5D ½ day 4 hours
7 0.1D 1 hour 1 hours
Table of Contents