CASES.LU

Security Policy – Classification and control of resources

Classification and responsibility for resources

An inventory of the “organisation’s” vital and important resources should be kept up to date. It takes the form of a table describing each resource and naming the person or persons responsible for it. Classifying assets is an essential task: without it, nobody can say which resources deserve the strongest protection.

The level of importance of the resource for the company is also specified:

  • vital
  • important

The following elements are considered resources:

  • computers (PC, laptops, servers, netbooks) and printers;
  • communications equipment (modem, switch, router, PABX, fax, etc.);
  • files and databases (regardless of the device: disks, USB flash drives, tapes, etc.);
  • applications (software);
  • documents (contracts, procedures, plans, archives, etc.).

Comments

Elements classified as “vital” are those whose loss, external disclosure or malfunction could compromise the organisation’s existence.

Elements classified as “important” are those whose loss, disclosure or malfunction could have serious consequences for the company.


Inventory of assets

An inventory of the “organisation’s” major resources (assets) should be kept up to date. It takes the form of a table describing each resource and naming the person or persons responsible for it. Each asset should be classified according to its confidentiality, integrity and availability requirements.


The management and classification of assets is based on the following principles:

  1. Application to all assets, that is, anything of value to the organisation, including information, as listed in the inventory.
  2. Designation of a manager for each asset.
  3. Ensuring that assets are used correctly, in accordance with the security rules defined for each class.
  4. Regular review of the classification by the manager.
  5. Classification based on three criteria: confidentiality, integrity and availability.
  6. Classification according to the impact of a loss of confidentiality, integrity or availability.
  7. Inheritance of the confidentiality classification (an item takes on the classification of what it contains).
  8. Qualification of contents to simplify the management rules.
  9. A default classification for items that have not yet been classified explicitly.
  10. Marking, so that the applicable security rules are taken into account when assets are handled.
  11. Use of encryption so that sensitive information is transported in a sufficiently well-protected container.

These principles give rise to the following rules and responsibilities:

  1. Each item must be inventoried and assigned to a manager, who is responsible for determining its classification and the security measures to be applied.
  2. An item that contains other items must have at least the same classification as the most sensitive item it contains.
  3. Information always has the same classification, regardless of the form in which it is found (paper, file, backup, etc.).
  4. The security manager is responsible for characterising the contents.
  5. The security policy and every document contained within it are inspired by internationally recognised best practice in security management, as documented in ISO/IEC 27001 and ISO/IEC 27002.
  6. An item’s manager must hold at least the rank of division manager, or be that manager’s designated deputy.
  7. The classification policy is implemented through procedures.
  8. These procedures and documents are available to all staff.
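The container rule (rule 2) and the default classification (principle 9) are easy to state but easy to get wrong in a real inventory, because classification has to propagate transitively: a backup tape that holds a copy of a vital database is vital, even if nobody ever wrote that on the tape. The following Python model, added here as an example and not code from CASES.LU, shows how an inventory table can compute the effective classification of every asset, produce its marking (principle 10) and list the findings a reviewer would raise. The three-level scale with “normal” as the default level, the asset names and the people named as managers are all constructed for the example.

```python
"""Asset inventory with classification inheritance (added example, not CASES.LU code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical ordered scale, lowest to highest. The page defines "important" and
# "vital"; "normal" is assumed here as the default level for unclassified items.
LEVELS = ("normal", "important", "vital")
DEFAULT_LEVEL = "normal"
CRITERIA = ("confidentiality", "integrity", "availability")


def higher(a: str, b: str) -> str:
    """Return the more sensitive of two levels."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


@dataclass
class Asset:
    name: str
    kind: str                                           # computer, communications, data, application, document
    manager: Optional[str] = None                       # person responsible (rule 1)
    own: Dict[str, str] = field(default_factory=dict)   # C/I/A levels set explicitly by the manager
    contains: List[str] = field(default_factory=list)   # names of assets stored on or inside this one


class Inventory:
    def __init__(self, assets: List[Asset]):
        self.assets = {a.name: a for a in assets}

    def effective(self, name: str, _path=()) -> Dict[str, str]:
        """Rule 2: a container is at least as sensitive as anything it contains.
        Criteria the manager left unset take the default level (principle 9).
        Containment is followed transitively; a cycle in the inventory is an
        error rather than an excuse for silently dropping a level."""
        if name in _path:
            raise ValueError(f"containment cycle through {name!r}")
        asset = self.assets[name]
        levels = {c: asset.own.get(c, DEFAULT_LEVEL) for c in CRITERIA}
        for child in asset.contains:
            for crit, lvl in self.effective(child, _path + (name,)).items():
                levels[crit] = higher(levels[crit], lvl)
        return levels

    def marking(self, name: str) -> str:
        """Principle 10: the label to put on the asset, e.g. 'C:vital I:vital A:important'."""
        return " ".join(f"{c[0].upper()}:{lvl}" for c, lvl in self.effective(name).items())

    def audit(self) -> List[str]:
        """Findings a periodic review (principle 4) would raise on this inventory."""
        findings = []
        for a in self.assets.values():
            if not a.manager:
                findings.append(f"{a.name}: no manager assigned (rule 1)")
            eff = self.effective(a.name)
            for c in CRITERIA:
                if c not in a.own:
                    findings.append(f"{a.name}: {c} not classified, default '{DEFAULT_LEVEL}' applied")
                elif LEVELS.index(a.own[c]) < LEVELS.index(eff[c]):
                    findings.append(f"{a.name}: {c} declared '{a.own[c]}' but contains "
                                    f"'{eff[c]}' material (rule 2)")
        return findings


# Constructed sample inventory: a vital database, the server it lives on (under-classified
# by its manager), an unclassified backup tape holding a copy, and an orphan printer.
INVENTORY = Inventory([
    Asset("customer-db", "data", manager="A. Muller",
          own={"confidentiality": "vital", "integrity": "vital", "availability": "important"}),
    Asset("file-server-01", "computer", manager="B. Schmit",
          own={"confidentiality": "important", "integrity": "important", "availability": "important"},
          contains=["customer-db"]),
    Asset("backup-tape-7", "data", manager="B. Schmit", contains=["customer-db"]),
    Asset("office-printer", "computer"),
])

if __name__ == "__main__":
    for name in INVENTORY.assets:
        print(f"{name:16} {INVENTORY.marking(name)}")
    for finding in INVENTORY.audit():
        print("REVIEW:", finding)
```

Because `effective` follows containment transitively, the server and the tape both end up marked `C:vital I:vital A:important` even though neither was declared vital, and the audit reports the server’s declared confidentiality and integrity as violating rule 2. Rule 3 (same classification regardless of form) falls out of the same mechanism: every copy of `customer-db`, on whatever device, pulls that device up to the database’s level.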