The CISO approach: Classification

Asset identification and classification are integral to risk management and are key elements of information security management (also called an Information Security Management System, ISMS; see ISO/IEC 27001). Classification defines the security needs of each asset in terms of confidentiality, integrity and availability.

Classification Principles

Importance of Classification

Asset classification is primarily used to perform risk analysis. Such analysis requires that the criticality of an asset (its classification level, i.e. the potential impact of a compromise) is associated with the threats and vulnerabilities that apply to it.

The classification enables risks to be assessed as objectively as possible and a plan to be established to respond to them. The beneficiary is therefore able to ensure that the major risks are reduced within the available investment.

Classification Scheme

Each company has assets that are more or less critical to ensuring that it runs smoothly. These assets include business processes, people, information and, of course, machines. To implement efficient and effective security measures, it is necessary to define the level of protection to be provided for each asset.

This means it is important to classify assets and determine their criticality in terms of the level of confidentiality, integrity and availability.

Confidentiality

The following table gives the official abbreviation, the name and a description of each confidentiality class: the impact of disclosure, the management rules, examples and tools. It also maps each class to the classes of the 'Traffic Light Protocol' (TLP) scheme defined by the UK administration's NISCC. The TLP classes define distribution rules for information used to protect critical infrastructure.

SE, Secret
  • Impact: Disclosure could seriously harm the interests of the organisation.
  • Management: Handled according to well-established procedures; stored only in encrypted locations under the exclusive control of the holder.
  • Example: Information classified by law (EU, NATO, national, etc.), passwords, sensitive information.
  • Tools: Use of cryptography, safe, memory only.
  • TLP correspondence: Red. Personal, for named recipients only; mostly passed verbally or in person.

CO, Confidential
  • Impact: Disclosure could harm the interests of the organisation.
  • Management: Handled according to well-established procedures; access restricted to persons with an approved reason.
  • Example: Bank secrets, sensitive personal data (health), security incidents.
  • Tools: Use of cryptography, non-shared local storage, formally managed access permissions.
  • TLP correspondence: Orange. Limited distribution within the organisation, and only on a 'need-to-know' basis.

RE, Restricted
  • Impact: Disclosure could be detrimental to the interests of the organisation or of an authorised group.
  • Management: Based on the employment contract or an NDA; personal data (salary); access reason shared with the file manager.
  • Example: Internal network documentation or diagrams, program source code.
  • Tools: Use of cryptography, strictly managed access permissions.
  • TLP correspondence: Green. Community-wide. The information may not be published or posted on the Internet, nor released outside the community.

IN, Internal
  • Impact: Disclosure could sometimes be detrimental to the interests of the organisation or of an authorised group.
  • Management: Can be sent to other organisations in the same community.
  • Example: User guides, some direct phone numbers, operating procedures.
  • Tools: Free internal use and transmission; protection must be ensured for external transmission.
  • TLP correspondence: Green. Community-wide. The information may not be published or posted on the Internet, nor released outside the community.

PU, Public
  • Impact: Information whose disclosure is not generally harmful.
  • Management: Can circulate freely because it is accessible outside the organisation.
  • Example: Various publications, the content of a website.
  • Tools: No constraints on use or transmission.
  • TLP correspondence: White. Unlimited: subject to standard copyright rules, WHITE information may be distributed freely, without restriction.

Integrity

The following table gives the official abbreviation, the name and a description of each integrity class: the impact of an unauthorised modification, the management rules, examples and tools.

VIT, Vital
  • Impact: Modification could result in significant losses to the organisation, or might enable the person making the change to enrich themselves significantly.
  • Management: Regular, very frequent formal control procedures are implemented (approximately once a week to once a month at most).
  • Example: 'DHL' mail, EDM system, configuration of servers or storage elements, telephone lines.
  • Tools: Use of signatures, safe.

IMP, Important
  • Impact: Modification could lead to inefficiencies or significant recovery costs.
  • Management: Regular formal control procedures are often implemented (about every three months).
  • Example: Registered mail, encrypted email, configuration of client computers (PC, laptop, PDA, etc.).
  • Tools: Limitation of access rights.

NOR, Normal
  • Impact: There are no security requirements beyond confidentiality protection.
  • Management: Regular control procedures are often implemented (about every six months to one year).
  • Example: Internal mail, email, Internet browsing, etc.
  • Tools: No constraints on use or transmission.

Availability

Availability is expressed in terms of the estimated time needed to recover from any failure, stated as a tolerated downtime per year.

Category | Category code | Downtime per year (calendar days) | Downtime per year (working days)
1        | 20D           | 1 month                           | approx. 20 days
2        | 10D           | ½ month                           | 2 weeks
3        | 5D            | 1 week                            | 5 days
4        | 2.5D          | ½ week                            | 2½ days
5        | 1D            | 1 day                             | 8 hours
6        | 0.5D          | ½ day                             | 4 hours
7        | 0.1D          | 1 hour                            | 1 hour
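As an added example (not part of the original page), the following Python turns the availability categories above into an annual downtime allowance, derives the uptime percentage each category implies, and checks an asset's recorded outages against its allowance. The hour values for "1 month" (30 days) and "½ month" (15 days) are assumptions; the outage records are constructed.

```python
from datetime import datetime
from typing import Iterable

# Annual downtime allowance per availability category, in calendar hours, from
# the calendar-days column above ("1 month" assumed = 30 days, "½ month" = 15).
CALENDAR_BUDGET_HOURS = {
    1: 30 * 24,    # 20D:  1 month
    2: 15 * 24,    # 10D:  half a month
    3: 7 * 24,     # 5D:   1 week
    4: 3.5 * 24,   # 2.5D: half a week
    5: 24,         # 1D:   1 day
    6: 12,         # 0.5D: half a day
    7: 1,          # 0.1D: 1 hour
}
HOURS_PER_YEAR = 365 * 24


def budget_hours(category: int) -> float:
    """Annual downtime allowance (calendar hours) for a category 1..7."""
    return float(CALENDAR_BUDGET_HOURS[category])


def implied_uptime_percent(category: int) -> float:
    """Availability percentage implied by consuming the whole allowance."""
    return round(100.0 * (1 - budget_hours(category) / HOURS_PER_YEAR), 3)


def outage_hours(records: Iterable[tuple[str, str]]) -> float:
    """Sum outage durations from (start, end) ISO-8601 timestamp pairs."""
    total = 0.0
    for start, end in records:
        t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if t1 < t0:
            raise ValueError(f"outage ends before it starts: {start} / {end}")
        total += (t1 - t0).total_seconds() / 3600
    return total


def check_availability(category: int, records) -> dict:
    """Compare the outages recorded for one asset with its category's allowance."""
    budget, used = budget_hours(category), outage_hours(records)
    return {"category": category, "budget_hours": budget, "used_hours": used,
            "remaining_hours": budget - used, "exceeded": used > budget}


# Constructed sample outages for one asset in a single year (not real incidents).
SAMPLE_OUTAGES = [
    ("2024-03-10T02:00", "2024-03-10T05:30"),  # 3.5 h maintenance overrun
    ("2024-07-01T22:00", "2024-07-02T01:00"),  # 3 h storage failure
]

if __name__ == "__main__":
    for cat in (5, 7):  # a 1D asset stays within its allowance, a 0.1D asset does not
        print(check_availability(cat, SAMPLE_OUTAGES))
```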