Security Policy – Classification and Control of Resources

Classification and Responsibility for Resources

An inventory of the organisation’s vital and important resources should be kept up to date. It takes the form of a table describing the resource and naming the person or persons in charge. The classification of assets is an extremely important task.

The level of importance of the resource for the company is also specified:

• vital
• important

The following elements are considered resources:

• computers (PCs, laptops, servers, netbooks) and printers;
• communication equipment (modem, switch, router, PABX, fax, etc.);
• files and databases (regardless of the device: disks, USB flash drives, tapes, etc.);
• applications (software);
• documents (contracts, procedures, plans, archives, etc.).

Security Measures:

• file servers
• email servers
• fixed network
• internal Wi-Fi network
• customer Wi-Fi network
• computers connected to the Internet
• laptop computers

Directly Associated Organisational Measures:

• Organisation of Security
  • Attribution of responsibilities
• Operational and communication aspects
  • Documented procedures
• Access control
  • Access control policy
  • Access rights management
• Compliance
  • Identification of applicable legislation
  • Intellectual property
  • Protection of operational data
  • Personal data protection

Technical Measures:

• classification

Inventory of Assets

An inventory of the organisation’s major resources (assets) should be kept up to date. It takes the form of a table describing the resource and naming the person or persons in charge. Each asset should be classified according to confidentiality, integrity and availability requirements.

Elements classified as ‘vital’ are those that could compromise the organisation’s existence if they disappear, are disclosed externally or become defective. Elements considered as ‘important’ are those that could cause serious consequences for the company under the same conditions.

The management and classification of properties are based on the following principles:

1. Application to all assets, in other words, anything with value, including information, such as listed in an inventory.
2. Determination of a manager for each asset type.
3. Ensure the correct use of assets in accordance with the security rules for the different classes.
4. Regular review by the manager.
5. Classification based on three criteria: confidentiality, integrity and availability.
6. Classification depending on impact.
7. Confidentiality classification legacy.
8. Qualification of contents to simplify management rules.
9. Default classification.
10. Marking to ensure the security rules are considered when handling assets.
11. Use of encryption to ensure that sensitive information is transported in a sufficiently well-protected container.

Which is where the following rules and responsibilities come in:

1. Each item must be inventoried and attributed to a manager who is responsible for determining its classification and the security measures to be applied.
2. An item that contains other items must have at least the same classification as the most sensitive item it contains.
3. Information always has the same classification, regardless of the form in which it is found.
4. The security manager is responsible for characterising the contents.
5. The security policy and any document contained within it will be inspired by internationally recognised best practice in security management. The best practice is documented in ISO/IEC standards 27001 and 27002.
6. An item’s manager must have reached the rank of division manager or his replacement.
7. The security manager is responsible for characterising the contents.
8. The classification policy is implemented through procedures.
9. These procedures and documents are available to all staff.