Running head: HIC ASSET ID AND CLASSIFICATION POLICY

HIC Inc. Asset Identification and Classification Policy


Jessica Romio
University of San Diego
As stated in the HIC, Inc. Information Security Program Charter, HIC Inc. is committed to
protecting the information of its customers and employees and is responsible for the use and
protection of their private information. Responsible use ensures that individual privacy is
respected and that the confidentiality, integrity, and availability of the company information is
preserved and complies fully with all laws and government regulations. This Asset Identification
and Classification Policy defines HIC, Inc.’s conditions for establishing standards for the
identification, classification, and labeling of its information assets.
Scope
The Asset Identification and Classification Policy applies to all employees – full time, part time,
or temporary – as well as contractors and anyone else who performs work on HIC, Inc. premises or
systems. Any individual who is authorized to use HIC, Inc. technology resources and data, or who
is otherwise granted access to them, is also subject to this policy.
An information asset is defined as all data, electronic or physical, that is used by HIC, Inc. or
in support of HIC, Inc. processes. This includes all data that is managed, processed, or handled
by, or on behalf of, HIC, Inc. (Palmer, Robinson, Patilla, & Moser, 2000).
Objectives
Information classification, as defined by HIC, Inc., is the classification of information based on
its level of sensitivity and the impact to HIC Inc. and its customers should that information be
disclosed, altered, or destroyed without authorization. All HIC, Inc. information must be
classified into one of the following classifications: Restricted, Confidential, Internal, or Public. If
documents are combined, the information must be reclassified to the highest level of
classification of the combined documents. The classification of the information helps determine
what baseline security controls are appropriate for safeguarding the information.
• Restricted information is restricted to individuals with the highest level of need-to-know
and must be approved by security for that system. Violations to the restrictions of these
systems hold the highest enforcement and can result in legal action if information is
shared, distributed, or modified without approval. Additional information on enforcement
can be found in the Enforcement and Exception Handling section.
• Confidential information is authorized to employees with a need-to-know to access the
information. Access is granted by the system administrator with permission by the
Information System Owner.
• Internal information is accessible by all HIC, Inc. employees. All employees are granted
permission to access these information systems upon employment.
• Public information is open to the public outside of HIC, Inc. and is not restricted at all.
Restricted information requires CIO approval for modification; all other information may be
modified if the employee modifying the data is approved to access the information and no
additional restrictions have been put in place.
HIC, Inc. follows a combination of Role Based Access Control (RBAC) and Discretionary
Access Control (DAC). RBAC is the main form of access control, in which access is based on job
function at the company; DAC is used in specific instances, such as specialized systems, and where
permissions must be overridden with root access if necessary. RBAC roles can be granted additional
permissions at the discretion of the system administrator.
Any information that is determined to be Restricted, Confidential, or Internal must be
labeled appropriately. Specific instructions for labeling information assets are provided in the
Information Labeling Standard.
Responsibilities
All HIC, Inc. employees are responsible for being aware of the information classification that has
been assigned to information systems and assets and must ensure that they do not breach the
controls that have been put in place.
All information systems and information assets must be uniquely identified, must be assigned an
Information System Owner, and must be given an information classification. The Information
System Owner must adhere to the Information Management and Security Policy. Information
System Owners are responsible for ensuring the proper controls are put in place for the systems
and/or assets they are responsible for, based on their security classification (2017).
The HIC, Inc. systems security team is responsible for monitoring the network and addressing any
issues that arise. The team is also responsible for assisting Information System Owners with any
issues that are identified.
The Chief Information Officer (CIO) is the approval authority for the Asset Identification and
Classification Policy.
The Chief Information Security Officer (CISO) is responsible for the development,
implementation and maintenance of the Asset Identification and Classification Policy and its
associated standards and guidelines.
All employees of HIC, Inc. who have access to information systems must be aware of the Asset
Identification and Classification Policy and are responsible for maintaining it.
Enforcement and Exception Handling
Any violation of the Asset Identification and Classification Policy, or of any of its associated
standards, guidelines, or procedures, may result in disciplinary action. This may include the
termination of employment or contracts, as well as legal action for violation of applicable laws
and regulations.
Any exception request to the Asset Identification and Classification Policy shall be submitted
to the Chief Information Officer. All exceptions require written approval from the authorized
approval authority.
Review and Revision
The Asset Identification and Classification Policy will be reviewed and revised in accordance
with the Information Security Program Charter.

Approved: ___________________________________ Date: ___________________

Signature
Jessica Romio
Chief Information Officer, HIC, Inc.
References
Bosworth, S., Kabay, M. E., & Whyne, E. (2014). Computer Security Handbook (6th ed., Vol. 1). Hoboken, NJ: John Wiley & Sons.

Information Asset and Security Classification Procedure. (2017, October 20). Retrieved from https://policy.usq.edu.au/documents/13931PL

Palmer, M., Robinson, C., Patilla, J., & Moser, E. (2000). META Security Group Information Security Policy Framework. Retrieved October 11, 2019, from http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf

What is role-based access control (RBAC)? - Definition from WhatIs.com. (n.d.). Retrieved from https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC
