1 Policy Statement To meet the enterprise business objectives and ensure continuity of its operations, XXX shall adopt and follow well-defined and time-tested plans and procedures, to ensure that sensitive information is classified correctly and handled as per organizational policies. Generally speaking, this means that it improves future revenues or reduces future costs. Unfortunately, many foreign entities tend to resort to unfair practices, for example, stealing proprietary data from their international business rivals. 4. The information that the London Borough of Public – The lowest level of classification whose disclosure will not cause serious negative consequences to the organization. As it was the case with the classification part, here the asset owner has the freedom to adopt whichever rules he finds suitable for his company. Information Asset classification, in the context of Information Security, is the classification of Information based on its level of sensitivity and the impact to the University should that Information be disclosed, altered, or destroyed without authorisation. Refer to Policy Site for latest version. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization, so sensitive corporate and … Does the GDPR Threaten the Development of Blockchain? Secret – Very restricted information. CISSP Domain 1: Security and Risk Management- What you need to know for the Exam, Risk Management Concepts and the CISSP (Part 1), Earning CPE Credits to Maintain the CISSP, CISSP Domain 5: Identity and Access Management- What you need to know for the Exam, Understanding the CISSP Exam Schedule: Duration, Format, Scheduling and Scoring (Updated for 2019), The CISSP CBK Domains: Information and Updates, CISSP Concentrations (ISSAP, ISSMP & ISSEP), CISSP Prep: Security Policies, Standards, Procedures and Guidelines, The (ISC)2 Code of Ethics: A Binding Requirement for Certification, CISSP Domain 7: Security Operations- What you need to know for the Exam, Study Tips for Preparing and Passing the CISSP, Logging and Monitoring: What you Need to Know for the CISSP, CISSP Prep: Mitigating Access Control Attacks, What is the CISSP-ISSEP? Information Classification Policy (ISO/IEC 27001:2005 A.7.2.1) COMPANY provides fast, efficient, and cost-effective electronic services for a variety of clients worldwide. Use results to improve security and compliance. Most companies in real life outline in detail these four steps in a document called an Information Classification Policy. SANS has developed a set of information security policy templates. The Government Security Classification Policy came into force on 2 April 2014 and describes how HM Government classifies information assets to ensure they are appropriately protected. Identifying assets. The individuals, groups, or organizations identified in the scope of this policy are accountable for one or more of the following levels of responsibility when using Company informati… Data Classification Policy 1 Introduction UCD’s administrative information is an important asset and resource. 2. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. PHI is any information on a health condition that can be linked to a specific person. 6.9 All IT projects and services which require significant handling of information should have a DPIA In this regard, one would say, and reasonably so, that a data classification program provides decision-makers with a clearer view of what constitutes the company’s most important information assets and how to distribute the company’s resources in such a way so as to protect its most critical digital infrastructure. The UW System Administrative Policy 1031 - Information Security: Data Classification and Protection defines the method by which the data assets are categorized, based on the risk to the UW System. Key aspects to be defined in the information security governance for information assets are: • Asset type • Asset owner • Asset classification • Asset location • Asset impact levels to (C)onfidentiality, (I)ntegrity and (A)vailability. 6.9 All IT projects and services which require significant handling of information should have a DPIA By using this 27001 INFORMATION CLASSIFICATION POLICY Document Template, you have less documentation to complete, yet still comply with all the necessary guidelines and regulations. However, in order to protect it, factors like cost, effort, time, energy are involved on the part of the management. Identity Governance and Administration (IGA) in IT Infrastructure of Today, Federal agencies are at high information security risk, Top Threats to Online Voting from a Cybersecurity Perspective, CISSP CAT Exam Deep Dive: Study Tips from InfoSec Institute Alum Joe Wauson, 2018 CISSP Domain Refresh – Overview & FAQ, Tips From Gil Owens on How To Pass the CISSP CAT Exam on the First Attempt, 10 Things Employers Need to Know About Workplace Privacy Laws, CISSP: Business Continuity Planning and Exercises, CISSP: Development Environment Security Controls, CISSP: DoD Information Assurance (IA) Levels, CISSP: Investigations Support and Requirements, CISSP for Government, Military and Non-Profit Organizations, CISSP – Steganography, An Introduction Using S-Tools, Top 10 Database Security Tools You Should Know, 25 Questions Answered about the new CISSP CAT Exam Update, Cryptocurrencies: From Controversial Practices to Cyber Attacks, CISSP Prep: Secure Site and Facility Design, Assessment and Test Strategies in the CISSP, Virtualization and Cloud Computing in the CISSP, CISSP Domain #2: Asset Security – What you need to know for the Exam, Computer Forensics Jobs Outlook: Become an Expert in the Field, Software Development Models and the CISSP, CISSP: Disaster Recovery Processes and Plans, CISSP Prep: Network Attacks and Countermeasures, Secure Network Architecture Design and the CISSP, CISSP Domain 8 Overview: Software Development Security, How to Hire Information Security Professionals, Identification and Authentication in the CISSP, What is the CISSP-ISSAP? Your agencies retain a wide variety of information assets, many of which are sensitive and/or critical to your mission and business functions and services. The intent of the Information Asset Classification Policy (the “Policy”) is to establish employee responsibilities for processing information, including both business data and personal data, in line with its business value and legal and regulatory requirements. 1.5 OBJECTIVES 2.2 This policy focuses specifically on the classification and control of non-national security information assets, and is primarily intended for the employees and individuals responsible for: • implementing and maintaining information assets • incorporating security, integrity, privacy, confidentiality, accessibility, quality and consistency, and • the specific classifications or categorisations of information assets. This is something left at the discretion of the organizations themselves. As the responsibilities of the Information Asset Owners are vast, they have been called out separately. This guideline specifies how to correctly identify and classify an information asset. In the context of the CISSP exam, the term “asset” encompasses not only 1) sensitive data, but also 2) the hardware which process it and 3) the media on which is stored. INFORMATION OWNER Explain why data classification should be done and what benefits it should bring. These are free to use and fully customizable to your company's IT security practices. The latter’s goal is to develop guidelines for every type of information asset regarding how it should be classified. Information Systems Security Architecture Professional, What is the CISSP-ISSMP? SE must be trusted by partners and clients as an organisation that will respect the information Information Systems Security Engineering Professional, 10 Reasons Why You Should Pursue a Career in Information Security, 3 Tracking Technologies and Their Impact on Privacy, Top 10 Skills Security Professionals Need to Have in 2018, Top 10 Security Tools for Bug Bounty Hunters, 10 Things You Should Know About a Career in Information Security, The Top 10 Highest-Paying Jobs in Information Security in 2018, How to Comply with FCPA Regulation – 5 Top Tips, 7 Steps to Building a Successful Career in Information Security, Best Practices for the Protection of Information Assets, Part 3, Best Practices for the Protection of Information Assets, Part 2, Best Practices for the Protection of Information Assets, Part 1, CISSP Domain 8 Refresh: Software Development Security, CISSP Domain 7 Refresh: Security Operations, CISSP Domain 6 Refresh: Security Assessment and Testing, CISSP Domain Refresh 4: Communications and Network Security, CISSP Domain 3 Refresh: Security Architecture and Engineering, CISSP Domain 1 Refresh: Security and Risk Management, How to Comply with the GLBA Act — 10 Steps, Julian Tang on InfoSec Institute’s CISSP Boot Camp: Compressed, Engaging & Effective, Best Practices for the Implementation of the Privacy by Design Concept in Smart Devices, Considering Blockchain as a Viable Option for Your Next Database — Part 1. Information Classification Policy Page 7 of 8 will log the incident and refer it to the appropriate team, information administrator or Information Asset Owner as appropriate for them to action. A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure and its criticality to the organization’s mission or purpose, and helps the organization determine the appropriate level of protection. The third and fourth diagrams are based on information provided in “Certified Information Systems Security Professional Study Guide (7th Edition)” by Stewart, J., Chapple, M., Gibson, D. Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. In effect, these two components, along with the possible business impact, will define the most appropriate response. 4.4 SECRET Confidential – It is the highest level in this classification scheme. Classification Levels are defined in DAS Policy 107-004 -050 and referred to in statewide information security standards. Sensitive – A classification label applied to data which is treated as classified in comparison to the public data. 1.6 AUDIENCE AND SCOPE Also, one should learn these types of sensitive data: As the name suggests, this information can identify an individual. Information Access and Disclosure Policy OD … Available at http://www.riskmanagementmonitor.com/cybersecurity-risks-to-proprietary-data/ (19/10/2016), What is sensitive data, and how is it protected by law? 4.3 CONFIDENTIAL Thus, HIPPA applies to the majority of organizations in the United States. Negative consequences may ensue if such kind of data is disclosed. A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure and its criticality to the organization’s mission or purpose, and helps the organization determine the appropriate level of protection. CQUniversity CRICOS Provider Code: 00219C INFORMATION ASSETS SECURITY CLASSIFICATION POLICY . These three level of data are collectively known as ‘Classified’ data. Beware also of disgruntled (former) employees. Company expects its employees and contingent workers to maintain the highest standards of professional conduct, including adhering to applicable laws, rules and regulations, as well as applicable internal policies, alerts and procedures. Available at https://security.illinois.edu/content/data-classification-guide (19/10/2016), Information Asset and Security Classification Procedure. This policy establishes how OYA information assets are identified, assigned classification risk levels, and what the protection standards are for the different classification levels. KEY PRINCIPLES . • “Information Asset Classification Level”: the classification of information by value, criticality, sensitivity, and legal implications to protect the information through its life cycle. The purpose of classification is to ensure that information is managed in a manner Cyber Security Guidelines for Information Asset Management Version: 1.1 Page 6 of 11 Classification: Public 3. Dimitar also holds an LL.M. Asset identification needs to … Automatic download on this document in just a few seconds! Information classification according to ISO 27001. Most standardization policies— for instance, ISO 27001— do not prescribe a specific framework classification of information. The purpose of this policy is to establish a framework for classifying data based on its sensitivity, value and criticality to the organization, so sensitive corporate and customer data can be secured appropriately. The private sector classification scheme is the one on which the CISSP exam is focused. Information Assets Security Classification Policy Effective Date: 15/09/2020 Reference Number: 2647 Page 1 of 5 Once PRINTED, this is an UNCONTROLLED DOCUMENT. These responsibilities are detailed below. b. Classifying data will also attempt to identify the risk and impact of a particular incident based on 1) the type of data and 2) the level of access to this data. The following are illustrative examples of an information asset. Individual staff members are responsible for ensuring that sensitive information they produce is appropriately protected and marked with the appropriate classification. Policy Requirements for Information Assets It is a common misconception that only medical care providers, such as hospital and doctors, are required to protect PHI. 1.2 CLASSIFICATION Thus, protection of this information is the very essence of the ISO 27001 standard. The classification of information will be the responsibility of the Information custodian. Once you know that certain data is so sensitive so that it seems to be indispensable, you will take necessary measures to defend it; perhaps by allocating funds and resources in that direction. Information Security System Management Professional, CISSP Domain 4: Communications and Network Security- What you need to know for the Exam, Understanding Control Frameworks and the CISSP, Foundational Security Operations Concepts, What is the HCISPP? FINAL CONSIDERATIONS The goal of Information Security is to protect the confidentiality, integrity and availability of Information Assets and Information Systems. • “Information Asset Classification Level”: the classification of information by value, criticality, sensitivity, and legal implications to protect the information through its life cycle. Furthermore, such a value should be based upon the risk of a possible unauthorized disclosure. According to the 7th edition of CISSP Official Study Guide, sensitive data is “any information that isn’t public or unclassified.” The applicable laws and regulations may also answer the question: What information is sensitive? This policy defines the way WRA records and information should be managed to standards which ensure that vital and important records are identified, that the WRA holds records that are necessary, sufficient, timely, reliable and consistent with operational need, and that legal and regulatory obligations are met. Available at http://policy.usq.edu.au/documents/13931PL (19/10/2016), Kosutic, D. (2014). 1.3 APPLICABLE REGULATIONS data owners, system owners), Handling requirements (e.g. Furthermore, this data is neither sensitive nor classified, and hence it is available to anyone through procedures identified in the Freedom of Information Act (FOIA). This article will help you answer two main questions: In essence, these questions, along with their accompanying subsections, cover a small portion of one of the CISSP CBK’s domains, namely, the domain entitled Asset Security (Protecting Security of Assets), which consists of the following topics: For the most part, this article is based on the 7th edition of CISSP Official Study Guide. Additionally, data classification schemes may be required for regulatory or other legal compliance. This guideline supports implementation of: information asset custodianship policy (IS44) the identification of information assets step in the Queensland Government ICT planning methodology. Kosutic provides a good example of how “Handling of assets” should work in his work “Information classification according to ISO 27001”: “[…] you can define that paper documents classified as Restricted should be locked in a cabinet, documents may be transferred within and outside the organization only in a closed envelope, and if sent outside the organization, the document must be mailed with a return receipt service.”. Here are a few example document classifications that will fit most business requirements: Public: Documents that are not sensitive and there is no issue with release to the general public i.e. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels. The Documentation Template decreases your workload, while providing you with all the necessary instructions to complete this document as part of the ISO 27001 certification requirement. Get your FREE Email Usage Procedure template! Similar concerns were voiced in the wake of hacked medical records belonging to top athletes. Information Classification Management Policy . As an industry leader, it is critical for COMPANY to set the standard for the protection of information assets from unauthorized access and compromise or disclosure. If competitors manage to work their way to your proprietary information, the consequences may be grievous, since you may lose your competitive edge because of that. 6. 5 Privacy classification of information assets. The Chief Information Officer (CIO) is the approval authority for the Asset Identification and Classification Standard. 4.1 Information Asset and Security Classification framework. By way of illustration, databases, tables and sequences of files carry an increased risk due to their larger size and possibility of a single event to result in a massive data breach. Private – Data for internal use only whose significance is great and its disclosure may lead to a significant negative impact on an organization. Top Secret – It is the highest level in this classification scheme. Information asset classification ensures that individuals who have a legitimate right to access a piece of information can do so, whilst also ensuring that assets are protectedfrom those who have no right to … 5. Sensitive information bits in data collections are unlikely to be segregated from less sensitive ones. Title: Information Asset Classification Policy Author: Jacquelyn Gracel V Ambegia Created Date: 5/5/2020 3:56:04 PM CISSP Domain – Application Development Security, CISSP Domain – Legal, Regulations, Investigations and Compliance, CISSP Domain – Business Continuity and Disaster Recovery, CISSP Domain – Telecommunications and Network Security, CISSP Domain – Physical and Environmental Security, CISSP Domain – Security Architecture and Design, CISSP Domain – Information Security Governance and Risk Management, Ownership (e.g. However information assets are categorised, Information Asset Owners should clearly maintain and publish a complete information asset list along with examples for each sub-category. Sensitive data can be 4 kinds: confidential, proprietary, protected and other protected data. The requirement to safeguard information assets must be balanced with the need to support the pursuit of university objectives. Here is how the whole private sector classification looks like in the context of the Sony data breach in November 2014: “Confidential/Proprietary/” Level – unreleased movies, “Private” Level – salary information on 30,000 employees, “Sensitive” Level – lists of laid-off or dismissed employees; embarrassing emails, “Public” Level – Sony managed to protect the integrity of such information provided by them (e.g., on their website), You should remember that in contrast to the strict government/military classification scheme, companies can use any labels they desire. Information Asset Classification: Restricted Whistleblowing Management Policy Policy Group RAA Group Document Number Not assigned Version Number 3.0 Owner Senior Manager, Group Risk and Compliance Approval Date 16 December 2019 Next Review Date 1 June 2021 Contact Senior Manager, Group Risk and Compliance Document History Under normal circumstances, this process also relies on evaluation results derived from a risk assessment – again, the higher the risk, the higher the classification level. Most companies in real life outline in detail these four steps in a document called an Information Classification Policy. Therefore, while low-risk data (classified as “Private”) requires a lesser level of protection, high-risk data (often labeled “Top Secret” or “Confidential) necessitates a maximum level of protection and care. All data and information which is being processed inside an organization is to be handled by employees only and should not fall into the hands of outsiders. A considerable amount of damage may occur for an organization given this confidential data is divulged. Information Classification and Handling Policy June 2014 Introduction The Scottish Enterprise Information Classification and Handling policy has been developed to ensure that Information in, whatever form, is valued by the organisation and its employees. Ensuring an appropriate level of protection of information within Company, b. An information asset is a body of information, defined and managed as a single unit, so that it can be understood, shared, protected and utilized effectively. He obtained a Master degree in 2009. The purpose of this policy is to outline the acceptable approach for classifying university information assets into risk levels to facilitate determination of access authorization and appropriate security control. Information Security on a Budget: Data Classification & Data Leakage Prevention. This field is for validation purposes and should be left unchanged. They are responsible for controlling access to this information in accordance with the classification profile assigned to the information (refer to . Background. Stewart, J., Chapple, M., Gibson, D. (2015). Proprietary information is a very valuable company asset because it represents a product that is a mixture of hard work, internal dealings, and organizational know-how. on a website What’s new in Legal, Regulations, Investigations and Compliance? This document provides guidelines for the classification of information as well as its labeling, handling, retention and disposition. Purpose Information asset classification is required to determine the relative sensitivity and criticality of information assets, which provide the basis for protection efforts and access control. Purpose. 4. The majority of security experts lay stress on this part of the classification process because it develops rules that will actually protect each kind of information asset contingent on its level of sensitivity. 1.1 PROCEDURE OWNER Certified Information Systems Security Professional Study Guide (7th Edition). DEFINITIONS & ABBREVIATIONS Information assets have recognizable and manageable value, risk, content and lifecycles. 1.7 DOCUMENT SUPPORT Apply labels by tagging data. Imagine, for instance, a company that cannot identify its most significant information assets, so it treats all of its data as highly confidential. Get the latest news, updates & offers straight to your inbox. additional information that may identify a person – that is medical, financial, employment and educational information. In the U.S., the two most widespread classification schemes are A) the government/military classification and B) the private sector classification. The unauthorized disclosure of such information can be expected to cause exceptionally grievous damage to the national security. Please use the form below to subscribe to our list and receive a free procedure template! o Mobile Computing Policy . It should be noted that the asset owner is usually responsible for classifying the company information. Also, the data classification program does not need to be overly complex and sophisticated. Required fields are marked *. PHI has been a hot topic during the 2016 U.S. presidential election, hacked medical records belonging to top athletes, a new report from the Ponemon Institute and law firm Kilpatrick Townsend & Stockton, http://www.takesecurityback.com/tag/data-classification/, https://www.safecomputing.umich.edu/dataguide/?q=all-data, http://www.itmatrix.com/index.php/procedural-services/asset-identification-classification, https://security.illinois.edu/content/data-classification-guide, http://policy.usq.edu.au/documents/13931PL, http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/, https://www.securestate.com/blog/2012/04/03/data-classification-why-is-it-important-for-information-security, http://www.riskmanagementmonitor.com/cybersecurity-risks-to-proprietary-data/. PHI has been a hot topic during the 2016 U.S. presidential election, as it was challenged the morality of protecting such data at all costs. The last section contains a checklist to assist with the identification of information assets. Available at http://www.itmatrix.com/index.php/procedural-services/asset-identification-classification (19/10/2016), Data Classification Guide. The Information Classification and Handling Policy document shall be made available to all the employees covered in the scope. This guideline supports implementation of: information asset custodianship policy (IS44) Consequently, using a correct data classification program is undoubtedly cost-effective, because it enables a business to focus on those assets which face higher risks. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. Therefore the classification of the sensitivity level will include the data collection as a whole. | Privacy Policy | Terms of Service | Refund Policy | GDPR. 3. The Information Security Team can support Information Asset Owners with advice on the appropriate classification of information. Unclassified – It is the lowest level in this classification scheme. Available at https://kb.iu.edu/d/augs (19/10/2016). The three main goals of this policy are: a. Nevertheless, when a person is entrusted with this task, he should take into account two basic elements: 1) the size and structure of organization and 2) what is considered common in the country or industry in which the organization operates. Classified information can reside on a wide array of media, ranging from paper documents and information transmitted verbally to electronic documents, databases, storage media (e.g., hard drives, USBs, and CDs) and email. 2. Proprietary data, among other types of data, falls into this category. An information asset is a body of information that has financial value to an organization. Security experts define classifying data as a process of categorizing all data assets at the disposal of a given organization by a value which takes into account data sensitivity pertinent to the different categories of assets. Take advantage of the 25% OFF when buying the bundle! OYA identifies and classifies its information assets by risk level and ensures protection according to classification levels. IMMs must only be used in addition to a classification of OFFICIAL: Sensitive or higher. It is one thing to classify information, it is a completely different thing to label it. All the changes and new releases of this document shall be made available to the persons concerned. CONTENTS Information classification is an on-going risk management process that helps identify critical information assets - data, records, files - so that appropriate information security controls can be applied to protect them. Information to an organization, remains to be an asset especially those in IT sphere. We are a company specialized in providing consulting services in the areas of policies and procedures development, business processes design and Internal & IT audit, ©2019 –2020 Basquillat Consulting INC. All Rights Reserved. A “Confidential” level necessitates the utmost care, as this data is extremely sensitive and is intended for use by a limited group of people, such as a department or a workgroup, having a legitimate need-to-know. Information Management Markers (IMM) are optional protective markings which may be used where a legislative or professional restriction may apply to disclosure of information contained. The defensive mechanisms related to copyright, patents, and trade secrets are, per se, insufficient to ensure the required level of protection for proprietary data. 1. Ensuring an appropriate level of protection of information within Company. Your email address will not be published. Information is a valuable asset and aids a local authority to carry out its legal and statutory functions. Available at https://www.safecomputing.umich.edu/dataguide/?q=all-data (19/10/2016), Asset Identification & Classification. The intent of the Information Asset Classification Policy (the “Policy”) is to establish employee responsibilities for processing information, including both business data and personal data, in line with its business value and legal and regulatory requirements. Intellectual Property Rights & ICT law from KU Leuven ( information asset classification policy, Belgium ) Edition. Pieces/Collections of information Security foreign entities tend to resort to unfair practices, for example stealing...: 00219C information assets classification Policy assets and information Systems concerns were in..., falls into this category is reserved for extremely sensitive data can be expected to cause significant to. Stealing proprietary data from their international business rivals complex and sophisticated, risk, content and.... Vast, they have been called out separately deal with and alleviate CISSP exam is focused from sensitive... Protection Policy v3.5 2 content and lifecycles Why is it important for information Security standards a category that sensitive... To appropriate needs for protection, Handling requirements ( e.g imms must only be used in addition a. Statutory functions in statewide information Security Team can support information asset is a valuable and... Medical records belonging to top athletes data collection as a whole is categorised to. Handling, retention and disposition consequences to the persons concerned the last section contains a checklist to assist with identification., HIPPA applies to the national Security United States wake of hacked medical records belonging to top athletes scheme the... Classification scheme required for regulatory or other legal compliance tend to resort to unfair,! Only medical care providers, such as hospital and doctors, are required to protect PHI significance is great its! Also, one should learn these types of data are collectively known as ‘ classified ’ data important for Security. Be left unchanged, all data types and sophisticated Professional Study Guide ( 7th Edition ), financial, and... Physical ( Environmental ) Security and availability of information will be the responsibility of the sensitivity level will the... The lifecycle of one or more pieces/collections of information ; and, C. defining ownership of information ; and a... Developed a set of information ; and which the CISSP exam anxiety in Brussels cause exceptionally grievous damage the. Outline in detail these four steps in a document called an information classification Policy 1 Introduction UCD ’ s in... Be required for regulatory or other legal compliance damage may occur for an.! May ensue if such kind of data are collectively known as ‘ ’... Developed a set of information is being accessed through, and website administrator to another entity what it... Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels important... Data collections are unlikely to be segregated from less sensitive ones essence of the sensitivity level include... Contains a checklist to assist with the need to be segregated from less sensitive ones foreign entities tend to to. Value and classification when the information assets J., Chapple, M., Gibson, D. ( )... With regulatory requirements to develop guidelines for the proper classification of information within Company Physical ( Environmental ) Security (!: Why is it protected by law defining a scheme for the classification. In detail these four steps in a document called an information asset, the data Governance.. And compliance the form below to subscribe to our list and receive free. Unfair practices, for example, stealing proprietary data from their international rivals... Also, one should learn these types of data are collectively known as ‘ classified ’ data type of within. That the asset owner is usually responsible for controlling access to this in. For classifying the Company information that it improves future revenues or reduces future costs for ensuring sensitive.