mirror of https://github.com/strongdm/comply synced 2024-11-22 15:44:55 +00:00

Updated Table 3

Manisha Singh 2018-05-18 16:02:38 -07:00
parent a642c812e3
commit 491bd00b20


@ -7,8 +7,7 @@ majorRevisions:
- date: Jun 1 2018 - date: Jun 1 2018
comment: Initial document comment: Initial document
--- ---
# Appendices
#Appendices
Appendix A: Handling of Classified Information Appendix A: Handling of Classified Information
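Review bot: The `#Appendices` heading line has no space after the `#`. CommonMark and pandoc's default Markdown both require that space for an ATX heading, so the line would render as body text rather than as the section title. Keep `# Appendices`. The hunk header also shows one line fewer on the new side (8 to 7), so confirm the heading is still separated from the `---` front-matter terminator by a blank line.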
@ -44,43 +43,49 @@ a. When classifying information, the level of confidentiality is determined by:
i. Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment. i. Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
i. Legal, regulatory and contractual obligations. i. Legal, regulatory and contractual obligations.
a. Information must be classified based on confidentiality levels as defined in Table 3.
+-------------------+------------------+---------------------------+------------------+ +-------------------+------------------+---------------------------+---------------------------+
|**Confidentiality**| **Label** | **Classification** | **Access** | |**Confidentiality**| **Label** | **Classification** | **Access** |
| **Level** | | **Criteria** | **Restrictions** | | **Level** | | **Criteria** | **Restrictions** |
+===================+==================+===========================+==================+ +===================+==================+===========================+============================+
| Public | FOR PUBLIC | Making the information | Information | | Public | For Public | Making the information | Information is available |
| | RELEASE | public will not harm | is available to | | | Release | public will not harm | to the public. |
| | | the organization in | to the public. | | | | the organization in | |
| | | any way. | | | | | any way. | |
+-------------------+------------------+---------------------------+------------------+ +-------------------+------------------+---------------------------+---------------------------+
| Internal Use | INTERNAL USE | Unauthorized access | Information | | | | | |
| | | may cause minor damage | is available to | +-------------------+------------------+---------------------------+---------------------------+
| | | and/or inconvenience | all employees | | Internal Use | Internal Use | Unauthorized access | Information is available |
| | | to the organization. | and authorized | | | | may cause minor damage | to all employees and |
| | | | third parties. | | | | and/or inconvenience | authorized third parties. |
+-------------------+------------------+---------------------------+------------------+ | | | to the organization. |
| Restricted | RESTRICTED | Unauthorized access to | Information | +-------------------+------------------+---------------------------+---------------------------+
| | | information may cause | is available only| | | | | |
| | | considerable damage to | to a specific | +-------------------+------------------+---------------------------+---------------------------+
| | | the business and/or | group of | | Restricted | Restricted | Unauthorized access to | Information is available |
| | | the organization's | employees and | | | | information may cause | to a specific group of |
| | | reputation. | authorized third | | | | considerable damage to | employees and authhorized |
| | | | parties. | | | | the business and/or | third parties. |
+-------------------+------------------+---------------------------+------------------+ | | | the organization's | |
| Confidential | CONFIDENTIAL | Unauthorized access to | Information is | | | | reputation. | |
| | | information may cause | availalbe only to| +-------------------+------------------+---------------------------+---------------------------+
| | | catastrophic damage to | specific indivi- | | | | | |
| | | business and/or the | duals in the | +-------------------+------------------+---------------------------+---------------------------+
| | | organization's | organization. | | Confidential |Confidential | Unauthorized access to | Information is available |
| | | reputation. | | | | | information may cause | only to specific indivi- |
+-------------------+------------------+---------------------------+------------------+ | | | catastrophic damage to | duals in the |
| | | business and/or the | organization. |
| | | organization's reputation.| |
+-------------------+------------------+---------------------------+---------------------------+
Table 3: Information Confidentiality Levels Table 3: Information Confidentiality Levels
 
d. Information must be classified based on confidentiality levels as defined in Table 3.
e. Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs. e. Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
f. Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information. f. Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
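Review bot: The rewritten Table 3 grid is not consistent with itself, which risks a broken or misrendered table. The `=` header separator appears one character wider in the last column than the `-` borders above and below it, the `to the organization.` line of the Internal Use row appears to end after the third cell with no Access Restrictions cell, and each level is now followed by a row of empty cells that will render as a blank table row. Align every border to the same column widths, restore the missing cell, and drop the empty rows. In the Restricted row, `authhorized` should be `authorized`. The Confidential row still splits `indivi-` / `duals` across two cell lines even though the column was widened; write `individuals` on one line so it does not render as "indivi- duals". The `|Confidential` label cell is also missing its leading space.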