Information Classification Scheme

The document outlines HIC, Inc.'s Asset Identification and Classification Policy which defines four information classifications - Highly Sensitive, Sensitive, Internal, and Public. It assigns responsibilities to the CISO to develop and maintain the policy. Users are responsible for understanding the classifications and maintaining appropriate access controls. Failure to comply can result in disciplinary action up to termination. The detailed standard defines each classification, access permissions, and examples.

HIC, Inc.

Asset Identification and Classification Policy

I. Scope
All full-time, part-time, and temporary employees and contractors, health care providers,
health care clearinghouses, and health plans with authorized access to HIC, Inc. information
systems or data contained within, are covered by this policy and must comply with the
associated standard (Palmer, Robinson, Patilla, & Moser, 2000, p. 25).

II. Objectives
HIC, Inc. defines information classifications based on the sensitivity, criticality, and value of
the information. All information assets, whether generated internally or externally, must be
categorized into one of four information classifications: Highly Sensitive, Sensitive, Internal,
and Public (Johnson, 2015, p. 302). Information collections or documents made up of
information from different classifications shall be classified at the most restrictive level of
existing information contained within. Guidance for the classification of information can be
found in the Asset Identification and Classification Standard section of this policy (Palmer et
al., 2000, p. 25). This policy references a combination of mandatory and discretionary access
controls depending on whether the information is regulated or not.

III. Responsibilities
The Chief Information Security Officer (CISO) is responsible for the development,
implementation, and maintenance of the Asset Identification and Classification Policy and
associated standard (Palmer et al., 2000, p. 25).

Users are responsible for understanding the information classifications, abiding by the
implemented access controls, maintaining the information classification, and contacting the
HIC, Inc. data steward if information classifications are unknown (Palmer et al., 2000, p. 26).

IV. Policy Enforcement and Exception Handling
Failure to comply with the Asset Identification and Classification Policy can result in
disciplinary actions up to and including termination of employment for employees or
termination of contracts for contractors, health care providers, health care clearinghouses,
and health plans. Legal actions also may be taken for violations of applicable regulations and
laws (Palmer et al., 2000, p. 26).

V. Asset Identification and Classification Standard
The Asset Identification and Classification Standard defines each of the classification types
referenced in this policy, how to classify HIC, Inc. information assets, who is authorized to
access information within each classification category, user responsibilities for each
classification category, classification security labels, and information classification examples.

a. Highly Sensitive
i. Definition: Information that is critical to HIC, Inc. operations and/or regulated by
local, state, and/or federal governments. Unauthorized access to information in this
classification presents a risk of catastrophic disruptions to operations or financial
loss.
ii. Example(s): protected health information (PHI), electronic PHI (ePHI), personally
identifiable information (PII), HIC, Inc. financial information, encryption keys
(private)
iii. Access granted to (the “Grantee”):
1. Health providers have read/write access to PHI and ePHI after the health record
owner has provided express written consent.
2. Human resources, security departments, etc. have read/write access to employee
PII.
3. All others are granted read and/or write access to information classified as Highly
Sensitive based on the individual’s job role as determined by the HIC, Inc. data
steward.
iv. Grantee responsibilities and restrictions: Grantees must comply with all applicable
regulations and may not distribute Highly Sensitive information to others without the
express written consent of the information owner.
v. Security label(s): “CONFIDENTIAL - HIGH”, “PROTECTED HEALTH
INFORMATION”
b. Sensitive
i. Definition: Information that is important to HIC, Inc. operations. Unauthorized access
to information in this classification presents a risk of major disruptions to operations
or financial loss.
ii. Example(s): Health plan member lists, corporate network topologies
iii. Access granted to (the “Grantee”): Read and/or write access to information classified
as Sensitive is on a need-to-know basis and dependent on the individual’s job role as
determined by the HIC, Inc. data steward.
iv. Grantee responsibilities and restrictions: Grantees may not distribute Sensitive
information to others without information owner approval.
v. Security label(s): “CONFIDENTIAL – MEDIUM”
c. Internal
i. Definition: Information that is not related to HIC, Inc.'s core business operations.
Unauthorized access to information in this classification presents a risk of minor
disruptions to operations or financial loss.
ii. Example(s): Internal communications, internal website content
iii. Access granted to (the “Grantee”): Employees
iv. Grantee responsibilities and restrictions: Grantees may not distribute Internal
information externally without public information grantor approval.
v. Security label(s): “FOR INTERNAL USE ONLY”, “CONFIDENTIAL – LOW”
d. Public
i. Definition: Information that presents no risk of disruption to operations or financial
loss.
ii. Example(s): Press releases, HIC, Inc. website content (information accessible without
login credentials)
iii. Access granted to (the “Grantee”): The public and others external to HIC, Inc.
iv. Grantee responsibilities and restrictions: The grantee has no responsibilities
surrounding publicly available information. However, only those designated as public
information grantors may classify HIC, Inc. information as Public.
v. Security label(s): “APPROVED FOR PUBLIC USE”
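The classification rules above can be expressed as policy-as-code so that labelling and access decisions are consistent and testable. The following is an added example, not code from HIC, Inc. or the cited sources; the role names, the `kind` and `consents` fields, and the treatment of steward grants as a per-classification set are assumptions made for illustration, and the PHI rule is interpreted as requiring both a health provider role and the record owner's written consent.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    # Ordered so that a larger value is the more restrictive classification.
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


# First security label listed for each classification in section V.
LABELS = {
    Classification.PUBLIC: "APPROVED FOR PUBLIC USE",
    Classification.INTERNAL: "FOR INTERNAL USE ONLY",
    Classification.SENSITIVE: "CONFIDENTIAL - MEDIUM",
    Classification.HIGHLY_SENSITIVE: "CONFIDENTIAL - HIGH",
}


def aggregate(parts):
    """Section II: a collection takes the most restrictive classification of its parts."""
    if not parts:
        raise ValueError("an empty collection has no classification")
    return max(parts)


@dataclass
class Asset:
    classification: Classification
    kind: str = ""                       # assumed field: "PHI", "ePHI", "PII" or ""
    consents: set = field(default_factory=set)  # assumed: record owners who consented in writing


@dataclass
class Subject:
    role: str                            # assumed roles: health_provider, hr, security, employee, public
    steward_grants: set = field(default_factory=set)  # assumed: classifications granted by the data steward


def may_access(subject, asset, record_owner=None):
    """Apply the 'Access granted to' rules of section V for one subject and one asset."""
    c = asset.classification
    if c == Classification.PUBLIC:
        return True                                       # V.d.iii: anyone
    if c == Classification.INTERNAL:
        return subject.role != "public"                   # V.c.iii: employees only
    if c == Classification.SENSITIVE:
        return Classification.SENSITIVE in subject.steward_grants   # V.b.iii: need to know
    if asset.kind in ("PHI", "ePHI"):                     # V.a.iii.1: mandatory consent rule
        return subject.role == "health_provider" and record_owner in asset.consents
    if asset.kind == "PII" and subject.role in ("hr", "security"):   # V.a.iii.2
        return True
    return Classification.HIGHLY_SENSITIVE in subject.steward_grants  # V.a.iii.3
```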

VI. Review and Revision
The Asset Identification and Classification Policy will be reviewed and revised in accordance
with the HIC, Inc. Information Security Program Charter.

Approved: _________________________________________________________
Signature
Edward R. Locke
Chief Information Security Officer

References
Palmer, M., Robinson, C., Patilla, J., & Moser, E. (2000). META Security Group Information
Security Policy Framework: Best Practices for Security Policy in the Internet and
e-Commerce Age.

Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones
& Bartlett Learning.
