Asset Classification Policy

1. The document discusses the need for organizations to implement an asset classification policy to properly protect information resources. An effective policy requires defining information owners and their responsibility over classified assets.
2. The overview explains that classifying information helps employees understand what information needs protection. There are four aspects of classification: legal standpoint, control responsibility, integrity, and criticality. Classification also fits into the application development life cycle.
3. Information is classified to prioritize protection of valuable resources. Only about 10% of information provides competitive advantage, while most enables employee tasks. Classification distinguishes internal information from public information available on the organization's website.


Chapter 5

Asset Classification Policy

1 INTRODUCTION

With the U.S. Congress on full alert regarding the protection of information assets and
the international community certifying organizations to information security standards,
the requirement for an asset classification policy is at hand. As a security professional, it
is important to know that an asset or information classification policy is only one element
in the overall information management process. The Information Classification Policy
must be coupled with a Records Management Policy.
Any security standard or best practice must be founded on a solid foundation of an
asset classification. To ensure proper protection of our information resources, it is
necessary to define what an owner is and how that entity has ultimate responsibility for
the information assets within its business unit; this includes classification and assigning
retention requirements. By implementing an asset management scheme and supporting
methodology, we are able to determine required controls commensurate with the
sensitivity of the information as classified by the owner.
This chapter explores the need for both policies, examines the contents of these
policies, and then critiques various examples of these policies.

2 OVERVIEW

Information is an asset and the property of the organization. All employees are to protect
information from unauthorized access, modification, disclosure, and destruction. Before
employees can be expected to protect information, they must first understand what they
have. An information classification policy and methodology will provide them with the
help they need.
There are four essential aspects of information classification: (1) information
classification from a legal standpoint, (2) responsibility for care and control of
information, (3) integrity of the information, and (4) the criticality of the information and
systems processing the information. Examples of how the classification process fits into
the application and system development life cycle are presented to assist you in the
development of your own information classification process.
As discussed later in this chapter, information classification is only one of the
elements in an effective information management program. Knowing what we have and
how important it is to the organization is key to the success for the information security
program. The implementation of this program will require that representatives of the
organization be charged with exercising the organization’s proprietary rights. In addition,
Asset Classification Policy 75

a full inventory of these assets must be conducted with a requirement for annual review
established.

3 WHY CLASSIFY INFORMATION?

Organizations classify information in an effort to establish the appropriate levels of
protection for these resources (see Figure 1). Because resources are limited, it will be
necessary to prioritize and identify what really needs protection. One of the reasons to
classify information is to ensure that scarce resources exist where they will do the most
good. The return on investment for implementing an encryption system to protect public
domain information would not be considered a sound business decision. All information
is created equal, but not all information is of equal value.
Of all the information found within an enterprise, only about ten percent of it is
actually competitive advantage, trade secret, or personal information. The biggest portion
of organization information is that which employees must access in order to do their
assigned tasks. The remaining information is that which has been available to the public
through authorized channels. Information resources that are classified as public would
include annual stockholders’ reports, press releases, and other authorized public
announcements.

Figure 1. Information Classification Breakdown
An effective way of understanding the difference between internal use information and
public information is to picture your organization’s connection to the Internet. The Web
site and information contained on it that is outside your zone of protection is your public
information. Remember that posting information to the public Web site is only done by
the Web-master and with approval of the owner of the information. This is your
organization’s Internet connection.
Information Security Policies and Procedures 76

The portion of Internet access that is behind your zone of protection and contains
information for use by employees is your intranet connection. This area contains
information that is unavailable to the outside world but has been made accessible to
employees for use while performing their assigned tasks.
For years the information handling standard was that all information is closed until the
owner opens it. This worked well in the mainframe environment when access control
packages ruled the single platform of information processing. With the introduction of
the client/server environment and the multiple platforms operating situation, no one
access control package could handle all the needs. With decentralized processing and
then the move to connect to the Internet, the restrictions on information closure began to
weaken. The operating concept during this period was that all information was open until
the owner classified it and closed access to it.
Now we have gone full circle. As the decentralized processing environment matures
and national and international laws, statutes, and privacy concerns become stronger, the
information protection concept has reverted to: all information access is closed until the
owner opens it. For this to be effective, and to allow the organization to demonstrate
due diligence, it is incumbent upon the organization to establish an effective information
classification policy and supporting handling standards.
Most organizations do not have information that is all the same value or sensitivity. It
is necessary to at least develop an initial high-level attempt at classification. This should
be done if for no other reason than to ensure that budgeted resources are not misused in
over-protecting nonsensitive, noncritical information assets. Before employees can
protect information assets, they must first have a policy that identifies classification
levels and then a methodology to implement the policy requirements. An information
classification policy that is not overly complex and a methodology that relies on common
sense and is facilitated by either information security or records management will make
acceptance possible.

4 WHAT IS INFORMATION CLASSIFICATION?

An information or asset classification process is a business decision process. Information
is an asset of the organization and managers have been charged with protecting and
accounting for proper use of all assets. An information classification process will allow
managers to meet this fiduciary responsibility. The role of the information security
professional or even information systems personnel is one of advice and consulting. The
final decision is made by the business unit managers or, as we will define soon, the asset
owner.
When preparing to develop the information classification policy, it is important to get
input from the management team. As discussed in previous chapters, knowing what
management really wants will improve the quality of the overall policy. It is important
that you ask questions to find out what they mean. When my daughter was about seven or
eight years old, she came to me and asked, “Pa (that is what she calls me), where do we
come from?” Well, I pretended to not hear her so I could research my answer. The next
day I sat down with her and discussed the “facts of life” with her. She looked at me and
said, “I know all that. What I want to know is where we come from. Terri Lynn comes
from Tennessee and Pam comes from Kentucky.” So before you develop an answer,
make sure you understand the question.
When conducting interviews with management and other key personnel, develop a set
of questions to ensure a consistency in the direction of the responses. These questions
might include some of the following:
• What are the mission-critical or sensitive activities or operations?
• Where is mission-critical or sensitive information stored?
• Where is this information processed?
• Who requires access to this information?
There are no hard-and-fast rules for determining what constitutes sensitive information.
In some instances, it may be that the number of people who require access may affect the
classification. The real test of an information classification system is how easy is it for
the reader to understand what constitutes sensitive information and what organization-
approved label should be affixed to the information asset resource.

5 WHERE TO BEGIN?

After you have a clearer idea of what management is expecting, it is time to do some
research. I like to contact my fellow information security professionals and find out what
they have done to answer the problems I have been assigned. By being a member of the
Computer Security Institute (CSI), the Information System Security Association (ISSA),
and the Information Systems Audit and Control Association (ISACA), I have a ready
access to people in my area who are usually willing to share examples of their work.
When developing classification levels, I prefer to discuss the topic with fellow
professionals. I recommend that you cultivate contacts in similar business environments
and see what your peers are doing. The Internet can generate some examples of
classification policies, but many of them are university or government-agency-related. Be
careful of what you uncover in your research; while there are many good ideas and terms
out there, they are only good if they are applicable to your specific needs.
Use the information you gather from fellow professionals as a starting point. Your
organization will have its own unique variation on the classification policy and
categories. We examine a number of examples of information categories in the
subsequent subsection. If you are a government agency, or do work for a government
agency, be sure to check with your regulatory affairs group to see if there are any
government-imposed requirements.

5.1 Information Classification Category Examples


Using the information in Tables 1 and 2, the manager can determine the level of
criticality of an information asset.
The service provider shown in Table 3 has established five categories to be used by
managers in classifying information assets. Part of the reason for their use of these
categories is that they have experience with Department of Defense contracts and have
become accustomed to certain classification levels. The concern I have with patterning a
policy after a government standard is that there might be confusion regarding what is
government contact information and what is normal business information. Also, the
number of employees exposed to the government standards may impact the drafting of
these standards.
I recently discussed the classification scheme shown in Table 4 with the company that
created it to find out how they use the color coding. The sample “Information Security
Handbook” included in this book also uses color codes for information classification. The
company does not actually use the colors to color-code the documents. Instead, the
company identifies the level of classification but requires the footer to contain “Company
Red” or whatever color. It gives a good visual for the employees.
The company in Table 5 also requires that specific levels of information contain
appropriate markings to identify it as classified information. We discuss an Information
Handling Matrix later in this chapter. When you create your organization’s handling
requirements, use the following as thought starters:
• MAKE NO COPIES
• THIRD-PARTY CONFIDENTIAL
• ATTORNEY-CLIENT PRIVILEGED DOCUMENT
• DISTRIBUTION LIMITED TO_______
• COVERED BY A NON-ANALYSIS AGREEMENT
Table 1. Information Classification Category Example 1: Mega Oil Corporation
HIGHLY CONFIDENTIAL—Information whose unauthorized disclosure will cause the
corporation severe financial, legal, or reputation damage. Examples: acquisitions data, bid details,
and contract negotiation strategies.
CONFIDENTIAL—Information whose unauthorized disclosure may cause the corporation
financial, legal, or reputation damage. Examples: employee personnel and payroll files, and
competitive advantage information.
GENERAL—Information that, because of its personal, technical, or business sensitivity, is
restricted for use within the company. Unless otherwise classified, all information within Mega Oil
Corporation is in this category.
At this point in the classification scheme, this company has included a mechanism to establish the
criticality of the information. It has established its three information classification categories and
now adds three impact categories. Using these sets of definitions, the manager of the information
resources will be able to determine how critical the asset is to the company.
MAXIMUM—Information whose unauthorized modification and destruction will cause the
company severe financial, legal, or reputation damage.
MEDIUM—Information whose unauthorized modification and destruction may cause the company
financial, legal, or reputation damage. Examples: electronic funds transfer, payroll, and
commercial checks.
MINIMUM—Although an error in this data would be of minimal consequence, this is still
important company information and therefore will require some minimal controls to ensure a
minimal level of assurance that the integrity of the data is maintained. This applies to all data that is
not placed in one of the above classifications. Examples: lease production data, expense data,
financial data, and exploration data.
CRITICAL—It is important to assess the availability requirements of data, applications, and
systems. A business decision will be required to determine the length of unavailability that can be
tolerated prior to expending additional resources to ensure the information availability that is
required. Information should be labeled “CRITICAL” if it is determined that special procedures
should be used to ensure its availability.

Table 2. Criticality Matrix

                                     Classification Level
Business Impact      Highly Confidential      Confidential      General
Maximum                       1                     2              3
Medium                        2                     2              3
Minimum                       2                     3              4

1: Availability safeguards must be implemented.
2: Availability safeguards should be implemented.
3: Continue to monitor availability requirements.
4: No additional action is required at this time.
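As an added example (not code from the chapter or from any of the companies it quotes), the following Python applies the Table 2 matrix to a constructed asset inventory and, at the same time, flags the gaps the chapter says the owner must close: assets with no owner assigned, labels that are not in the agreed classification hierarchy, and entries that have missed the annual review called for in the overview. The inventory record fields, the treatment of unlabeled information as GENERAL with MINIMUM impact (the Table 1 defaults), the 365-day review period, and all sample data are assumptions of this example.

```python
"""Inventory check against a classification scheme and criticality matrix.

Added example; not the chapter's own code. Labels follow the Mega Oil
Corporation categories of Table 1, action codes follow Table 2. The record
format (asset, owner, classification, impact, last_review) is assumed.
"""
from datetime import date, timedelta

# Table 2: (business impact, classification level) -> action code
CRITICALITY = {
    ("Maximum", "Highly Confidential"): 1,
    ("Maximum", "Confidential"): 2,
    ("Maximum", "General"): 3,
    ("Medium", "Highly Confidential"): 2,
    ("Medium", "Confidential"): 2,
    ("Medium", "General"): 3,
    ("Minimum", "Highly Confidential"): 2,
    ("Minimum", "Confidential"): 3,
    ("Minimum", "General"): 4,
}
ACTIONS = {
    1: "Availability safeguards must be implemented.",
    2: "Availability safeguards should be implemented.",
    3: "Continue to monitor availability requirements.",
    4: "No additional action is required at this time.",
}
CLASSIFICATIONS = ("Highly Confidential", "Confidential", "General")
IMPACTS = ("Maximum", "Medium", "Minimum")
REVIEW_PERIOD = timedelta(days=365)  # annual review requirement (assumed as 365 days)


def normalize(record):
    """Apply the scheme's defaults (Table 1: unlabeled information is GENERAL,
    unrated data is MINIMUM) and reject labels outside the agreed hierarchy."""
    issues = []
    cls = record.get("classification") or "General"
    imp = record.get("impact") or "Minimum"
    if cls not in CLASSIFICATIONS:
        issues.append(f"classification label '{cls}' is not in the agreed hierarchy")
        cls = None
    if imp not in IMPACTS:
        issues.append(f"impact label '{imp}' is not in the agreed hierarchy")
        imp = None
    return cls, imp, issues


def review_asset(record, today):
    """Rate one inventory record with Table 2 and list the owner's open items."""
    cls, imp, issues = normalize(record)
    if not record.get("owner"):
        issues.append("no owner assigned; nobody can grant access or set retention")
    last = record.get("last_review")
    if last is None:
        issues.append("never reviewed")
    elif today - last > REVIEW_PERIOD:
        overdue = (today - last - REVIEW_PERIOD).days
        issues.append(f"annual review overdue by {overdue} days")
    code = CRITICALITY[(imp, cls)] if cls and imp else None
    return {
        "asset": record["asset"],
        "action_code": code,
        "action": ACTIONS.get(code, "Cannot rate: correct the labels first."),
        "issues": issues,
    }


def review_inventory(inventory, today):
    return [review_asset(r, today) for r in inventory]


# Constructed sample inventory; the assets, owners and dates are invented.
SAMPLE_INVENTORY = [
    {"asset": "acquisitions-data", "owner": "VP Corporate Development",
     "classification": "Highly Confidential", "impact": "Maximum",
     "last_review": date(2024, 3, 1)},
    {"asset": "payroll-files", "owner": "Director HR",
     "classification": "Confidential", "impact": "Medium",
     "last_review": date(2022, 11, 15)},
    {"asset": "cafeteria-menu", "owner": None,
     "classification": None, "impact": None,
     "last_review": date(2024, 6, 1)},
    {"asset": "bid-details", "owner": "VP Sales",
     "classification": "Secret", "impact": "Maximum",
     "last_review": None},
]
AS_OF = date(2024, 9, 1)  # constructed review date


def run_sample():
    return review_inventory(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['asset']}: code {finding['action_code']} - {finding['action']}")
        for issue in finding["issues"]:
            print("   -", issue)
```

The rating and the open items are kept separate on purpose: a record with an unrecognized label such as "Secret" gets no action code at all rather than a guessed one, which matches the chapter's point that a label outside the agreed hierarchy is a policy problem, not a safeguard decision.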

Table 3. Information Classification Category Example 2: International Service Provider
Top Secret—Information that, if disclosed, could cause severe impact to the company’s competitive
advantage or business strategies.
Confidential—Information that, if disclosed, could violate the privacy of individuals, reduce
competitive advantage, or damage the company.
Restricted—Information that is available to a specific subset of the employee population when
conducting company business.
Internal Use—Information that is intended for use by all employees when conducting company
business.
Public—Information that has been made available to the public through authorized company
channels.

Table 4. Information Classification Category Example 3: Global Manufacturer
Company Confidential Red—Provides a significant competitive advantage. Disclosure would cause
severe damage to operations. Relates to or describes a long-term strategy or critical business plans.
Disclosure would cause regulatory or contractual liability. Disclosure would cause severe damage
to our reputation or the public image. Disclosure would cause a severe loss of market share or the
ability to be first to market. Disclosure would cause a loss of an important customer, shareholder,
or business partner. Disclosure would cause a long-term or severe drop in stock value. Strong
likelihood somebody is seeking to acquire this information.
Company Confidential Yellow—Provides a competitive advantage. Disclosure could cause
moderate damage to the company or an individual. Relates to or describes an important part of the
operational direction of the company over time. Provides important technical or financial aspects of
a product line or a business unit. Disclosure could cause a loss of Customer or Shareholder
confidence. Disclosure could cause a temporary drop in stock value. Very likely that some third
party would seek to acquire this information.
Company Confidential Green—Might provide a business advantage over those who do not have
access to the same information. Might be useful to a competitor. Not easily identifiable by
inspection of a product. Not generally known outside the company or available from public
sources. Generally available internally. Little competitive interest.
Company Public—Would not provide a business or competitive advantage. Routinely made
available to interested members of the General Public. Little or no competitive interest.

6 RESIST THE URGE TO ADD CATEGORIES

Keep the number of information classification categories to a minimum. If two possible
categories do not require substantially different treatment, then combine them. The more
categories available, the greater the chance for confusion among managers and
employees. Normally, three or four categories should be sufficient to meet the
organization’s needs.
Table 5. Information Classification Category Example 4
Company CONFIDENTIAL—A subset of Company Internal information, the unauthorized
disclosure or compromise of which would likely have an adverse impact on the company’s
competitive position, tarnish its reputation, or embarrass an individual. Examples: customer,
financial, pricing, or personnel data; merger/acquisition, product, or marketing plans; new product
designs, proprietary processes, and systems.
Company INTERNAL—All forms of proprietary information originated or owned by the Company,
or entrusted to it by others. Examples: organization charts, policies, procedures, phone directories,
some types of training materials.
Company PUBLIC—Information officially released by the Company for widespread public
disclosure. Example: press releases, public marketing materials, employment advertising, annual
reports, product brochures, the public Web site, etc.
Additionally, avoid the impulse to classify everything the same. To simplify the
classification process, some organizations have flirted with having everything classified
as confidential. The problem with this concept is that confidential information requires
special handling. This would violate the concept of placing controls only where they are
actually needed, and would require the organization to waste limited resources protecting
assets that do not really require that level of control.
Another pitfall to avoid is to take the information classification categories developed
by another enterprise and adopt them verbatim as one’s own. Use the information created
by other organizations to assist in the creation of the organization’s unique set of
categories and definitions.
In some government sectors, there are five categories for information classification
(Top Secret, Secret, Confidential, Restricted, and Unclassified). In addition to these
categories, there are additional impact levels of Sensitive and Nonsensitive. Using this
scheme, it would be possible to have an information asset of higher concern if it is
classified Restricted/Sensitive compared to one that was classified
Confidential/Nonsensitive. In addition, information labeled as Unclassified has the
classification level of Unclassified, so it has actually been classified. Sometimes I think
Joseph Heller in Catch 22 actually established a guideline for government and industry to
use when developing standards and policies.

7 WHAT CONSTITUTES CONFIDENTIAL INFORMATION?

There are a number of ways to look at information that may be classified as confidential.
A number of statements relating to confidential information are examined below. The
first is a general statement about sensitive information.
For a general definition of what might constitute confidential information, it may be
sufficient to define such information as:

Information, if disclosed, could violate the privacy of individuals, reduce
the company’s competitive advantage, or cause damage to the
organization.

The Economic Espionage Act of 1996 (EEA) defines “trade secret” information to
include “all forms and types of financial, business, scientific, technical, economic, or
engineering information,” regardless of “how it is stored, compiled, or memorialized.”
The EEA criminalizes the actions of anyone who:
• Steals or, without authorization, appropriates, takes, carries away, or conceals, or by
fraud, artifice, or deception obtains a trade secret
• Without authorization, copies, duplicates, sketches, draws, photographs, downloads,
uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails,
communicates, or conveys a trade secret
• Receives, buys, or possesses a trade secret, knowing the same to have been stolen or
appropriated, obtained, or converted without authorization
• Conspires with one or more other persons to commit any offense described in any part
of the EEA under the heading “conspiracy”
The information classification policy that you will be developing will address
organization-confidential information. Typically, this type of information consists of
either competitive-advantage or trade secret information or personal information.
The laws regarding trade secret information were developed from the duty of good
faith imposed generally in commercial dealings. A trade secret is commonly defined as
information deriving actual or potential economic value by virtue of its not being readily
ascertainable through proper means by the public, and which is the subject of reasonable
efforts to maintain its secrecy. The legal system protects the owner (in our case, the
organization) from someone who uses improper means to learn the trade secret, either
directly or indirectly. Therefore, anyone using improper means to learn the trade secret
has breached a duty of good faith dealing with the trade secret owner.
The breach of that duty of good faith usually takes the form of an abuse of a
confidence, the use of improper means to ascertain the secret, or a breach of contract.
Anyone involved in the breach of that duty is liable for trade secret stealing.
The laws and requirements governing trade secret and competitive-advantage
information are well established and carry substantial penalties for noncompliance (see
Figure 2). The area of personal information has become a hotter topic during the past couple of
years. The passage of the Health Insurance Portability and Accountability Act (HIPAA),
the Gramm-Leach-Bliley Act (GLBA), and European Union privacy laws, together with organizations
such as Privacy International, is working to increase the safeguards required for personal
information.

Figure 2. Data Protection Laws around the World. Source: Privacy International. Used with permission.
Any policy and supporting standards on information classification levels must take
into account not only the trade secret and competitive-advantage information, but must
also include any personal information about employees, customers, clients, and other
third parties.
Earlier in this chapter we examined a number of examples of information
classification categories. Now we discuss one other important element: the role of
employees in the information classification process.
8 EMPLOYEE RESPONSIBILITIES

When I was doing research for this section of the book, I came across the following
policy statement:

The “Information Owner” means the party who confides the referenced
Confidential Information to the other party, the Confidant. Despite the
name, the Information Owner benefits from a Confidentiality Engagement
with respect to Confidential Information that it owns or possesses.

These two sentences have five terms that require the reader to get further definitions. As I
attempted to determine exactly what it means to “confide,” I was sent to a hypertext page
that explained that it meant to “entrust” the information to a “confidant,” which means
the “party receiving the information,” and at that point I started looking elsewhere for
examples.
The two lines of policy above provide a good example of what should be avoided
when you are writing a policy—or writing anything. The document just referenced came
from an organization with strong roots in the legal and government sector. If this is your
audience, then this is the language for you. If not, try to think like Henry David Thoreau
and simplify.
There are typically three areas of employee responsibility: owner, user, and custodian.
We discuss each of these concepts and examine how other organizations have defined
these responsibilities.

8.1 Owner
The information owner is the entity within the organization that has been assigned the
responsibility to exercise the organization’s proprietary rights and grant access privileges
to those with a true business need. This role is normally assigned to the senior level
manager within the business unit where the information asset was created, or is the
primary user of that asset. The manager will have the ultimate responsibility for
compliance, but will probably delegate the day-to-day activities to some individual who
reports to him or her.

Information owner: the person who creates or initiates the creation or
storage of the information is the initial owner. In an organization,
possibly with divisions, departments, and sections, the owner becomes the
unit itself with the person responsible being designated as the “head” of
the unit

The Information owner is responsible for ensuring that:
• A classification hierarchy is agreed upon and it is appropriate for the types of
information processed for that business unit.
• Classify all information stored into the agreed types and create an inventory (listing) of
each type.
• For each document or file within each of the classification categories, append its agreed
(confidentiality) classification. Its availability should be determined by the respective
classification.
• Ensure that, for each classification type, the appropriate level of information security
safeguards is available; for example, the log-on controls and access permissions
applied by the Information Custodian provide the required levels of confidentiality.
• Periodically check to ensure that information continues to be classified appropriately
and that the safeguards remain valid and operative.
I am not certain what being designated “head” actually means, but I do not believe I
would want that title. The term “initial owner” may also lead the reader to believe that
someone else may come along and become the “final” or “ultimate” leader.
We now review the owner definition from a global media organization.

Owners are authorized employees to whom responsibility has been
delegated for the creation and/or use of specific business data by the
business unit that “owns” the data. Owners are responsible for defining
requirements for safeguards that assure the confidentiality, availability,
and integrity of the information. Owners are also responsible for placing
information in the proper classification so that those who need the
information to perform their assigned duties can obtain it. The owner
provides requirements for security for the information to the custodian.
The custodian implements the controls to meet the owner’s requirements.

This is a fairly good definition. The only element that I might add is the requirement that
the owner monitor the safeguards to ensure custodian compliance. Let us examine one
more example.

A. Owner: the Company management of an organizational unit,
department, etc. where the information is created, or that is the primary
user of the information. Owners have the responsibility to:
• Identify the classification level of all corporate information within their
organizational unit
• Define and implement appropriate safeguards to ensure the
confidentiality, integrity, and availability of the information resource
• Monitor safeguards to ensure their compliance and report situations of
non-compliance
• Authorize access to those who have a business need for the information
• Remove access from those who no longer have a business need for the
information

We see variations on this definition in the following section.

8.2 Custodian
The next responsibility we have to create is that of the information custodian. This entity
is responsible for protecting the information asset based on the requirements established
by the owner. In an organization that has an information systems organization, the
operations group might be considered the custodian of client data and information. They
do not have the right to permit anyone access to the information asset, nor can they alter
that information in any way without approval from the owner. This would include any
programming or system upgrades that would modify the information or the output from
applications and transactions.

An Information Custodian is the person responsible for overseeing and implementing the necessary safeguards to protect assets, at the level classified by the Information Owner.
This could be the System Administrator, controlling access to a computer network; or a specific application program or even a standard filing cabinet.

This example started out well but finished oddly. Giving examples of what might be
considered a custodian is good. Trying to liken a filing cabinet to the opening sentence
where the policy identifies the custodian as a “person” is not. Remember that when you
are writing, go back and read what you just wrote to make sure the concepts match from
beginning to end. Do not try to be cute. Stick to what the subject is, and make sure you
say exactly what needs to be said.

Custodians are authorized system support persons or organizations (employees, contractors, consultants, vendors, etc.) responsible for maintaining the safeguards established by owners. The owner designates the custodian. The Custodian is the “steward of the data” for the owner; that is, the Data Center may be the Custodian for business applications “owned” by a Business Unit.

The use of the term “steward of the data” brings out a point that needs to be made. Some
organizations and cultures prefer other terms than the ones discussed here. When I was
younger, I played Pony League baseball for a team called the “Custodians.” Our uniforms
were the most realistic because we had the name on the front and number on the back.
The other teams had names like “Tigers” and “Braves” but had some advertisement about
their sponsor on the back. It was not until we played a few games that the other team
started calling us the janitors. Custodian to some is a noble name; to others, maybe not so
noble. So choose your terms wisely. Curator, Keeper, and Guardian are other terms that
might work.
Recently we were doing work for HIPAA compliance. While developing policies for a
hospital, we discussed the definition for “user.” The hospital staff started to chuckle and
told us that the term “user” had a totally different meaning there and we needed to find
another term.
Information Security Policies and Procedures 86

B. Custodian: employees designated by the Owner to be responsible for maintaining the safeguards established by the Owner.

It is important to remember that when we use the term “employee,” we are actually
discussing the virtual employee. We can only write policy for employees; for all third
parties, a contract must contain compliance language. So it is perfectly acceptable to
identify “employees” even if we know that someone other than an employee may actually
perform the function. This is true for all employee responsibilities except “owner.” The
owner must be an employee; after all, it is the organization’s information.

8.3 User
The final element is the user. The owner grants permission to access the information asset
to this individual. The user must use the information in the manner agreed upon with the
owner. The user has no other rights. When granting access, the owner should use the
concept of “least privilege.” This means that users are granted only the access they
specifically need to perform their business task, and no more.

An Information User is the person responsible for viewing, amending, or updating the content of the information assets. This can be any user of the information in the inventory created by the Information Owner.

The inventory discussed here will be addressed in both the classification policy and the
records management policy. Who has been assigned access also needs to be tracked. The
Custodian is generally responsible for providing the tools to monitor the user list.

Users are authorized system users (employees, contractors, consultants, vendors, etc.) responsible for using and safeguarding information under their control according to the directions of the Owner. Users are authorized access to information by the Owner.

The final example is similar to the definition used above.

C. User: employees authorized by the Owner to access information and use the safeguards established by the Owner.

9 CLASSIFICATION EXAMPLES

In this section we examine attributes and examples of different classification categories.
We also present examples of organization information classification policies.

9.1 Example 1
Critique of Example 1 (Table 6): This is an actual classification policy (very high level)
for the executive branch of a national government. There is little here to help the average
user. This is an example of a Program or General Policy Statement; however, a Topic-
Specific Policy Statement might have been more beneficial. Perhaps the next two
examples will provide more information.

9.2 Example 2
Critique of Example 2 (Table 7): The policy seems to stress competitive advantage
information in its opening paragraphs. It does not appear to address personal information
about employees or customers. It does provide for these topics as categories under
Confidential but it never really mentions them by name. This appears to be a policy that
is somewhat limited in scope. Additionally, it does not establish the scope of the
information (is it computer generated only, or exactly what information is being
addressed). The employee responsibilities are missing. What is management’s
responsibility with respect to information classification, and what is expected of the
employees? Finally, what are the consequences of noncompliance?
Table 6. Information Classification Policy Example 1
Information Classification
Policy: Security classifications should be used to indicate the need and priorities for security
protection.
Objective: To ensure that information assets receive an appropriate level of protection.
Statement: Information has varying degrees of sensitivity and criticality. Some items may require
an additional level of security protection or special handling. A security classification system
should be used to define an appropriate set of security protection levels, and to communicate the
need for special handling measures to users.

Table 7. Information Classification Policy Example 2
Classification Requirements
Classified data is information developed by the organization with some effort and some expense or investment that provides the organization with a competitive advantage in its relevant industry and that the organization wishes to protect from disclosure.
While defining information protection is a difficult task, four elements serve as the basis for a classification scheme:
• The information must be of some value to the organization and its competitors so that it provides some demonstrable competitive advantage.
• The information must be the result of some minimal expense or investment by the organization.
• The information is somewhat unique in that it is not generally known in the industry or to the public or may not be readily ascertained.
• The information must be maintained as a relative secret, both within and outside the organization, with reasonable precautions against disclosure of the information. Access to such information could only result from disregarding established standards or from using illegal means.
Top Secret (Secret, Highly Confidential)
Attributes:
• Provides the organization with a very significant competitive edge
• Is of such a nature that unauthorized disclosure would cause severe damage to the organization
• Shows specific business strategies and major directions
• Is essential to the technical or financial success of a product
Examples:
• Specific operating plans, marketing strategies
• Specific descriptions of unique parts or materials, technology intent statements, new technologies, and research
• Specific business strategies and major directions
Confidential (Sensitive, Personal, Privileged)
Attributes:
• Provides the organization with a significant competitive edge
• Is of such a nature that unauthorized disclosure would cause damage to the organization
• Shows operational direction over an extended period of time
• Is extremely important to the technical or financial success of a product
Examples:
• Consolidated revenue, cost, profit, or other financial results
• Operating plans, marketing strategies
• Descriptions of unique parts or materials, technology intent statements, new technological studies, and research
• Market requirements, technologies, product plans, revenues
Restricted (Internal Use)
Attributes:
• All business-related information requiring baseline security protection, but failing to meet the specified criteria for higher classification
• Information that is intended for use by employees when conducting company business
Examples:
• Business information
• Organization policies, standards, procedures
• Internal organization announcements
Public (Unclassified)
Attributes:
• Information that, due to its content and context, requires no special protection, or
• Information that has been made available for public distribution through authorized company channels
Examples:
• Online public information, Web site information
• Internal correspondence, memoranda, and documentation that do not merit special controls
• Public corporate announcements

9.3 Example 3
Critique of Example 3 (Table 8): Examples 2 and 3 are very similar; this one does
address the role of the Owner but it fails to define what an Owner is. The issue of
noncompliance is not addressed and the scope of the policy is vague.

9.4 Example 4
Critique of Example 4 (Table 9): The intent of the policy is stated as “Information is a
corporate asset and is the property of Corporation.” The scope of the policy is “Corporate
information includes electronically generated, printed, filmed, typed, or stored.” The
responsibilities are well established. The issue of compliance is the only policy element
that appears to be lacking.

10 DECLASSIFICATION OR RECLASSIFICATION OF INFORMATION

Classified information normally declines in sensitivity with the passage of time.
Downgrading should be as automatic as possible. If the information owner knows the
date that the information should be reclassified, then it might be labeled as Confidential
until (date). There should be an established review process for all information classified
as Confidential, and the information should be reclassified when it no longer meets the
criteria established for that classification.
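The date-driven downgrade and review process described above, as an added example (not the book's own material): the label grammar “CONFIDENTIAL until YYYY-MM-DD”, the Record fields, the one-step downgrade path and the sample records are assumptions made for this example.

```python
"""Date-driven downgrading and review flagging for classified records.

Added example, not taken from the book. Assumptions: a label is a level
optionally followed by "until YYYY-MM-DD"; once that date is reached the
record drops one level; Confidential records with no scheduled date must
have been reviewed by their owner within the last year.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed label grammar: a level, optionally followed by "until YYYY-MM-DD".
LABEL_RE = re.compile(
    r"^(?P<level>CONFIDENTIAL|INTERNAL USE|PUBLIC)"
    r"(?:\s+until\s+(?P<until>\d{4}-\d{2}-\d{2}))?$",
    re.IGNORECASE,
)

# Assumed downgrade path once the scheduled date passes: one level down.
NEXT_LOWER = {"CONFIDENTIAL": "INTERNAL USE", "INTERNAL USE": "PUBLIC", "PUBLIC": "PUBLIC"}

# The owner's review date for Confidential information may not exceed one year.
REVIEW_INTERVAL = timedelta(days=365)

# Reference date used by the sample run below (constructed).
TODAY = date(2025, 1, 15)


@dataclass
class Record:
    name: str
    label: str         # e.g. "CONFIDENTIAL until 2024-12-31"
    last_review: date  # when the owner last confirmed the classification


def parse_label(label: str) -> Tuple[str, Optional[date]]:
    """Split a label into (LEVEL, scheduled reclassification date or None)."""
    m = LABEL_RE.match(label.strip())
    if m is None:
        raise ValueError(f"unrecognised classification label: {label!r}")
    until = date.fromisoformat(m.group("until")) if m.group("until") else None
    return m.group("level").upper(), until


def effective_level(label: str, today: date) -> str:
    """Classification in force on `today`: downgrade automatically once the
    scheduled date has been reached, otherwise keep the labelled level."""
    level, until = parse_label(label)
    if until is not None and today >= until:
        return NEXT_LOWER[level]
    return level


def review_findings(records: List[Record], today: date) -> List[Tuple[str, str]]:
    """Return (record name, finding) pairs the information owner must act on:
    records whose scheduled date has passed (relabel them), and Confidential
    records with no scheduled date whose last review is older than a year."""
    findings = []
    for rec in records:
        labelled, until = parse_label(rec.label)
        current = effective_level(rec.label, today)
        if current != labelled:
            findings.append((rec.name, f"relabel as {current}: scheduled date {until} has passed"))
        elif (current == "CONFIDENTIAL" and until is None
              and today - rec.last_review > REVIEW_INTERVAL):
            findings.append((rec.name, f"review overdue: last reviewed {rec.last_review}"))
    return findings


# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("merger plan", "CONFIDENTIAL until 2024-12-31", date(2024, 1, 10)),
    Record("salary file", "CONFIDENTIAL", date(2023, 11, 1)),
    Record("phone book", "Internal Use", date(2022, 6, 1)),
    Record("press release", "PUBLIC", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for name, finding in review_findings(SAMPLE_RECORDS, TODAY):
        print(f"{name}: {finding}")
```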
Table 8. Information Classification Example 3
Information Classification
Introduction
Information, wherever it is handled or stored (for example, in computers, file cabinets, desktops, fax machines, voice-mail), needs to be protected from unauthorized access, modification, disclosure, and destruction. All information is not created equal. Consequently, segmentation or classification of information into categories is necessary to help identify a framework for evaluating the information’s relative value and the appropriate controls required to preserve its value to the company.
Three basic classifications of information have been established. Organizations may define additional sub-classifications as necessary to complete their framework for evaluating and preserving information under their control.
When information does require protection, the protection must be consistent. Often, strict access controls are applied to data stored in the mainframe computers but not applied to office workstations. Whether in a mainframe, client/server, workstation, file cabinet, desk drawer, waste basket, or in the mail, information should be subject to appropriate and consistent protection.
The definitions and responsibilities described below represent the minimum level of detail necessary for all organizations across the company. Each organization may decide that additional detail is necessary to adequately implement information classification within their organization.
Corporate Policy:
All information must be classified by the owner into one of three classifications: Confidential, Internal Use, or Public. (From: Company Policy on Information Management)
Confidential
Definition
Information that, if disclosed, could:
• Violate the privacy of individuals
• Reduce the company’s competitive advantage
• Cause damage to the company
Examples
Some examples of Confidential information are:
• Personnel records (including name, address, phone, salary, performance rating, social security number, date of birth, marital status, career path, number of dependents, etc.)
• Customer information (including name, address, phone number, energy consumption, credit history, social security number, etc.)
• Shareholder information (including name, address, phone number, number of shares held, social security number, etc.)
• Vendor information (name, address, product pricing specific to the company, etc.)
• Health insurance records (including medical, prescription and psychological records)
• Specific operating plans, marketing plans, or strategies
• Consolidated revenue, cost, profit, or other financial results that are not public record
• Descriptions of unique parts or materials, technology intent statements, or new technologies and research that are not public record
• Specific business strategies and directions
• Major changes in the company’s management structure
• Information that requires special skill or training to interpret and employ correctly, such as design or specification files
If any of these items can be found freely and openly in public records, the company’s obligation to protect from disclosure is waived.
Internal Use
Definition
Classify information as Internal Use when the information is intended for use by employees when conducting company business.
Examples
Some examples of Internal Use information are:
• Operational business information/reports
• Non-company information that is subject to a non-disclosure agreement with another company
• Company phone book
• Corporate policies, standards, and procedures
• Internal company announcements
Public
Definition
Classify information as Public if the information has been made available for public distribution through authorized company channels. Public information is not sensitive in context or content, and requires no special protection.
Examples
The following are examples of Public information:
• Corporate Annual Report
• Information specifically generated for public consumption, such as public service bulletins, marketing brochures, and advertisements

Part of an effective information classification program is the ability to combine the
requirements with a Records Management Policy. Information assets must be protected,
stored, and then destroyed based on a policy and a set of standards. The information
classification policy will ensure that an owner is assigned to each asset, that a proper
classification is assigned, and that an information handling set of standards will help
maintain control of information copies.
The Records Management Policy will require that the owner provide a brief
description of the information record and the record retention requirements. These
requirements will be a set of standards that support the Records Management Policy.
We next briefly examine what is typically part of a Records Management Policy.
Table 9. Information Classification Policy Example 4
Information Management
General
Corporate information includes electronically generated, printed, filmed, typed, or stored.
Information is a corporate asset and is the property of Corporation.
Information Retention
Each organization shall retain information necessary to the conduct of business.
Each organizational unit shall establish and administer a records management schedule in compliance with applicable laws and regulations, and professional standards and practices, and be compatible with Corporate goals and expectations.
Information Protection
Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.
Employees are responsible for protecting corporate information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of corporate information, employee responsibilities have been established at three levels: Owner, Custodian, and User.
Owner: Company management of the organizational unit where the information is created, or management of the organizational unit that is the primary user of the information. Owners are responsible to:
• Identify the classification level of all corporate information within their organizational unit
• Define appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
• Monitor safeguards to ensure they are properly implemented
• Authorize access to those who have a business need for the information
• Remove access from those who no longer have a business need for the information
Custodian: Employees designated by the owner to be responsible for maintaining the safeguards established by the owner.
User: Employees authorized by the owner to access information and use the safeguards established by the owner.
Each Vice President shall appoint an Organization Information Protection Coordinator who will administer an information protection program that appropriately classifies and protects corporate information under the Vice President’s control and makes employees aware of the importance of information and methods for its protection.
Information Classification: To ensure the proper protection of corporate information, the owner shall use a formal review process to classify information into one of the following classifications:
• Public: Information that has been made available for public distribution through authorized company channels. (Refer to Communication Policy for more information.)
• Confidential: Information that, if disclosed, could violate the privacy of individuals, reduce the company’s competitive advantage, or could cause significant damage to the company.
• Internal Use: Information that is intended for use by all employees when conducting company business. Most information used in the company would be classified Internal Use.

11 RECORDS MANAGEMENT POLICY

An organization’s records are one of its most important and valuable assets. Almost every
employee is responsible for creating or maintaining organization records of some kind,
whether in the form of paper, computer data, optical disk, electronic mail, or voice-mail.
Letters, memoranda, and contracts are obviously information records, as are things such
as a desk calendar, an appointment book, or an expense record.
Organizations are required by law to maintain certain types of records, usually for a
specified period of time. The failure to retain such documents for these minimum time
periods can subject an organization to penalties, fines, or other sanctions, or could put it
at a serious disadvantage in litigation. Therefore, every organization should implement a
Records Management Policy to provide standards for maintaining complete and accurate
records in order to ensure that employees are aware of what records to keep and for how
long, what records to dispose of, and how to dispose of them.
The cost of storage and the administrative problems involved in retaining material beyond
its useful life are two more important reasons to establish a Records Management Policy.
Consideration should also be given to the impact that a failure to produce subpoenaed
records might have on the organization when defending itself against a lawsuit.
Determining the proper retention periods for information records is a requirement in
today’s operating environment. Information records should be kept only as long as they
serve a useful purpose, or until legal requirements are met. At the end of the retention
period, records should be destroyed in a verifiable manner. Implementing effective
information classification and records management policies makes sound business sense
and shows that management is practicing its due diligence.
Before drafting a Records Management Policy, consult with your legal staff to ensure
that the policy reflects any relevant statutes. The retention standards that support the
policy should be reviewed annually when an information asset inventory is conducted
organization-wide.

11.1 Sample Records Management Policy
See Table 10.

12 INFORMATION HANDLING STANDARDS MATRIX

Later in the book we discuss standards and how they support the implementation of the
policy. Because information classification and records management are unique in their
standards requirements, I thought it appropriate to give examples now of what these
standards might look like. When you are developing your standards, use these as a
guideline—not a standard.

12.1 Printed Material
See Table 11.

12.2 Electronically Stored Information
See Table 12.

12.3 Electronically Transmitted Information
See Table 13.

12.4 Records Management Retention Schedule
See Table 14.

13 INFORMATION CLASSIFICATION METHODOLOGY

The final element in an effective information classification process is to provide
management and employees with a method for evaluating information and an indication
of how it should be classified. To accomplish this, it may be necessary to create an
information classification worksheet (see Exhibit 8). These worksheets can be used by the
business units to determine what classification of information they have within their
organization.
To complete this worksheet, the employee would fill in the information requested at
the top of the sheet:
• Organization: the department designated as the information owner.
• Group: the reporting group of the individual performing the information classification
process.
• Review performed by/Phone: the name and phone number of the individual performing
the review.
• Date: the date of the review.
• Information Name/Description: an identifier and description of the information being
reviewed.
Table 10. Sample Records Management Policy
Records Management Policy
Introduction
It is the policy of the Company to accommodate the timely storage, retrieval, and disposition of
records created, utilized, and maintained by the various departments. The period of time that
records are maintained is based on the minimum requirements set forth in State and Federal
retention schedules.
1. Role of Retention Center
The role of the Retention Center is to receive, maintain, destroy, and service inactive records that
have not met their disposition date. Each business unit is to establish schedules to comply with the
minimum amount of time records should be maintained in compliance with State and Federal
guidelines. Retention requirements apply whether or not the records are transferred to the Retention
Center. Copies of the schedules must be maintained by the business unit and available for
inspection.
2. Role of Records Manager
The role of the Records Manager is to administer the Records Management program. The Records
Manager is well acquainted with all records and/or record groups within an agency and has
expertise in all aspects of records management. The duties of the Records Manager include
planning, development, and administration of records management policies. These duties also
include the annual organization-wide inventory of all information assets to be conducted by the
business unit manager with reports sent to the Records Manager.
3. Role of Management Personnel
Management Personnel are responsible for records under their control.
4. Role of Departmental Records Coordinator
The Departmental Records Coordinator is to be a liaison between the department and the Retention
Center. It is recommended that each department appoint a Records Coordinator in writing. The
letter of appointment should include the Records Coordinator’s full name, department, and
telephone extension. The letter should be forwarded to the Retention Center and maintained on file.
5. Type of Documents Maintained in Retention Center
5.1 Record Retention accepts only public records that are referenced in the State Retention
Schedule, except student transcripts. Copies of student transcripts may be obtained from
Records and Admissions located at the Student Service Center.
5.2 Record Retention does not accept personal, active, or non-records.
5.3 Record Retention stores only inactive and permanent records until final disposition
according to State and Federal retention schedules. Examples include personnel files,
purchase orders, grade books, or surveys.
5.4 Record Retention receives and stores inactive permanent records from TVI departments
until final disposition according to State and Federal retention guidelines.
5.5 Record Retention ensures records are classified according to State and Retention
guidelines.
5.6 Record Retention ensures records are tracked and entered into an electronic records
management software system that tracks record boxes, assigns retention schedules,
permanent box numbers, destruction dates, and shelf locations.
6. Services
6.1 If a department has obsolete records that are deemed confidential or sensitive, or copies of
non-records, a special request for shredding may be sent to the Record Retention Center.
The records can be shredded by the Record Retention Center staff or transferred to the
State Record Center for destruction.
6.2 Departments must complete a Request for Destruction form for confidential or non-records
to be shredded. Departments are required to purchase forms from Central Stores at
Shipping & Receiving.
6.3 The Record Retention Center provides consulting services to departments on filing systems
and maintenance of records.
7. Transferring Records
7.1 Departments should transfer records in January, July, and October to Record Retention for
storage.
7.2 Records with a retention period of two years or more should be transferred to Record
Retention.
8. Record Retrieval
8.1 Records are retrieved and delivered to customers by request, given 24-hour notice.
8.2 Records can be retrieved for customers on an emergency basis, as requested.
8.3 Management personnel, the records coordinator, or the requester will sign for receipt of
records. Records are to be checked out for no longer than 30 days. If a longer period is
required, a written request should be sent to the Retention Center. If records are checked
out for more than a year, the records will be permanently withdrawn from inventory.
8.4 Permanent Withdrawal: If a department wishes to withdraw a record permanently from
storage, forward a request to Record Retention by phone, fax, or inter-office mail. The
department will complete a Withdrawal Request form and the records will be deleted from
inventory.
8.5 Second-Party Withdrawal: If a department requests a record originating from another
department, then the requesting department must contact the department of origin to obtain
authorization. The department of origin will contact Record Retention for records
withdrawal. The department requester must view the requested records at the Record
Retention Center.
8.6 Records should not be returned via inter-office mail due to the confidential nature of the
documents.
9. Record Destruction
9.1 Record Retention destroys records in January, July, and October according to State
guidelines.
9.2 Records are destroyed by Record Retention according to State and Federal guidelines
when legal requirements are met. A Destruction Request form will be sent to the
originating department for review and signature by the Departmental Records
Coordinator and by management personnel. Only when the Destruction Request has
been reviewed, signed, and returned to Record Retention will the expired records be
destroyed. Authorized personnel will shred confidential records. If departments wish to
keep the records past their assigned destruction date, management personnel can extend
the date no longer than one year unless a litigation, audit, or investigation is pending.
Records kept by the department past the retention date of destruction will be
permanently withdrawn from inventory.
9.3 All records scheduled for destruction are reviewed by the Institute’s Records Manager
and by State Records Analysts for approval.
10. Supplies
10.1 Records must be stored in the appropriate record retention boxes, which are obtained
from Central Stores at Shipping & Receiving.
10.2 Storage Ticket forms and Request for Destruction forms are obtained from Central
Stores at Shipping & Receiving.

In the section for Information Name/Description, it will be necessary to enter the
information type. For example:
• Employee Records:
– Employee performance review records
– Timecards
– Employee discipline documents
– Pay records
– Medical records
• Group Administrative Records:
– Monthly status reports
– Yearly status reports
– Yearly business objectives
• Business Process Records:
– Purchasing contracts
– Quarterly financial reports
– Project management tasks, schedules
– Reference manuals
– Contract negotiations
• Operations Information:
– Business partner information
– Asset allocation
– Trading activities
– Production formulas
– Production cost information
– Customer lists
• Distribution Records:
– Distribution models
– Inventory records
– Parts supplies

Table 11. Information Handling Matrix for Printed Material

Labeling of documents
  Confidential: Document should identify owner and be marked “CONFIDENTIAL” on cover or title page
  Internal Use: No special requirements
  Public: Document may be marked “PUBLIC” on cover or title page
Duplication of documents
  Confidential: Information owner to determine permissions
  Internal Use: Duplication for business purposes only
  Public: No special requirements
Mailing of documents
  Confidential: No classification marking on external envelope; “CONFIDENTIAL” marking on cover sheet; confirmation of receipt at discretion of information owner
  Internal Use: Mailing requirements determined by information owner
  Public: No special requirements
Disposal of documents
  Confidential: Owner observed physical destruction beyond ability to recover
  Internal Use: Controlled physical destruction
  Public: No special requirements
Storage of documents
  Confidential: Locked up when not in use
  Internal Use: Master copy secured against destruction
  Public: Master copy secured against destruction
Read access to documents
  Confidential: Owner establishes user access rules; generally highly restricted
  Internal Use: Owner establishes user access rules; generally widely available
  Public: No special requirements; generally available within and outside company
Review of document classification level
  Confidential: Information owner to establish specific review date (not to exceed one year)
  Internal Use: Information owner to review at least annually
  Public: No special requirements
Using the definitions, the person(s) performing the review would place a checkmark in
the appropriate column—only one check for each item being reviewed. This process
would allow the user department to identify all the various types of information found
in their department and then be able to determine into which classification they
probably fall.

Asset Classification Policy 99

Table 12. Information Handling Matrix for Electronically Stored Information

Storage on fixed media (access controlled)
    Confidential: Unencrypted
    Internal Use: Unencrypted
    Public: Unencrypted
Storage on fixed media (not access controlled)
    Confidential: Encrypted
    Internal Use: Unencrypted
    Public: Unencrypted
Storage on removable media
    Confidential: Encrypted
    Internal Use: Unencrypted
    Public: Unencrypted
Read access to information (includes duplication)
    Confidential: Information owner to authorize individual users
    Internal Use: Information owner to define permissions on user, group, or function basis
    Public: No special requirements
Update access to information
    Confidential: Information owner to authorize individual users
    Internal Use: Information owner to define permissions on user, group, or function basis
    Public: Information owners to define permissions
Delete access to information
    Confidential: Information owner to authorize individual users; user confirmation required
    Internal Use: Information owner to define permissions on user, group, or function basis; user confirmation required
    Public: Information owner to define permissions
Print hardcopy report of information
    Confidential: Output to be routed to a predefined, monitored printer
    Internal Use: Information owner to define permissions
    Public: No special requirements
Internal labeling of information at the application or screen/display level
    Confidential: Notification of “CONFIDENTIAL” to appear at top of display
    Internal Use: No special requirements
    Public: Notification of “PUBLIC” may optionally appear at top of display
External labeling of exchangeable media
    Confidential: Media must identify owner and be marked CONFIDENTIAL
    Internal Use: Marking at discretion of owner
    Public: No special requirements
Disposal of electronic media (diskettes, tapes, hard disks, etc.)
    Confidential: Owner observed physical destruction beyond ability to recover
    Internal Use: Physical destruction
    Public: No special requirements
Disposal of information
    Confidential: Delete by fully writing over information
    Internal Use: Delete files through normal platform delete command, option, or facility
    Public: No special requirements
Review of classified information for reclassification
    Confidential: Information owner to establish specific review date (not to exceed one year)
    Internal Use: Information owner to review annually
    Public: Information owner to review annually
Logging access activity
    Confidential: Log all access attempts; information owner to review all access and violation attempts
    Internal Use: Log all violation attempts; information owner reviews as appropriate
    Public: No special requirements
Access report retention requirements
    Confidential: Information owner to determine retention of access logs (not to exceed one year)
    Internal Use: Information owner to determine retention of violation logs (not to exceed six months)
    Public: No special requirements

Information Security Policies and Procedures 100
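The handling matrix above is a set of testable rules, so an inventory of electronically stored assets can be audited against it. The following is an added example, not tooling from the book: it encodes the storage, logging, retention and review rows of Table 12 and reports deviations over a constructed inventory. The record fields, the sample assets, the audit date and the six-months-as-180-days approximation are all assumptions of the example.

```python
"""Audit an asset inventory against the handling matrix for electronically
stored information (Table 12).  Added example; the record layout, the sample
inventory and the audit date are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CONFIDENTIAL = "Confidential"
INTERNAL = "Internal Use"
PUBLIC = "Public"
CLASSIFICATIONS = (CONFIDENTIAL, INTERNAL, PUBLIC)

# Logging row: Confidential logs every access attempt, Internal Use logs
# violation attempts only, Public has no special requirement.
REQUIRED_LOGGING: Dict[str, Optional[str]] = {
    CONFIDENTIAL: "all_access", INTERNAL: "violations", PUBLIC: None}
LOGGING_RANK: Dict[Optional[str], int] = {None: 0, "violations": 1, "all_access": 2}

# Retention row: access logs not to exceed one year (Confidential), violation
# logs not to exceed six months (Internal Use, approximated here as 180 days).
MAX_LOG_RETENTION_DAYS: Dict[str, Optional[int]] = {
    CONFIDENTIAL: 365, INTERNAL: 180, PUBLIC: None}

# Review row: a review date not to exceed one year, or an annual review.
MAX_REVIEW_INTERVAL_DAYS = 365


def encryption_required(classification: str, medium: str, access_controlled: bool) -> bool:
    """Storage rows of Table 12: only Confidential data needs encryption, and only
    on removable media or on fixed media that is not access controlled."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification: {classification!r}")
    if medium not in ("fixed", "removable"):
        raise ValueError(f"unknown medium: {medium!r}")
    if classification != CONFIDENTIAL:
        return False
    return medium == "removable" or not access_controlled


@dataclass
class AssetRecord:
    name: str
    classification: str
    medium: str                        # "fixed" or "removable"
    access_controlled: bool
    encrypted: bool
    logging: Optional[str]             # None, "violations" or "all_access"
    log_retention_days: Optional[int]  # None when no log is kept
    last_review: date


def audit_record(rec: AssetRecord, today: date) -> List[str]:
    """Return the Table 12 deviations found for one inventory record."""
    findings: List[str] = []
    if encryption_required(rec.classification, rec.medium, rec.access_controlled) and not rec.encrypted:
        findings.append(f"confidential data on {rec.medium} media must be encrypted")
    need = REQUIRED_LOGGING[rec.classification]
    if LOGGING_RANK[rec.logging] < LOGGING_RANK[need]:
        findings.append(f"logging is {rec.logging!r}, matrix requires {need!r}")
    cap = MAX_LOG_RETENTION_DAYS[rec.classification]
    if cap is not None and rec.log_retention_days is not None and rec.log_retention_days > cap:
        findings.append(f"logs retained {rec.log_retention_days} days, cap is {cap}")
    if (today - rec.last_review).days > MAX_REVIEW_INTERVAL_DAYS:
        findings.append(f"classification last reviewed {rec.last_review}, review overdue")
    return findings


def audit_inventory(records: List[AssetRecord], today: date) -> Dict[str, List[str]]:
    """Audit every record; the result maps asset name to its list of findings."""
    return {rec.name: audit_record(rec, today) for rec in records}


TODAY = date(2024, 6, 30)  # constructed audit date

# Constructed sample inventory; "hr-database" shows that Confidential data on
# access-controlled fixed media needs no encryption, yet still fails on logging,
# retention and review.
SAMPLE_INVENTORY = [
    AssetRecord("payroll-export", CONFIDENTIAL, "removable", False, False, "all_access", 365, date(2024, 3, 22)),
    AssetRecord("hr-database", CONFIDENTIAL, "fixed", True, False, "violations", 400, date(2023, 5, 1)),
    AssetRecord("intranet-news", INTERNAL, "fixed", False, False, "violations", 200, date(2024, 5, 31)),
    AssetRecord("website-pages", PUBLIC, "fixed", False, False, None, None, date(2024, 6, 20)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Unknown classifications or media raise rather than silently passing, so an inventory row with a typo in its label is surfaced instead of being treated as Public.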

14 AUTHORIZATION FOR ACCESS

To establish a clear line of authority, some key concepts must be established. As
discussed above, there are typically three categories of employee responsibilities.
Depending on the specific information being accessed, an individual may fall into more
than one category. For example, an employee with a desktop workstation becomes the
owner, custodian, and user. To better understand the concepts, the responsibilities of each
category are listed below.

14.1 Owners
Minimally, the information owner is responsible for:
• Judging the value of the information resource and assigning the proper classification level
• Periodically reviewing the classification level to determine if the status should be changed
• Assessing and defining appropriate controls to assure that information created is properly safeguarded from unauthorized access, modification, disclosure, and destruction
• Communicating access and safeguard requirements to the information custodian and users
• Providing access to those individuals with a demonstrated business need for access
• Assessing the risk of loss of the information and assuring that adequate safeguards are in place to mitigate the risk to information integrity, confidentiality, and availability
• Monitoring safeguard requirements to ensure that information is being adequately protected
• Assuring a business continuity plan has been implemented and tested to protect information availability

Table 13. Information Handling Matrix for Electronically Transmitted Information

By FAX
    Confidential: Attended at receiving FAX
    Internal Use: Information owner to define requirements
    Public: No special requirements
By WAN
    Confidential: Confirmation of receipt required; encryption optional
    Internal Use: No special requirements; encryption optional
    Public: No special requirements
By LAN
    Confidential: Confirmation of receipt required; encryption optional
    Internal Use: No special requirements; encryption optional
    Public: No special requirements
By Inter-office mail
    Confidential: No external labeling on envelope; normal labeling on document
    Internal Use: No special requirements
    Public: No special requirements
By voice-mail
    Confidential: Confirmation of receipt required (sender); remove message after receipt (recipient)
    Internal Use: No special requirements
    Public: No special requirements
By electronic messaging (e-mail)
    Confidential: Confirmation of receipt required; encryption optional
    Internal Use: No special requirements
    Public: No special requirements
By wireless or cellular phone
    Confidential: Do not transmit
    Internal Use: No special requirements
    Public: No special requirements

14.2 Custodians
At a minimum, the custodian is responsible for:
• Providing proper safeguards for processing equipment, information storage, backup,
and recovery
• Providing a secure processing environment that can adequately protect the integrity,
confidentiality, and availability of information
• Administering access requests to information properly authorized by the owner

14.3 User
The user must:
• Use the information only for the purpose intended.
• Maintain the integrity, confidentiality, and availability of information accessed.

Being granted access to information does not imply or confer authority to grant other
users access to that information. This is true whether the information is electronically
held, printed, hardcopy, manually prepared, copied, or transmitted.
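The owner, custodian and user responsibilities in section 14 amount to a small authorization workflow: the owner authorizes access for a demonstrated business need, the custodian administers only requests the owner has authorized, and a user who holds access cannot pass it on. The following is an added example that models that workflow; it is not code from the book, and the class, method names and sample actors are constructed for illustration.

```python
"""Owner / custodian / user separation from section 14 as a small
authorization model.  Added example, not the book's own tooling; the class and
method names and the sample actors are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


class AuthorizationError(Exception):
    """Raised when an actor attempts an action its role does not permit."""


@dataclass
class AccessRegistry:
    owners: Dict[str, str]        # asset -> information owner
    custodians: Dict[str, str]    # asset -> custodian who administers access
    # (asset, user) pairs the owner has authorized, with the recorded business need
    authorized: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # (asset, user) pairs the custodian has actually provisioned
    provisioned: Set[Tuple[str, str]] = field(default_factory=set)

    def authorize(self, actor: str, asset: str, user: str, business_need: str) -> None:
        """14.1: only the owner grants access, and only for a demonstrated business need."""
        if self.owners.get(asset) != actor:
            raise AuthorizationError(
                f"{actor} is not the owner of {asset}; holding access confers no authority to grant it")
        if not business_need.strip():
            raise AuthorizationError("a business need must be recorded for the request")
        self.authorized[(asset, user)] = business_need

    def provision(self, actor: str, asset: str, user: str) -> None:
        """14.2: the custodian administers requests, but only those the owner authorized."""
        if self.custodians.get(asset) != actor:
            raise AuthorizationError(f"{actor} is not the custodian of {asset}")
        if (asset, user) not in self.authorized:
            raise AuthorizationError(f"no owner authorization on file for {user} on {asset}")
        self.provisioned.add((asset, user))

    def has_access(self, user: str, asset: str) -> bool:
        """14.3: a user has access only once the custodian has provisioned it."""
        return (asset, user) in self.provisioned


def run_scenario() -> Dict[str, bool]:
    """Walk through a constructed scenario and report the outcome of each step."""
    reg = AccessRegistry(owners={"customer-list": "owner.pat"},
                         custodians={"customer-list": "custodian.sam"})
    outcome: Dict[str, bool] = {}

    # Normal path: owner authorizes, custodian provisions.
    reg.authorize("owner.pat", "customer-list", "user.alice", "quarterly sales analysis")
    reg.provision("custodian.sam", "customer-list", "user.alice")
    outcome["alice_has_access"] = reg.has_access("user.alice", "customer-list")

    # A user with access may not grant it to another user.
    try:
        reg.authorize("user.alice", "customer-list", "user.bob", "helping with the report")
        outcome["user_could_delegate"] = True
    except AuthorizationError:
        outcome["user_could_delegate"] = False

    # The custodian cannot provision without an owner authorization on file.
    try:
        reg.provision("custodian.sam", "customer-list", "user.bob")
        outcome["custodian_granted_unauthorized"] = True
    except AuthorizationError:
        outcome["custodian_granted_unauthorized"] = False

    outcome["bob_has_access"] = reg.has_access("user.bob", "customer-list")
    return outcome


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The same person can appear as owner, custodian and user of one asset (the desktop workstation case from the start of section 14); the model still records the owner authorization before provisioning, which is what makes the access decision reviewable later.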
Table 14. Sample Record Retention Schedule
Record Retain
Accounts payable schedules Permanent
Accounts receivables schedules Permanent
Bank drafts and paid notices 10 Years
Bank statements and reconciliations 10 Years
Bills of lading 7 Years
Cancelled checks 10 Years
Cash disbursements journals Permanent
Cash receipts journals Permanent
Claims register 7 Years
Corporate minutes book Permanent
Correspondence 10 Years
Counter tickets 7 Years
CPA audit reports Permanent
Credit memos 7 Years
Customer files 7 Years
Customer repair orders (both office and hard copy) 7 Years
Documents pertaining to litigation Permanent
Duplicate deposit slips 10 Years
Employee earning and history record Permanent
Employment contracts Permanent
Federal revenue agents’ reports and related papers Permanent
Federal tax returns Permanent
Financial statements Permanent
General journals Permanent
General ledgers Permanent
Insurance policies Until Expiration
Internal repair orders (hard copy only) 7 Years
Internal sales journals Permanent
Journal vouchers Permanent
Miscellaneous schedules Permanent
New and used vehicle records 7 Years
New vehicle sales journals Permanent
Office receipts 7 Years
Parts, accessories, and service sales journals Permanent
Payroll journals Permanent
Prepaid and accrued expense schedule 2 Years
Property tax returns Permanent
Purchase journals Permanent
Purchase orders 7 Years
Receiving reports 7 Years
Repair order check sheet 2 Years
Repair orders—internal (office copy only) 2 Years
Sales invoices 7 Years
Salesperson’s commission reports Permanent
Social security tax returns Permanent
State and local sales tax returns Permanent
State annual reports Permanent
State franchise tax returns Permanent
Sundry invoices 7 Years
Time cards 2 Years
U.S. and state unemployment tax returns Permanent
Used and repossessed vehicles journals Permanent
Vehicle invoices 7 Years
Vendor invoices 7 Years
Withholding tax returns Permanent

15 SUMMARY

Information classification drives the protection control requirements and this allows
information to be protected to a level commensurate with its value to the organization.
The costs of overprotection are eliminated and exceptions are minimized. With a policy
and methodology, specifications are clear and accountability is established.

There are costs associated with implementing a classification system. The most
identifiable costs include labeling classified information, implementing and monitoring
controls and safeguards, and proper handling of confidential information.
Information, wherever it is handled or stored, must be protected from unauthorized
access, modification, disclosure, and destruction. All information is not created equal.
Consequently, segmentation or classification of information into categories is necessary
to help identify a framework for evaluating the information’s relative value. By
establishing this relative value, it will be possible to establish cost-effective controls that
will preserve the information asset for the organization.
The information classification program will require the identification of the record
type, the owner, and the classification level. Two-thirds of this information may already
have been gathered by the records management program. Link these two vital processes
together to ensure that employee time is not wasted on redundant activities. By combining
the effort, the organization will have a better overall information security program.
