ISO-5: Classification of Assets

In the previous article we discussed the need to create an asset inventory as part of context setting.

In the process, we identified four kinds of points to be located in a network when building the asset inventory: "Data Storage Points", "Data Collection Points", "Data Processing Points" and "Data Disclosure Points". We also discussed the concept of "Data Valuation". We did not stop at the abstract view that "everything that assists the business has a value", but went on to underscore the need to assign a rupee value to the asset, one that can be brought into the balance sheet if need be.

If we want the CFO to sanction a budget for the ISMS, the CFO has to be convinced that there is data worth X crores that needs protecting and that the ISMS will mitigate the risk of loss or erosion of that X crore asset value. Assessing the rupee value of the asset is therefore important, and Naavi's DVSI (Data Value Standard of India) suggests a methodology for this purpose, particularly for personal data.

In the ISO 27001 context, valuation in rupee terms also matters because of ransomware: the attacker demands a ransom based on his own estimate of the data's value. That estimate may rest on the market value of the data on the dark web, or on the amount the organization would pay to avoid reputational damage or to save the cost of reconstructing the data. For the organization, therefore, "opportunity cost" and "potential damage" are measures of value; for the attacker, "realisable market value" is the measure.

The value the ISMS manager assigns may depend on the nature of the organization's activity. If data is a raw material of the business and is converted into finished goods at the end of a process (e.g. a data analytics company), the value can be computed as the cost accumulated from generation of the data to its current point in the life cycle, moderated by revaluation against market value. If data is only a tool of the business, its value is based on the cost of creation alone.

Whatever methodology is used for valuation, and whether the result is only an approximation for a "Note to the Accounts" or is incorporated in the balance sheet as a contra item, the information must first be classified into different value buckets.

In the ISMS context, data classification is based on "risk potential", and hence the common classification is "Confidential", "Restricted", "Internal" and "Public".

Some examples of classification on this basis are:

  • Confidential: This level of classification applies to information that could cause serious harm to the organization if it were disclosed to unauthorized individuals. Examples of confidential information include trade secrets, financial data, and customer information.
  • Restricted: This level of classification applies to information that could cause some harm to the organization if it were disclosed to unauthorized individuals. Examples of restricted information include employee records, marketing plans, and product development information.
  • Internal: This level of classification applies to information that is not confidential or restricted, but that should not be disclosed to the public. Examples of internal information include employee training materials, meeting minutes, and financial reports.
  • Public: This level of classification applies to information that is not confidential, restricted, or internal. Examples of public information include press releases, product brochures, and website content.

PII, on the other hand, has to be classified on a scale based on "sensitivity". For example, alongside the general category "Personal Data", one can create the categories "Sensitive Personal Data" and "Critical Personal Data" based on the different risk profiles of the data itself.

Hence data has to be classified first as "Personal" or "Non-Personal"; non-personal data is then classified on the Confidential, Restricted, Internal and Public scale, and personal data is classified as the applicable law requires.

PDPCSI and other privacy frameworks therefore use a classification different from that of ISO 27001. PDPCSI goes a step further than other frameworks, since it recommends sensitivity-based classification according to whether the data belongs to employees or others, minors or adults, deceased or living individuals, and so on.

Control A.5.12 of ISO 27001 (Classification of information) states:

“Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.”

ISO 27701:2019 refers to the EU GDPR in its introductory references but does not provide clear classification guidelines within the document itself. Hence GDPR-based classification will drive ISO 27701.

PDPCSI, on the other hand, pitches the classification requirement as "compliance based" and states as follows:

"The organization shall classify data based on nature of personal data, its sensitivity, type of data subject, whether minor data or employee data is involved, the country of origin, etc"

Thus context setting includes creation of a data inventory together with its classification.

Apart from creating an "Inventory of Data" recording where data lies in storage, it is also necessary to build a "Process Inventory" listing every process whose output data differs from its input data. The modification of data that occurs within a process has to be captured for risk assessment (e.g. automated decision-making risks). This also assists in designating "Process Controllers", "Consent Controllers", "Disclosure Regulators" and "Data Custodians", which are all distinct functions under the ISMS manager.

To take further control of the data inventory, the data input points and data disclosure points must be identified, so that the inventory of data in storage and data in process can be managed from the point of view of the CIA principles. Data disclosure in this context means disclosure to external parties, since internal disclosure merges with the transfer of data from one process to the next as input data.
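The two-stage classification above (Personal versus Non-Personal first, then the risk-potential scale or the sensitivity scale), the PDPCSI subject attributes quoted earlier, the raw-material versus tool valuation rule, and the storage, collection and disclosure points of the inventory can be tried out on a small inventory. The following is an added example written for this article; it is not code from the article, from PDPCSI or from DVSI. The harm scale, the sensitivity rules, the reading of "moderated by revaluation" as "use the market value when one is known", the rupee figures and the sample assets are all constructed assumptions.

```python
"""Two-stage data classification and a rough rupee valuation over a small
asset inventory. Added example; the scales, rules and figures are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataAsset:
    name: str
    storage_point: str                     # where the data lies in storage
    collection_point: str                  # where it enters the organization
    personal: bool                         # first split: Personal vs Non-Personal
    disclosure_points: tuple = ()          # "external" marks an exit point
    # Non-personal axis: risk potential if disclosed (assumed scale)
    harm_if_disclosed: str = "none"        # none | low | some | serious
    # Personal axis: sensitivity and data-subject attributes (assumed encoding)
    sensitive: bool = False
    critical: bool = False
    subject_type: str = "other"            # employee | customer | other
    minor: bool = False
    deceased: bool = False
    country_of_origin: str = "IN"
    # Valuation inputs in rupees (constructed figures)
    role: str = "tool"                     # "raw_material" or "tool"
    creation_cost: float = 0.0
    lifecycle_costs: tuple = ()            # cost added at each processing step
    market_value: Optional[float] = None   # realisable market value, if known


# Risk-potential buckets for non-personal data, as listed in the article
HARM_TO_LEVEL = {"none": "Public", "low": "Internal",
                 "some": "Restricted", "serious": "Confidential"}


def classify_non_personal(asset: DataAsset) -> str:
    """Confidential / Restricted / Internal / Public by risk potential."""
    return HARM_TO_LEVEL[asset.harm_if_disclosed]


def classify_personal(asset: DataAsset) -> tuple:
    """Sensitivity category plus PDPCSI-style subject tags (assumed rules)."""
    if asset.critical:
        category = "Critical Personal Data"
    elif asset.sensitive:
        category = "Sensitive Personal Data"
    else:
        category = "Personal Data"
    tags = []
    if asset.subject_type == "employee":
        tags.append("employee")
    if asset.minor:
        tags.append("minor")
    if asset.deceased:
        tags.append("deceased")
    if asset.country_of_origin != "IN":
        tags.append("origin:" + asset.country_of_origin)
    return category, tags


def classify(asset: DataAsset) -> dict:
    """Split Personal / Non-Personal first, then apply the matching scale."""
    if asset.personal:
        category, tags = classify_personal(asset)
        return {"track": "Personal", "category": category, "tags": tags}
    return {"track": "Non-Personal",
            "category": classify_non_personal(asset), "tags": []}


def value_in_rupees(asset: DataAsset) -> float:
    """Raw material: accumulated cost through the life cycle, replaced by the
    market value when one is known (assumption). Tool: creation cost only."""
    if asset.role == "raw_material":
        accumulated = asset.creation_cost + sum(asset.lifecycle_costs)
        return accumulated if asset.market_value is None else asset.market_value
    return asset.creation_cost


def value_buckets(inventory: list) -> dict:
    """Total rupee value per classification bucket, for the CFO conversation."""
    totals = {}
    for asset in inventory:
        category = classify(asset)["category"]
        totals[category] = totals.get(category, 0.0) + value_in_rupees(asset)
    return totals


def external_exit_points(inventory: list) -> list:
    """Assets disclosed to external parties: the exit points to be secured."""
    return [a.name for a in inventory if "external" in a.disclosure_points]


# Constructed sample inventory (names and figures are illustrative)
INVENTORY = [
    DataAsset("customer-kyc", "core-db", "onboarding-portal", True,
              disclosure_points=("external",), sensitive=True,
              subject_type="customer", role="raw_material",
              creation_cost=200_000, lifecycle_costs=(50_000, 30_000),
              market_value=500_000),
    DataAsset("payroll", "hr-db", "hr-portal", True, subject_type="employee",
              creation_cost=120_000),
    DataAsset("press-release", "web-cms", "marketing", False,
              disclosure_points=("external",), creation_cost=5_000),
    DataAsset("product-roadmap", "wiki", "product-team", False,
              harm_if_disclosed="some", creation_cost=80_000),
    DataAsset("process-formula", "vault", "r&d-lab", False,
              harm_if_disclosed="serious", role="raw_material",
              creation_cost=1_000_000, lifecycle_costs=(250_000,)),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a.name, classify(a), value_in_rupees(a))
    print(value_buckets(INVENTORY))
    print(external_exit_points(INVENTORY))
```

Note that personal data never reaches the Confidential/Restricted/Internal/Public scale: the first split sends it down its own track, which is the point of classifying Personal versus Non-Personal before anything else. The bucket totals are what would back a "Note to the Accounts" or a contra item, and the list of external exit points is the disclosure inventory to be secured.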

To summarize, after setting the context for the ISMS we should have a proper understanding of the data, classified by accepted criteria. We should know where the data is stored, where it is processed, and which input and exit points need to be secured.

In the planning stage these are important steps that need to be completed before we move on to creating the ISMS governance structure. Then come the policy documents, then implementation of controls, then review and correction. These are the steps that an ISMS has to go through.

(To Be Continued)

Naavi

About Vijayashankar Na

Naavi is a veteran cyber law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual cyber law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.
This entry was posted in Cyber Law.