
Policy for Classification of Information Assets

Policy for classification of information

Norwegian version - Retningslinje for klassifisering av informasjonsverdier


  • Document type: Topic specific Policy
  • Managed by: CISO, Digital Security Section
  • Approved by: Director of Organization and Infrastructure
  • Valid from: 01.10.2025
  • Next revision within: 01.10.2027
  • Classification: No
  • Reference ISO: ISO 27002:2022 5.9, 5.10, 5.12, 5.13, 8.12
  • Reference NSM's principles for ICT security: 2.7.5
  • Reference Law/Rule: Act relating to national security (Security Act) (Sikkerhetsloven), Act relating to the processing of personal data (The Personal Data Act) (Personvernloven), Sikkerhetsinstruksen (The Safety Instruction)
  • Reference internal documents: Policy for Information Security

Purpose

The purpose of classifying information is to have an overview of the information assets managed by NTNU.

Applies to

This policy applies to all individuals who have access to, process and manage information at NTNU, including through NTNU's information systems, services, and equipment (NTNU's IT infrastructure).

Roles and responsibilities

Information security work affects the organization at all levels. Responsibility and authority for information security follow the regular line management structure. All roles associated with the management system are defined in the Information Security Policy.

For the Policy for Classification of Information, line managers, project managers, and system owners have key roles with corresponding responsibilities.

General principles

a. To meet the requirements for proper handling of information assets, information objects produced and managed by NTNU should be classified.

b. The classification of information produced or accessed within an ICT system or process establishes requirements for securing the ICT system and the workflow involving the use, transport, or storage of the information.

Value Assessment and Classification

An information value refers to information that is defined as something we, as individuals, NTNU, or society, want to protect. Information values can be divided into primary information values, the information itself, and secondary information values, which include premises, systems, and individuals who handle and store information.

a. Information stored and produced at NTNU should undergo a value assessment. This involves determining the value of the object for NTNU and other stakeholders. Examples of information values at NTNU include:

  • Research – valuable to NTNU as a university, to researchers, and potentially to society.
  • Documentation – system documentation, plans, etc.
  • Systems – some systems are valuable because we depend on them to perform our work, while others are used to store valuable data.
  • Personal data – this is not valuable to NTNU, but it is valuable to the individuals involved. As a result, NTNU is required to store personal data in a specific manner.
  • Physical areas – labs, archive rooms, server rooms, etc., where information and research are created, processed, and stored.

b. Based on the value assessment, the information object is classified according to internal and external requirements for confidentiality, integrity, and availability.

  • Confidentiality implies access control, which means ensuring that information and information systems are only accessible to those with a legitimate need.
  • Integrity means ensuring that information is accurate, valid, and complete, and cannot be unintentionally or maliciously modified.
  • Availability means ensuring that information and information systems are available within the specified availability requirements.

c. The requirements for accurate classification of information values come from various parties and have different goals:

  • Have an overview of the values possessed by NTNU.
  • Determine which information/system/object is most important for achieving NTNU's goals, complying with applicable regulations, and fulfilling contractual agreements.
  • Prioritize information and IT systems in the event of limited capacity.
  • Simplify the process of building an efficient and cost-effective information architecture.

Classification in Practice

Data and information processed at NTNU have varying levels of protection. All information and data must be classified with regard to confidentiality in order to select the appropriate tools and infrastructure. Integrity is also important to ensure that data/information is accurate and not altered by mistake. Availability is often the most critical aspect for system owners, who are responsible for the systems themselves, to ensure they function properly. In practice, the integrity and availability of data will be well maintained if you use one of the solutions presented in the Storage Guide.

Confidentiality assessment

Integrity Assessment

Accessibility Assessment

Labelling Requirements

  • Use sensitivity labeling with tags/labels on documents and emails when the information requires a high level of confidentiality (internal, confidential, strictly confidential, and restricted according to the Security Act).
  • Use appropriate professional systems or tools to process, store, and manage the information securely and efficiently, in line with the system owner's recommendations.