1

HIC Asset Identification and Classification Policy

Russell A. Findley

Masters of Science in Cyber Security Operations and Leadership, University of San Diego

CSOL-540-02-SP21 – Cyber Security Ops Policy

Author: Russell Findley

Professor Mike Hallman

April 5, 2021
 2

Contents
Introduction......................................................................................................................................................................... 3
Scope.................................................................................................................................................................................... 3
Objectives............................................................................................................................................................................. 3
Asset Classification and Handling......................................................................................................................................4
Responsibilities....................................................................................................................................................................5
Enforcement........................................................................................................................................................................ 6
Review and Revision...........................................................................................................................................................6
References............................................................................................................................................................................ 8
 3

Title: Asset Identification and Classification Policy

Date: April 5, 2021

Approval: HIC's Management Team

Version: 1.0

Introduction

HIC, Inc., produces, stores, and transmits both sensitive employee and customer information. It is essential to

the HIC to protect this data against unauthorized access, modification, and mishandling. Proper management of

information is essential, due to regulatory and privacy obligations such has Health Insurance Portability and

Accountability Act (HIPPA) and California Consumer Privacy Act (CCPA). Due to the varying types of

information held by HIC Inc., classifying information assets will safeguard operational effectiveness and

management information.

Scope

The Asset Identification and Classification Policy applies to all employees, contractors, and third-party vendors

holding HIC data. In addition, any party representing HIC (i.e., brokers, insurers, etc) are subject to comply

with this policy.

Objectives

The Asset Identification and Classification Policy is based on the confidentiality, sensitivity and privacy of

information held by HIC, Inc., and its partners. The information is based on a combination of a Mandatory

Access Control and Discrescary Access Control. As an organization we want users to control how they store

and handle their own data, but at certain levels of customer information such as Protected Health Information,

we will mandate how data is controls and labeled. Mandatory Access Control is leveraged to comply with

privacy and legal requirements.

 4

Asset Classification and Handling

Classification and handling of HIC’s Inc., information assets is critical to maintain compliance with both

privacy and compliance laws. HIC stores and transmits Protected Health Information (PHI), and it is goal of the

 All information stored, processed, or transmitted by HIC, Inc., shall be classified according to Table 1.

 All data assets shall be classified by the risk to confidentiality, value, and risk of the data. Once

determined, an asset owner will be assigned and entered into the register.

 Any information that is not immediately classified will hold a classification level of “Prohibited” until it

is determined. This is done in order to prevent leaking or exfiltration of data assets.

 All third party vendors holding HIC Inc., data assets, are required to comply with this policy and

classification model.

 Mis categorization of information shall be reported to either the steering committee or open a ticket with

helpdesk.

Information Description Example

Category
Prohibited Information that is required by law or  Health Information, including
government regulation. Breach of Protected Health Information (PHI)
confidentiality could result in fine or  Health Insurance policy ID numbers
have severe lasting impact to the  Social Security Numbers
organization.  Credit card numbers
 Financial account numbers
 Driver's license numbers
 Passport and visa numbers

Restricted Restriction information is only  Unpublished research data (at data

accessible to authorized individuals. A owner's discretion)
breach of confidentiality could cause  HIC employee employment
serious damage resulting in the applications, personnel files, benefits,
compromise of activity. salary, birth date, personal contact
information
 Non-public HIC, and internal policies
and policy manuals
 Contracts
 Financial plans
 Employee ID numbers

Confidential Information assets will have  Company Standard Operating

 5

authorized personnel whose Procedures

compromise could cause limited  Company customer software code
damage to HIC Inc.  Company designs for systems and
network
Public 1. The data is intended for public  Publicly accessible financial records
disclosure, or  Newsletters
2. The loss of confidentiality,  Policy and procedure manuals
integrity, or availability of the data designated by the owner as public
or system would have no adverse  Job postings
impact on our mission, safety,  Information in the public domain
finances, or reputation.

Table 1 (Stanford, 2009) Categorization used from Stanford's Classification Policy

Responsibilities

 The Chief Information Officer approves the Asset Identification and Classification Policy.

 The Chief Information Security Officer is responsible for developing, implementing and ongoing care-

and-feeding of the Policy.

 The Information Governance and Security Steering Group is responsible for:

o Approving the Information Classification system

o Socialization of the classification system and information management policies for electronically

stored information.

 HIC Information Technology Team:

o Provide technologies for managing the compliance of the policy and information centrally.

 Information Asset Owners and Information Administrators are responsible for:

o Identifying the appropriate information classification level for any information within their care

o Ensuring that the appropriate management policies about storage, publishing, disposal etc. are

followed. Where information is classified not for public consumption (i.e. Internal, Restricted or

Confidential) this should be clearly articulated to those who have access to such information.

o Ensuring that information is processed and managed in accordance with the HIC’s Information

Governance and Security Policies.

 6

 All members of the HIC Inc., (including staff, and contractors) are responsible for

o Handling of information according to the policy and corresponding classification

o Complying with this policy and with relevant legislation.

Enforcement

Compliance of HIC Asset Identification and Classification Policy is critical to the ongoing success for the

organization. Failure to comply with this policy or associated governance requirements may result in the

termination of employment. Contingent workers may be subject to cancellation of individual or service

provider contracts.

Any request for exception to the policy should be issued to the Chief Information Security Officer, and

approved by the Chief Information Officer. All exceptions must be in writing, tracked by the Governance and

Compliance team, and reviewed at the monthly Security Steering meeting.

Effective Date 

This Policy is effective starting Monday, April 5, 2021.  

Information and Assistance 

Any user with a question about the Policy's requirements should contact the HIC Compliance team at

[email protected].   

Contact Team Member Relations at 888-555-5555 to report non-compliant behavior of another Team Member. 

Review and Revision

Approved By: Date: Title Version

Russell Findley April 5, 2021 Chief Information Security Officer V1.0

 7

Approved: __________________________________ Date: ______________________

Signature/Chief Information Officer

 8

References:

Smyth, N. (2016). Mandatory, Discretionary, Role and Rule Based Access Control. Techotopia.

https://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Contr

ol.

Stanford. (2009, June 15). 6.3.1 Information Security. 6.3.1 Information Security | Administrative Guide.

https://adminguide.stanford.edu/chapter-6/subchapter-3/policy-6-3-1#anchor-24183.