Chapter 9 provides a deep dive into the key questions and decision points in the secure and classify stage of the life cycle. We offer 24 more specific questions intended to guide your thinking about how to secure and classify information assets and to prevent liabilities. The questions also form the basis of an audit of information assets. An audit should ask and answer all of the questions listed in this chapter. From these answers you should be able to judge the strength or weakness of assets in this stage of their life cycles.
These questions are organized into five easy-to-remember categories to help you work through them as you develop your strategy. We do not offer answers to these questions because only you can determine which answers best suit your environment. There is no single right or wrong answer. Short explanations are provided for key concepts as background and context. These explanations also serve as a working reference source for both business and information professionals.
Your strategy should explain…
The organization’s essential definition of harm?
The circumstances under which information may result in liabilities?
The harm that may result from the mismanagement of information assets?
The levels of harm that may result?
The representation of levels of harm as security classes?
The overall coverage of harm by the security classification scheme?
The impact that security and classification may have on access to and use of information assets?
Your strategy should explain when…
Security classes are assigned to information assets – when the asset is created, when it is designated as official, or another event that would trigger its classification?
Your strategy should explain where…
Where security is applied – to the whole document? To parts of the document? To whole projects or folders? To entire applications or repositories?