Page 75 - CISSO_Prep_ Guide
The reason to determine asset value is to ensure that the selection of controls is appropriate. An organization should not spend more to protect an asset than it is worth, but it should not ignore a risk that could have been mitigated at a reasonable cost.
Information Classification
Information classification is a crucial component in determining asset value. This is evidenced by the requirement in most privacy regulations to declare an information owner that must be responsible for the classification and protection of information.
The purpose of information classification is to ensure that information receives an appropriate level of security. No organization wants to waste money and resources protecting information that does not require protection, or no longer requires protection. Nor does an organization want to face the liability and responsibility for not having protected information that should have been preserved.
Information protection is about setting in place the procedures, policies, and tools necessary to protect information at all points in the information lifecycle - from when it is first received, throughout its various processes, storage, and communications, and finally its deletion. Information should be protected consistently and effectively from both internal and external misuse. The information should be protected at all times and in all locations. This is why the role of the information owner is so important.
Information that comes into an organization may be stored or processed on several different systems, and those systems may all have different owners. The responsibility of the information owner is to set out the rules for the protection of the information that must be followed by all system owners regardless of what