Page 79 - CISSO_Prep_ Guide
Information versus Information Systems
All information must be classified before it can be protected adequately.
Once the data has been classified, it is equally important to
classify the information system used to display, process, store,
or transmit it. An information system can never be classified at a
lower level than the most sensitive information it contains. In
some cases the system must be classified higher than any single
item it holds, because the information on the system may be
subject to aggregation. Aggregation occurs when a user with access
to the system is able to combine individually lower-classified
pieces of information and thereby derive knowledge that is
protected at a higher level than any of the pieces on their own.
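The two rules above (a system is classified at least as high as its data, and aggregation can push the required level higher still) can be expressed as a small check over an ordered set of levels. The following is an added illustration for this section, not code from the CISSO guide; the level names, data types and aggregation rules are constructed assumptions, and a real scheme would use its own lattice and rules.

```python
"""Model of the 'system at least as high as its data' rule with aggregation.

Added illustration for this section, not code from the CISSO guide. The level
names, data types and aggregation rules below are constructed assumptions.
"""

# Sensitivity levels from lowest to highest (constructed; real schemes differ).
LEVELS = ["public", "internal", "confidential", "secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Aggregation rules (constructed): if every data type in the set is present on
# the same system, the combination is protected at the stated level even when
# each item is individually classified lower.
AGGREGATION_RULES = [
    (frozenset({"customer_names", "purchase_history"}), "confidential"),
    (frozenset({"customer_names", "home_addresses", "credit_limits"}), "secret"),
]


def _check_level(level):
    """Reject labels that are not part of the scheme instead of guessing."""
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    return level


def least_upper_bound(levels):
    """Return the highest level among `levels` (the join of the ordered set)."""
    levels = [_check_level(lvl) for lvl in levels]
    if not levels:
        return LEVELS[0]
    return max(levels, key=RANK.__getitem__)


def required_system_level(data_items, rules=AGGREGATION_RULES):
    """Minimum classification for a system holding `data_items`.

    data_items maps data type -> classification level of that item.
    The result is the join of every item's own level, raised further by any
    aggregation rule whose data types are all present on the system.
    """
    required = least_upper_bound(data_items.values())
    present = set(data_items)
    for needed_types, agg_level in rules:
        if needed_types <= present:
            required = least_upper_bound([required, agg_level])
    return required


def check_system(system_level, data_items, rules=AGGREGATION_RULES):
    """Return (ok, required_level); ok is False when the system is under-classified."""
    required = required_system_level(data_items, rules)
    return RANK[_check_level(system_level)] >= RANK[required], required


if __name__ == "__main__":
    # Constructed inventory: each item is only 'internal', but together the
    # customer names and purchase history match an aggregation rule.
    crm = {"customer_names": "internal", "purchase_history": "internal"}
    print(check_system("internal", crm))      # (False, 'confidential')
    print(check_system("confidential", crm))  # (True, 'confidential')
```

The point of the aggregation loop is that the check cannot be done item by item: a system whose every record is "internal" still fails when the combination of record types on it is covered by a rule, which is exactly the case the text describes.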
Summary of Information Classification
The classification of each type of information is based on its
requirements for confidentiality, integrity, and availability.
Each type of information must have an owner who is responsible for
determining how it must be protected and for ensuring that it is
protected at all times and on every system that holds it.
Each type of protected information must be clearly labeled,
electronically and/or physically, so that it is handled
appropriately.
There must be a process for declassifying information that no
longer needs the level of protection it once required.
The classification of an information system must be at least as
high as the classification of the information it displays,
processes, stores, or transmits, taking aggregation into account.