
Asset Classification, Protection, Labeling & Handling Scheme

Document Reference
Document Title: Asset Classification, Protection, Labeling & Handling Scheme
Department: Xxxxxxxxxxxx
Reference ID: Xxxxxxxxxxx
Version No: 1.0
Status: DRAFT
File Name:
Type: DOC
Revision Date: Dd/mm/yyyy
Publish Date: Dd/mm/yyyy

Author(s): Name xxxxxxxx; Functional Section, Department Xxxxxxxx; Signature / Date xxxxxxxx
Reviewed By: Name xxxxxxxx; Functional Section, Department Xxxxxxxx; Signature / Date xxxxxxxx
Approved By: Name xxxxxxxx; Functional Section, Department Xxxxxxxx; Signature / Date xxxxxxxx

Status: Draft Ref: Func-Type-Dept-xxxx

Release: 1.0 Issue Date: dd/mm/yyyy

Page 2 of 9 Initials: xxxx

Control Page

Document Amendment Record

Change No.: x.x
Date: Dd/mm/yyyy
Changed By: Xxx
Brief Explanation: xxx

Copies of this Document will be held by:


1. Information Security Planning Department


Table of Contents

1 Asset Classification Scheme ........ 5
1.1 Asset Classification Criteria ........ 5
1.1.1 Confidentiality Criteria ........ 5
1.1.2 Integrity Criteria ........ 7
1.1.3 Availability Criteria ........ 7
2 Asset Protection Scheme ........ 8
3 Asset Labeling and Handling Matrix ........ 8


1 Asset Classification Scheme


1.1 Asset Classification Criteria
Information Systems assets must be accorded a classification level in accordance with the Asset Classification and Control Policy. This document provides the criteria on which assets are to be classified and the classification levels for each criterion.

Not all assets are equally important for ET's operations and for achieving its vision and mission. Some assets are more important than others and therefore need additional care and protection to keep ET in business. Similarly, the resources at ET's disposal are limited and could be used for a number of different purposes. Risk classification will enable ET to focus asset protection mechanisms on those assets that are most susceptible to specific risks.

Information assets will be assigned classifications based on their susceptibility to risk. The risks affecting information assets are:

- Loss of Confidentiality
- Loss of Integrity
- Loss of Availability

Please note that the classification scheme is different from the labeling scheme for an asset. The classification scheme determines whether and how an asset is labeled and what the label contains (see section 3).

1.1.1 Confidentiality Criteria

1.1.1.1 Confidentiality criteria define the level of confidentiality to be accorded to information assets and, consequently, the level of accessibility to the information they contain or represent.

Risk Rating: Very Low
Accessibility: Public
Impact: Public Information. No impact. Such information comes from public sources or is provided by ET to the general public. Examples include periodicals, public bulletins, published company financial statements, published press releases, etc.

Risk Rating: Low
Accessibility: Internal
Impact: Internal Information (all departments and personnel). Such information is the property of ET. ET has the sole right over this information (exception: subjects of the information in most cases will also have rights to the information, such as a plan member having access rights to their contract). This form of information must be used within ET and not shared with third parties. Examples include staff memos, company newsletters, staff awareness program documentation or bulletins, etc.

Risk Rating: Medium
Accessibility: Departmental
Impact: Internal Information (individual departments). Such information is the property of Egypt Trust, which has the sole right over this information (exception: subjects of the information in most cases will also have rights to the information, such as a plan member having access rights to their contract). This form of information must be used within ET and not shared with third parties, and must be restricted to departmental personnel only. Examples include departmental memos, work programs, schedules, departmental plans, etc.

Risk Rating: High
Accessibility: Confidential
Impact: Confidential Information. Confidential information is a sensitive form of information. It is distributed on a need-to-know basis only. Examples include employee personal information, business plans, unpublished financial statements, etc.

Risk Rating: Very High
Accessibility: Highly Confidential
Impact: Highly Confidential Information. Highly confidential information is the most sensitive form of information. It is so sensitive that its disclosure or misuse would have a definite impact on ET's business and future and/or on the national security of Egypt. Extremely restrictive controls need to be applied (e.g., a very limited audience). Examples include strategic plans, investment decisions, etc.


1.1.2 Integrity Criteria

1.1.2.1 Integrity of information relates to the impact of unauthorized modification of an information asset, or of loss of the information asset or the data contained therein.

Risk Rating: Very Low
Impact: No impact.

Risk Rating: Low
Impact: Loss of integrity of the information asset (either partially or completely) could cause minor embarrassment to ET. The integrity of the information can be easily recovered without significant effort.

Risk Rating: Medium
Impact: Loss of integrity of the information asset (either partially or completely) could cause some level of embarrassment and/or negative publicity to ET. The integrity of the information can be recovered with some level of effort and minimal financial cost.

Risk Rating: High
Impact: Loss of integrity of the information asset (either partially or completely) could cause embarrassment and/or negative publicity to ET. The integrity of the information may be recovered at a moderate financial cost to ET.

Risk Rating: Very High
Impact: Loss of integrity of the information asset (either partially or completely) could cause significant embarrassment and/or negative publicity to ET and could have a direct impact on ET's core activities. The integrity of the information either cannot be recovered or may be totally or partially recoverable only at a significant and material financial cost.

1.1.3 Availability Criteria

1.1.3.1 Availability criteria relate to the impact of an information asset being unavailable. Availability criteria are further subdivided into long-term unavailability and short-term unavailability.

Risk Rating: Very Low
Classification: Non critical
Impact: No impact. The asset can be easily replaced. These assets may be interrupted for an extended period of time, at little or no cost to the company, and require little or no catching up when restored.

Risk Rating: Low
Classification: Sensitive
Impact: Unavailability of the asset will not significantly affect ET's operations and services. The asset can be replaced within an acceptable timeframe without significantly affecting operations. These assets can be replaced by manual processes at a tolerable cost for an extended period of time. While they can be performed manually, it is usually a difficult process and requires additional staff to perform.

Risk Rating: Medium
Classification: Vital
Impact: Unavailability of the asset will not significantly affect ET's operations and services. These assets can be replaced by manual processes, but only for a brief period of time. There is a higher tolerance to interruption than with critical and highly critical systems, and therefore somewhat lower costs of interruption, provided that functions are restored within a certain timeframe (usually 5 days or less).

Risk Rating: High
Classification: Critical
Impact: Unavailability of the asset will affect individual operations and services. These assets cannot be operated unless they are replaced by identical or similar capabilities. Critical assets cannot be replaced by manual methods. Tolerance to interruption is low; therefore the cost of interruption is high.

Risk Rating: Very High
Classification: Highly Critical
Impact: Unavailability of the asset for any time frame will significantly affect multiple operations and services. These assets cannot be operated unless they are replaced by identical capabilities. Highly critical assets cannot be replaced by manual methods. Tolerance to interruption is very low; therefore the cost of interruption is very high.

2 Asset Protection Scheme


Asset Protection is the process of defining controls to effectively protect an information asset. It includes the classification of the asset to be protected and the implementation of labeling, handling, and destruction procedures according to the asset's classification. The controls that mitigate the risks affecting the asset will be determined using the risk mitigation process explained in the Information Risk Management Framework.

3 Asset Labeling and Handling Matrix


All Information Assets must be labeled and handled in accordance with the Information Labeling and Handling Policy. In addition, reference must be made to the Information Labeling Procedure, Naming Convention Guidelines, Documentation Structure & Control document and the COM-009 Scoping Document. The following matrix shows the labeling and handling requirements for different types of assets.


The matrix covers the following handling activities for each classification: storage on fixed media, storage on exchangeable media, copying, faxing, sending by public network (e.g. Internet), disposal, release to third parties, electronic media labeling required, hardcopy labeling required, internal and external packaging, granting access rights, and tracking process by log.

Highly Confidential
Storage on fixed media: Encrypted
Storage on exchangeable media: Encrypted
Copying: Permission of owner required
Faxing: Permission of owner required
Sending by public network (e.g. Internet): Encrypted
Disposal: Secure disposal
Release to third parties: Owner approval (NDA)
Electronic media labeling required: External labeling
Hardcopy labeling required: Each page
Internal and external packaging: Secure packaging
Granting access rights: Owner
Tracking process by log: A log of recipients / copies made

Confidential
Storage on fixed media: Physical Access Control
Storage on exchangeable media: Physical Access Control
Copying: Permission of owner required
Faxing: Permission of owner required
Sending by public network (e.g. Internet): Encrypted
Disposal: Secure disposal
Release to third parties: Owner approval (NDA)
Electronic media labeling required: External labeling
Hardcopy labeling required: Each page
Internal and external packaging: Secure packaging
Granting access rights: Owner
Tracking process by log: Not required

Departmental
Storage on fixed media: Physical Access Control
Storage on exchangeable media: Physical Access Control
Copying: Permission of owner required
Faxing: Permission of owner required
Sending by public network (e.g. Internet): Encryption Optional
Disposal: Secure disposal
Release to third parties: Owner approval (NDA)
Electronic media labeling required: No label required
Hardcopy labeling required: No label required
Internal and external packaging: Single envelope with no marking
Granting access rights: Departmental Manager
Tracking process by log: Not required

Internal
Storage on fixed media: Encryption Optional
Storage on exchangeable media: Encryption Optional
Copying: No restriction
Faxing: No restriction
Sending by public network (e.g. Internet): Encryption Optional
Disposal: Normal disposal
Release to third parties: Owner approval (NDA)
Electronic media labeling required: No label required
Hardcopy labeling required: No label required
Internal and external packaging: Single envelope with no marking
Granting access rights: Departmental Manager
Tracking process by log: Not required

Public
Storage on fixed media: Clear
Storage on exchangeable media: Clear
Copying: No restriction
Faxing: No restriction
Sending by public network (e.g. Internet): Clear
Disposal: Normal disposal
Release to third parties: Not required
Electronic media labeling required: Date of release to public and classification
Hardcopy labeling required: Date of release to public and classification
Internal and external packaging: Single envelope with no marking
Granting access rights: No restrictions
Tracking process by log: Not required
