The primary objective of the Identify function is to help government organizations understand their ICT resources (systems, people, assets, data and capabilities) and the risks associated with those resources, so that cybersecurity risk can be managed.
An Information Asset is any information that has value to the organization in performing its organizational functions. The government organization must identify all such assets and provide them with adequate protection. Information assets must be identified with the intention of protecting them from unauthorized access, use, disclosure, disruption, modification or destruction, in order to ensure the integrity, confidentiality and availability of those assets.
Government organizations should establish, record and maintain an Information Asset Register (IAR): a formal catalogue (inventory) of all security classified information assets that the organization holds and processes, maintained at a central location. The Information Asset Register should be accurate, up to date, consistent and aligned with other inventories. It is the responsibility of the Deputy HOO to ensure that the IAR is formulated and maintained. The RMC, in concurrence with the IAO, shall develop the IAR.
The IAR should include the following:
The IAR should have a default classification of CONFIDENTIAL because of the detail it provides on other security classified information. It is to be reviewed and maintained at least annually to ensure it meets the requirements of the Sri Lanka Government Information Classification Framework and organizational needs.
The IT Hardware Asset registry shall contain, at a minimum:
The IT Software Assets registry shall contain, at a minimum:
License Information
Purchase Information
The IT Asset Registries should be accurate, up to date, consistent and aligned with other inventories.
An Asset Owner and a Custodian should be identified for each asset. An Information Asset Owner is the individual responsible for controlling the whole lifecycle of an asset. The Custodian of the information asset is responsible for protecting the asset and for implementing the controls (as identified and approved by the owner of the information asset) related to its protection. Together, the Owner and the Custodian are responsible for managing the entire lifecycle of the asset, from creation through modification to destruction. The HOO, in concurrence with the Functional Heads, shall nominate an IAO/CA.
The organization should identify the users who should have access to Information Assets and IT Assets. Users should be identified based on the Need-to-Know and Need-to-Use principles.
Under the Need-to-Know principle, users are granted access only to the information they need to perform their tasks. Under the Need-to-Use principle, users are granted only the minimum privileges on IT Assets that are needed to perform their task or job.
The RMC, in collaboration with the IAOs, should conduct a comprehensive risk assessment to determine the threats to and vulnerabilities of the organization's assets, and the impact those threats and vulnerabilities would have on the assets. The objective of risk management is to
The RMC should classify assets (Information Assets and IT Assets) to ensure that each asset receives an appropriate level of protection in accordance with legal and operational requirements, its value, its criticality and its sensitivity to unauthorized disclosure or modification, while taking into consideration the level of impact on the organization if the confidentiality, integrity or availability of the asset in question is compromised.
Levels of Security Classification
Broadly, five levels of security classification (four classification levels plus the interim status Unclassified) have been defined as part of the Information Classification Framework: Unclassified, Public, Limited Sharing, Confidential and Secret.
A. Unclassified
All Government information, until such time as it is evaluated and classified, must be allocated the interim classification status "Unclassified". Unclassified information should be treated in the same way as, or more strictly than, information classified as Limited Sharing.
Prior authorization must be obtained from the information owner before unclassified material is released to the public (which in effect changes the classification of the information).
B. Public
Any information which is readily available to the public, Government employees, organizations, regulators, project managers, support staff and contractors, including information deemed public by legislation or through a policy of routine disclosure, can be classified as "Public". This type of information requires minimal or no protection from disclosure. Examples of public information include:
C. Limited Sharing
Information is security classified as "Limited Sharing" when its compromise carries a minor probability of causing limited damage to the Sri Lankan Government, commercial entities or members of the public. Unauthorized disclosure of this information would cause negligible or no damage to internal security, the Sri Lankan forces or Sri Lanka's foreign relations. Examples of Limited Sharing information are:
D. Confidential
Information is classified as "Confidential" when its compromise carries a high probability of causing damage to national security, internal stability, national infrastructure, the forces, commercial entities or members of the public.
Material marked "CONFIDENTIAL" is subject to handling restrictions: its disclosure may be limited or prohibited. Examples of Confidential information are:
E. Secret
Information is classified as "Secret" when its compromise could cause serious damage to national security, the Government, nationally important economic and commercial interests, or could threaten life. It could also raise international tension and seriously damage relations with other governments, shut down or substantially disrupt significant national infrastructure, and seriously damage the internal stability of Sri Lanka or other countries. Examples of Secret information are:
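The handling rules set out above (the ordering of the classification levels, the requirement that interim "Unclassified" material be handled at least as Limited Sharing, the owner's authorization before unclassified material is released, the Owner/Custodian fields of the Information Asset Register and its default CONFIDENTIAL marking, and Need-to-Know access) can be expressed as a small register model. The code below is an added illustration written for this page; it is not code from Sri Lanka CERT or from the framework. The asset names, user identifiers and the `public_release_authorised` field are constructed assumptions used to make the rules checkable.

```python
"""Toy model of the classification handling and access rules described above.
Added illustration; not part of the Sri Lanka Government framework.
All asset names, users and identifiers below are constructed sample data."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Protection levels in ascending order of sensitivity."""
    PUBLIC = 0
    LIMITED_SHARING = 1
    CONFIDENTIAL = 2
    SECRET = 3


UNCLASSIFIED = "Unclassified"   # interim status, not a protection level in itself


def effective_level(marking):
    """Map a marking to the level it must be handled at.
    Interim Unclassified material is handled at least as Limited Sharing."""
    if marking == UNCLASSIFIED:
        return Level.LIMITED_SHARING
    return Level[marking]


@dataclass
class InformationAsset:
    asset_id: str
    name: str
    owner: str        # Information Asset Owner (IAO)
    custodian: str    # Custodian implementing the owner's approved controls
    marking: str      # UNCLASSIFIED or a Level name
    # Assumed field: records the owner's prior authorization to release to the public
    public_release_authorised: bool = False


@dataclass
class User:
    user_id: str
    clearance: Level
    need_to_know: set = field(default_factory=set)   # asset_ids needed for the task


@dataclass
class InformationAssetRegister:
    """The register itself defaults to CONFIDENTIAL because of what it reveals."""
    marking: str = Level.CONFIDENTIAL.name
    assets: dict = field(default_factory=dict)

    def register(self, asset):
        self.assets[asset.asset_id] = asset

    def may_access(self, user, asset_id):
        """Need-to-Know: the asset must be required for the user's task,
        and the user's clearance must meet the asset's effective level."""
        asset = self.assets.get(asset_id)
        if asset is None or asset_id not in user.need_to_know:
            return False
        return user.clearance >= effective_level(asset.marking)

    def may_release_to_public(self, asset_id):
        """Public material is releasable; interim Unclassified material needs
        the owner's prior authorization (in effect a reclassification)."""
        asset = self.assets[asset_id]
        if asset.marking == Level.PUBLIC.name:
            return True
        if asset.marking == UNCLASSIFIED:
            return asset.public_release_authorised
        return False


def build_sample_register():
    """Constructed sample register for a stand-alone run."""
    iar = InformationAssetRegister()
    iar.register(InformationAsset("A-001", "Press release draft", "owner1", "cust1", "PUBLIC"))
    iar.register(InformationAsset("A-002", "Newly received file", "owner1", "cust1", UNCLASSIFIED))
    iar.register(InformationAsset("A-003", "Network diagram", "owner2", "cust2", "CONFIDENTIAL"))
    return iar


if __name__ == "__main__":
    iar = build_sample_register()
    analyst = User("user1", Level.CONFIDENTIAL, need_to_know={"A-002"})
    print(iar.may_access(analyst, "A-002"))     # True: cleared and on the need-to-know list
    print(iar.may_access(analyst, "A-003"))     # False: cleared, but no need-to-know
    print(iar.may_release_to_public("A-002"))   # False: owner has not authorised release
```

The point the model makes is that clearance alone never grants access: a user cleared to CONFIDENTIAL is still refused a CONFIDENTIAL asset that is not on their need-to-know list, and a user with only PUBLIC clearance is refused interim Unclassified material because it is handled at the Limited Sharing level until classified.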
The diagram below represents the Sri Lanka Government Information Classification model; details of each of its elements are described in the sections below:
Address
Sri Lanka CERT,
Room 4-112, BMICH, Bauddhaloka Mawatha,
Colombo 07, Sri Lanka.
Phone
+94 11 269 1692 / +94 11 269 5749
+94 11 267 9888
Email
cert@cert.gov.lk