Identify assets, owners, users, and risk

The primary objective of the Identify function is to help government organizations understand their ICT resources (systems, people, assets, data, and capabilities) and the risks associated with those resources, so that cybersecurity risk can be managed.

An Information Asset is any information that has value to the organization in performing its organizational functions. The government organization must identify all assets and provide adequate protection to those assets. Identification of information assets must be done with the intention of protecting assets from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to ensure the integrity, confidentiality, and availability of those assets.

  1. Record and Maintain an Information Asset Register (IAR)

    Government organizations should establish, record and maintain an Information Asset Register (IAR): a formal catalogue (inventory) of all security classified information assets an organization holds and processes, maintained at a central location. The Information Asset Register should be accurate, up to date, consistent and aligned with other inventories. It is the responsibility of the Deputy HOO to ensure that the IAR is formulated and maintained. The RMC, in concurrence with the IAO, shall develop the IAR.

    The IAR should include the following:

    • Name or unique identifier of the asset or group of assets
    • Description of the information asset
    • Location of the information asset, including the device on which it is stored
    • Information owner and information custodian
    • Classification of the information asset
    • Date of classification, with details of the authority of the classifier
    • Reason for the classification of the information asset
    • Date to review the classification (if known)
    • Users and usage of the information
    • Number of copies in circulation and their location
    • Disposal details where information has been disposed of (if applicable)

    The IAR should have a default classification of CONFIDENTIAL because of the detail it provides on other security classified information. It is to be reviewed and maintained at least annually to ensure it meets the requirements of the Sri Lanka Government Information Classification Framework and the organization's needs.

  2. Recording and Maintaining an IT Asset Registry [AR]

    The IT Hardware Asset register shall contain, at a minimum:

    • Device Name
    • Serial Number
    • Machine reference / Label if any
    • Type of Asset
    • User
    • Location
    • Risk Exposure
    • Classification
    • Purchase date
    • Warranty period
    • Warranty expiration
    • Vendor supplier detail
    • Printer/Scanner
    • HDD / RAM if applicable
    • License Details
    • Operating System

    The IT Software Asset register shall contain, at a minimum:

      Software Description

      • Application Identification Number
      • Application Name
      • Description
      • Version

      License Information

      • License Type
      • Expiry/Renewal Date
      • Serial Number
      • Qty Purchased

      Purchase Information

      • Purchase Date
      • Purchase Order / Payment Voucher No.
      • Purchase Cost
      • Vendor Name
      • Contact Person
      • Contact No.

    The IT Asset Registers should be accurate, up to date, consistent and aligned with other inventories.

  3. Defining Asset Owners (AO) and Asset Custodians (CA)

    An Asset Owner and a Custodian should be identified for each asset. An Information Asset Owner is an individual who has responsibility for controlling the whole lifecycle of an asset. The Custodian of the information asset is responsible for the protection of the asset and for implementing the controls (as identified and approved by the owner of the information asset) related to its protection. Together, the Owner and Custodian are responsible for managing the entire lifecycle of the asset, from creation and modification to destruction. The HOO, in concurrence with the Functional Heads, shall nominate an IAO/CA.

  4. Limiting of User Access to Assets

    The organization should identify the users who should have access to Information Assets and IT Assets. Users should be identified based on the Need-to-Know and Need-to-Use principles.

    Under the Need-to-Know principle, users are granted access only to the information they need to perform their tasks. Under the Need-to-Use principle, users are granted only the minimum privileges on IT Assets that are needed to perform their task or job.

  5. Conducting Risk Assessments based on Assets

    The RMC, in collaboration with the IAOs, should conduct a comprehensive risk assessment to determine the threats to and vulnerabilities of the organization's assets, and their impact on those assets. The risk management process consists of the following steps:

    1. Asset Identification: the RMC shall identify all information assets and collect the data needed to identify the IT-related risks associated with each asset.
    2. Evaluation of Threats and Vulnerabilities: identify the threats and vulnerabilities associated with the information assets and the likelihood of their occurrence.
    3. Evaluation of Impact: the Impact is the outcome of a threat exploiting a vulnerability. It can vary in magnitude and depends on the severity of the breach and its timing. The RMC should identify all potential impacts of the identified threats.
    4. Calculation of Risk: the RMC should implement a risk calculation process that estimates the risk exposure of each asset from the probability of occurrence and the magnitude of the impact. A risk level matrix is to be defined for calculating this risk exposure.
    5. Evaluation of and Response to Risk Exposure: the RMC is to develop a risk response plan/strategy in terms of risk mitigation, acceptance, avoidance and transfer. Countermeasures should be identified in terms of preventive, detective and corrective controls. Periodic reviews should be conducted to revisit the identified risks and the outcomes of the responses.

  6. Classification and Determining the Criticality of Assets
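    The following Python script is an added worked example, not part of the framework text and not the Sri Lanka government's own tooling. It serves two of the sections above: it checks an IAR record against the fields listed in section 1, and it carries the risk calculation of section 5 (step 4) through an assumed 5x5 likelihood-by-impact matrix, then attaches an illustrative response type from step 5. The field names, the 1-to-5 scoring, the band thresholds, the response mapping and the sample register entry and threat scenarios are all constructed assumptions; the framework only requires that a risk level matrix be defined.

```python
"""Added example: IAR record validation plus a likelihood x impact risk matrix.

Everything here (field names, score bands, sample data) is an assumption made
for illustration; the framework text prescribes the concepts, not these values.
"""
from dataclasses import dataclass

# Fields the framework lists for each IAR entry. Review date and disposal
# details are optional in the text, so they are not required here.
REQUIRED_IAR_FIELDS = (
    "identifier", "description", "location", "owner", "custodian",
    "classification", "classified_on", "classifier", "reason", "users", "copies",
)
CLASSIFICATION_LEVELS = ("Unclassified", "Public", "Limited Sharing",
                         "Confidential", "Secret")


def validate_iar_entry(entry: dict) -> list[str]:
    """Return the problems found in one IAR record; an empty list means valid."""
    problems = [f"missing field: {f}" for f in REQUIRED_IAR_FIELDS if not entry.get(f)]
    level = entry.get("classification")
    if level and level not in CLASSIFICATION_LEVELS:
        problems.append(f"unknown classification: {level}")
    return problems


def risk_score(likelihood: int, impact: int) -> int:
    """Assumed matrix: both factors scored 1..5, risk exposure = product."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be scored 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Assumed bands of the risk level matrix (score 1..25)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


# Illustrative default response per band, using the response types named
# in step 5 (mitigate / accept / avoid / transfer).
RESPONSE_FOR_LEVEL = {
    "Critical": "mitigate",
    "High": "mitigate",
    "Medium": "transfer or mitigate",
    "Low": "accept",
}


@dataclass
class Scenario:
    """One threat/vulnerability pair evaluated against one asset (step 2 and 3)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5
    impact: int      # 1..5


def assess(scenarios: list[Scenario]) -> list[dict]:
    """Score each scenario and return them highest risk first (step 4 and 5)."""
    rows = []
    for s in scenarios:
        score = risk_score(s.likelihood, s.impact)
        level = risk_level(score)
        rows.append({"asset": s.asset, "threat": s.threat, "score": score,
                     "level": level, "response": RESPONSE_FOR_LEVEL[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data (not real assets of any organization).
SAMPLE_ENTRY = {
    "identifier": "IA-0001", "description": "Personnel case files",
    "location": "HR file server, share \\\\hr-fs\\cases", "owner": "Head of HR",
    "custodian": "HR systems administrator", "classification": "Confidential",
    "classified_on": "2024-01-15", "classifier": "Head of HR (IAO)",
    "reason": "personnel files; unauthorized disclosure would damage staff",
    "users": "HR officers only (need-to-know)", "copies": "1 (server only)",
}
SAMPLE_SCENARIOS = [
    Scenario("Personnel case files", "unauthorized disclosure",
             "share readable by all staff", likelihood=4, impact=4),    # 16 Critical
    Scenario("Cabinet documents", "loss of laptop",
             "disk not encrypted", likelihood=2, impact=5),             # 10 High
    Scenario("Job postings web page", "defacement",
             "content system missing patches", likelihood=3, impact=1),  # 3 Low
]

if __name__ == "__main__":
    print("IAR problems:", validate_iar_entry(SAMPLE_ENTRY) or "none")
    for row in assess(SAMPLE_SCENARIOS):
        print(f"{row['score']:>2} {row['level']:<8} {row['asset']}: {row['response']}")
```

    Running the script prints the scenarios in descending order of risk exposure, which is the order in which the RMC would address them in the response plan. Changing the band thresholds in `risk_level` or the mapping in `RESPONSE_FOR_LEVEL` is how an organization would encode the matrix it has actually defined.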

    The RMC should classify assets (Information Assets and IT Assets) to ensure that each asset receives an appropriate level of protection in accordance with legal and operational requirements, value, criticality and sensitivity to unauthorized disclosure or modification, taking into consideration the level of impact to the organization if the confidentiality, integrity or availability of that asset is compromised.

  7. Levels of Security Classification

    Broadly, five levels of security classification (four classification levels plus Unclassified) have been defined as part of the Information Classification Framework: Unclassified, Public, Limited Sharing, Confidential and Secret.

    A. Unclassified

    All Government information, until evaluated and classified, must be allocated the interim classification status "Unclassified". Any unclassified information should be handled in the same way as, or more restrictively than, information classified as Limited Sharing.

    Prior authorization must be obtained from the information owner to release unclassified material to the public (which is in effect changing the classification of the information).

    B. Public

    Any information which is readily available to the public, Government employees, organizations, regulators, project managers, support staff and contractors, including information deemed public by legislation or through a policy of routine disclosure, can be classified as "Public". This type of information requires minimal or no protection from disclosure. Examples of public information include:

    • Government acts and policies;
    • Organization contact persons;
    • Information on public services provided to citizens by Government;
    • Weather Information; and
    • Advertisement for job postings.

    C. Limited Sharing

    Information is security classified as "Limited Sharing" when its compromise carries a minor probability of causing limited damage to the Sri Lankan Government, commercial entities or members of the public. Unauthorized disclosure of this information will cause negligible or no damage to internal security, the Sri Lankan forces or Sri Lanka's foreign relations. Examples of Limited Sharing information are:

    • Organization processes and information
    • Personal information of citizens
    • Minutes of meetings and file notes of Organizations
    • Government evaluation on a company’s products
    • Inventory data

    D. Confidential

    Information is classified as "Confidential" when its compromise carries a high probability of causing damage to national security, internal stability, national infrastructure, the forces, commercial entities or members of the public.

    For material marked 'CONFIDENTIAL', disclosure of the information asset may be limited or prohibited. Examples of Confidential information are:

    • Personal case files such as benefits, program files or personnel files
    • Tax returns or financial health of organization
    • Sharing of personal health information of individual
    • Trade secrets
    • Salary information

    E. Secret

    Information is classified as "Secret" when its compromise could cause serious damage to national security, the Government, nationally important economic and commercial interests, or could threaten life. It could also raise international tension and seriously damage relations with other governments, shut down or substantially disrupt significant national infrastructure, and seriously damage the internal stability of Sri Lanka or other countries. Examples of Secret information are:

    • Details of sex offenders and victims;
    • Criminal investigations for major crime;
    • Data related to foreign affairs;
    • Cabinet documents; and
    • Provincial Budget prior to public release.

    The diagram below represents the Sri Lanka Government Information Classification model; details of each of its elements are described in the sections below: