An IT Architecture for Emory University
Adopted by CIRT
Security Domain Architecture
February 20, 2002
ITA Version 1.9.8
© 2000 Emory University
Page 12-17
A-6. Provide an asset security classification scheme.
Status: Adopted
The Security Architecture should include a classification scheme that allows
owners of resources to indicate the level of protection needed for a resource in
terms that are understandable to the owner and that can be linked to specific
protective measures. The classification scheme should use no more categories
than are needed to capture real differences in protection.
Example 10.
A university needed to ensure that its IT assets were appropriately protected. Since not all resources needed the same level of protection, it created a rating scheme intended to be understandable by university officials while balancing simplicity against the need to provide sufficient information. The scheme rated IT assets according to their criticality, data sensitivity, and technology risk. These attributes were given values as follows: criticality could be vital, critical, important, or valued; sensitivity could be restricted, confidential, proprietary, or public; technology risk could be high, medium, or low. The university defined the meanings of these terms and obtained ratings from everyone responsible for, or directly dependent upon, the assets. With the help of its IT staff it was able to translate the ratings into requirements for physical protection, firewall protection, default accessibility, vulnerability scanning, backup frequency and storage, etc.
Justification
The means of protecting assets need to be separated from statements of the level of protection needed, so that owners can specify their needs in terms relevant to them without having to understand countermeasures that can vary over time, be technically intricate, and be specific to the technologies involved.
Implications
1. The owners classify their resources, which determines what custodians can do.
2. The owner is responsible for ensuring that classification of a resource occurs, but could delegate doing that to a steward.
3. An analyst role is needed to determine countermeasures.
4. Technologies to implement common countermeasures need to be in place so that the countermeasures can be offered as soon as they are needed.
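The following Python model is an added illustration of Example 10 and of the separation argued for in the Justification; it is not part of the Emory document. Owners (or a delegated steward) record a rating in the scheme's own words, and an analyst-owned policy table translates that rating into protective measures. The categories are the document's; the thresholds in the policy table, the asset names, and the function names are assumptions chosen for the example.

```python
"""Added example, not part of the Emory ITA document: a model of the
Example 10 rating scheme and of the owner/analyst separation described in
the Justification. The mapping from ratings to countermeasures is assumed;
the document names the categories but not the thresholds."""
from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    VALUED = 1
    IMPORTANT = 2
    CRITICAL = 3
    VITAL = 4


class Sensitivity(Enum):
    PUBLIC = 1
    PROPRIETARY = 2
    CONFIDENTIAL = 3
    RESTRICTED = 4


class TechRisk(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Rating:
    """What the owner (or a delegated steward) records, in the scheme's own terms."""
    asset: str
    owner: str
    criticality: Criticality
    sensitivity: Sensitivity
    tech_risk: TechRisk


def parse_rating(asset: str, owner: str, criticality: str,
                 sensitivity: str, tech_risk: str) -> Rating:
    """Accept a rating submitted as words and reject any term outside the scheme."""
    try:
        return Rating(asset, owner, Criticality[criticality.upper()],
                      Sensitivity[sensitivity.upper()], TechRisk[tech_risk.upper()])
    except KeyError as exc:
        raise ValueError(f"unknown rating term: {exc.args[0]!r}") from None


# Analyst-owned policy (assumed thresholds). It is kept apart from the ratings
# so it can change as technology changes without owners re-rating their assets.
DEFAULT_POLICY = {
    "backup_frequency": {Criticality.VITAL: "hourly", Criticality.CRITICAL: "daily",
                         Criticality.IMPORTANT: "weekly", Criticality.VALUED: "monthly"},
    "offsite_backup_from": Criticality.CRITICAL,
    "scan_interval_days": {TechRisk.HIGH: 7, TechRisk.MEDIUM: 30, TechRisk.LOW: 90},
    "default_deny_from": Sensitivity.CONFIDENTIAL,
    "firewall_zone": {Sensitivity.RESTRICTED: "isolated", Sensitivity.CONFIDENTIAL: "internal",
                      Sensitivity.PROPRIETARY: "internal", Sensitivity.PUBLIC: "dmz"},
    "locked_room_from": Criticality.CRITICAL,
}


def derive_requirements(rating: Rating, policy: dict = DEFAULT_POLICY) -> dict:
    """Translate an owner's rating into concrete protective measures (the analyst role)."""
    crit, sens, risk = rating.criticality, rating.sensitivity, rating.tech_risk
    return {
        "backup_frequency": policy["backup_frequency"][crit],
        "offsite_backup": crit.value >= policy["offsite_backup_from"].value,
        "scan_interval_days": policy["scan_interval_days"][risk],
        # Sensitive data is closed by default and opened on request, not the reverse.
        "default_access": "deny" if sens.value >= policy["default_deny_from"].value else "allow",
        "firewall_zone": policy["firewall_zone"][sens],
        # Either high criticality or high sensitivity is enough to require a locked room.
        "physical_protection": ("locked_room"
                                if crit.value >= policy["locked_room_from"].value
                                or sens.value >= policy["default_deny_from"].value
                                else "standard"),
    }


if __name__ == "__main__":
    # Constructed sample ratings, as owners might submit them.
    records = parse_rating("student-records-db", "registrar", "vital", "restricted", "high")
    events = parse_rating("campus-events-site", "communications", "valued", "public", "low")
    for r in (records, events):
        print(r.asset, derive_requirements(r))
```

Because `derive_requirements` takes the policy as a parameter, tightening a countermeasure (for example, a shorter scan interval for high-risk technology) is a change to the analyst's table only; the ratings the owners supplied are untouched, which is the point of the Justification.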