This page supports policy statement 6.1 in the new Information Security Policy.
Summary of Policy Requirements
- Record important information about all information assets in an asset register.
- Classify all information assets according to the importance of their confidentiality, integrity and availability.
How to Comply
An information asset is a piece of information that has some interest or value to UCL, which can be a definable set of structured data or a collection of unstructured information. An information asset register is an inventory of information assets, where important information about each asset is recorded. Information assets can be stored digitally in IT systems or on physical media.
Controls
A good way to start complying with the policy statement about information asset classification is to implement Appropriate Security Controls, the most relevant of which is the following baseline security control in the Risk Management category. Other baseline security controls are designed to preserve the confidentiality, availability and integrity of information assets.
Control description
- The information assets processed by all systems/services/applications are identified and documented.
Control purpose or benefit
- To establish a comprehensive and centralised inventory of information assets to enable status tracking, effective risk management, protection, and accountability.
Control implementation and self-assessment guidance
- For information assets containing personal data: The UCL Record of Processing Activities (ROPA) is up to date.
- For other information assets: There is a local record of information assets stored or processed by the local systems.
A Data Owner should submit a Data Protection Impact Assessment (DPIA) if any of their data contains personal data stored or processed by any UCL systems. The Data Protection team will use the DPIA to update UCL’s ROPA if appropriate.
At a minimum, the following information about each asset should be recorded in an asset register.
- Name of Data Owner
- Confidentiality, integrity and availability classifications
- Storage system identifier
- Storage location or filesystem path
Classification and labelling
Each information asset should be classified according to the importance of its confidentiality, integrity and availability, which are defined as follows.
- Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes.
- Integrity is the property of accuracy and completeness.
- Availability is the property of being accessible and usable on demand by an authorised entity.
The following table shows all the possible confidentiality, integrity and availability classifications.
| Importance | Confidentiality classification | Integrity classification | Availability classification | Labelling required? |
| --- | --- | --- | --- | --- |
| Not important | Public | Low | Low | No |
| Important | Confidential | Medium | Medium | Yes |
| Critical | Highly Confidential | High | High | Yes |
Information assets should be labelled according to their confidentiality, integrity and availability classifications, as described above.
The following Risk Impact Assessment Criteria from ISD's Risk Assessment Process can be used to evaluate the impact of potential breaches of confidentiality, integrity and availability involving information assets.
* ADD RISK IMPACT ASSESSMENT CRITERIA TABLE *
Use the following flowcharts to classify information assets using the Risk Impact Assessment Criteria above.

* ADD INTEGRITY FLOW CHART *
* ADD AVAILABILITY FLOW CHART *
Roles, responsibilities and further questions
Data Owners can delegate classification and asset register management to Information Custodians.
If you have any questions that haven’t been answered by the information on this page, please don’t hesitate to ask the Information Security Group.
Policy statement
Data Owners must ensure that all information assets are identified, classified and documented.
