What is it?
Information classification is an ongoing risk management process that helps identify critical information assets (data, records, files) so that appropriate information security controls can be applied to protect them. It is the cornerstone of an effective and efficient business-aligned information security program.
Your agencies retain a wide variety of information assets, many of which are sensitive and/or critical to your mission and business functions and services. Information is being accessed through, and maintained in, a wider variety of formats and environments. If you do not know what information assets you have, their value to the business, and where they are stored, how can you assure they are protected properly?
Why is it important?
We are obligated to protect the information that New York State (NYS) citizens and business partners have entrusted to our care. Agency heads are ultimately responsible for assuring this occurs. Loss of information can lead to operational and productivity impacts; compliance, legal, financial and reputational risk; and potential loss of public trust. It is far less expensive to apply resources toward ensuring appropriate controls than to experience a breach and have to notify affected parties and remediate after the fact.
What resources are available to me?
Resources to support your information classification efforts are available for download below:
Information Classification Toolkit
- Information Security Policy
- Information Asset Identification and Classification Form
- NIST 800-53B Security Control Baselines
- Secure System Development Life Cycle (SDLC) Standard
For further information, please contact the Office of Information Technology Services Chief Information Security Office at 518-242-5200 or email at [email protected].