
💼 12 Information asset identification and classification - Classification methodology

  • Contextual name: 💼 12 Information asset identification and classification - Classification methodology
  • ID: /frameworks/apra-cpg-234/12
  • Located in: 💼 APRA CPG 234

Description

Empty...

Similar

  • Internal
    • ID: dec-b-b1a83cb1

Sub Sections

Columns: Section | Sub Sections | Internal Rules | Policies | Flags (only the Section column is populated for the entries below)

💼 29 In order to identify and classify information assets, an APRA-regulated entity would benefit from maintaining a classification methodology that provides clarity as to what constitutes an information asset, granularity considerations and the method for rating criticality and sensitivity. The rating could take into account the impact of an information security compromise on an information asset. Notably, an information asset could be assessed as having a different rating from the perspective of its criticality and sensitivity.
💼 30 APRA-regulated entities record information assets in various ways, sometimes at a very granular level and sometimes at an aggregated level. For example, a system can be seen as an aggregation of the underlying components (such as applications, databases, operating systems, middleware and data sets) and treated as a single information asset for classification purposes. Alternatively, a regulated entity could choose to treat each of the underlying components as individual information assets in their own right. Ultimately, the level of granularity would be sufficient to determine the nature and strength of controls required to protect the information asset.
💼 31 In APRA's view, where a regulated entity has chosen to aggregate a number of underlying components into a single information asset, the criticality and sensitivity ratings for that asset would typically inherit the criticality and sensitivity ratings of the constituent components with the highest ratings.
💼 32 In order to facilitate information asset registration and mapping of interrelationships to other information assets, APRA-regulated entities typically use an information asset inventory repository such as a configuration management database (CMDB).
💼 33 It is common for APRA-regulated entities to leverage existing business continuity impact analyses to assess an information asset's criticality. APRA-regulated entities would also typically maintain processes to systematically assess information asset sensitivity.