ISO/IEC 27001 Control 5.12: Classification of information

Control

Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint has a native information classification feature, which can be used to set up classification and clearance schemes.

Implementation Details

MidPoint ships pre-configured archetypes for classifications and clearances that can be used to build classification and clearance schemes. Policy rules can set requirements for individual classifications, and they apply transitively to all objects that give access to a classified asset (usually roles). Classification is a generic mechanism that can apply to a variety of objects: roles, organizational units, projects and services. Object governance features can be used to track the owners accountable for assets, and even custodians for individual classifications and clearances. The access request and approval process can be used in addition to automatic rules, which might provide access control at a finer level. Additional approval levels can be set up for access to applications with higher classification levels.
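The transitive rule described above, as an added example that is not midPoint code or configuration: a simplified Python model in which each classification requires a set of clearances and a role inherits the requirements of everything it gives access to. The classification scheme, object names and function names are constructed for illustration.

```python
# Simplified model of transitive classification requirements (not midPoint code).
# All object names and the classification scheme below are constructed samples.

# Classification -> clearances a user must hold before gaining access.
REQUIRED_CLEARANCES = {
    "public": set(),
    "internal": {"nda"},
    "restricted": {"nda", "security-training"},
}

# Classified objects (applications/services) and their classification.
CLASSIFICATION = {
    "app:wiki": "public",
    "app:hr-system": "internal",
    "app:payroll-db": "restricted",
}

# What each role gives access to: other roles or classified objects.
INDUCEMENTS = {
    "role:employee": ["app:wiki"],
    "role:hr-clerk": ["role:employee", "app:hr-system"],
    "role:payroll-admin": ["role:hr-clerk", "app:payroll-db"],
    "role:loop-a": ["role:loop-b"],          # cyclic definitions must not hang
    "role:loop-b": ["role:loop-a", "app:hr-system"],
}


def required_clearances(obj, _seen=None):
    """Union of clearances required by every classified object reachable from obj."""
    seen = _seen if _seen is not None else set()
    if obj in seen:
        return set()
    seen.add(obj)
    needed = set()
    if obj in CLASSIFICATION:
        label = CLASSIFICATION[obj]
        if label not in REQUIRED_CLEARANCES:
            raise ValueError(f"{obj}: unknown classification {label!r}")
        needed |= REQUIRED_CLEARANCES[label]
    for child in INDUCEMENTS.get(obj, []):
        needed |= required_clearances(child, seen)
    return needed


def violations(user_clearances, assigned_roles):
    """Map each assigned role to the clearances the user is missing for it."""
    missing = {r: required_clearances(r) - set(user_clearances) for r in assigned_roles}
    return {role: gap for role, gap in missing.items() if gap}
```

A role that only nests other roles still picks up the requirements of the classified applications at the bottom of the chain, which is the consistency between access rights and classification that the control asks for.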

Implementation Notes

  • Control 5.15 (access control) asks for consistency between access rights and classification (controls 5.12, 5.13), which midPoint provides by employing policy rules in classifications.

  • There are pre-configured archetypes for classifications and clearances in midPoint 4.9 and later. There are also pre-configured collections and views.

Rationale

Because midPoint has an integrated information classification mechanism, it can easily couple classifications, clearances and access control policies. This creates high-level governance policies that can be used to check the correctness of complex configurations or RBAC structures. This approach is necessary to keep policies maintainable in large deployments.

Documentation

Version | Title | Description
Development | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1
4.8 | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1