ISO/IEC 27001 Control 5.12: Classification of information
Control
Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint has a native information classification feature, which can be used to set up classification and clearance schemes.
Implementation Details
MidPoint ships with pre-configured archetypes for classifications and clearances, which can be used to build classification and clearance schemes. Policy rules can be attached to individual classifications to express their requirements; these rules are applied transitively to every object that gives access to a classified asset (usually roles). Classification is a generic mechanism that can apply to a variety of objects: roles, organizational units, projects and services. Object governance features can be used to track the owners accountable for assets, and even custodians for individual classifications and clearances. The access request and approval process can be used in addition to the automatic rules, which allows access control at a finer level; for example, additional approval levels can be set up for access to applications with higher classification levels.
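To make the "transitive" part of the mechanism concrete, the following is an added, self-contained Python model of classification and clearance checking. It is not midPoint code or midPoint configuration, and the asset, role and user names in it are constructed for the example: classifications are attached to assets, every role that grants access to a classified asset (directly or through the role hierarchy) inherits those classifications, and a user may hold such a role only if they hold a clearance for each inherited classification.

```python
from __future__ import annotations
from dataclasses import dataclass

# Illustrative model only: not midPoint's objects or schema. Names are constructed.


@dataclass(frozen=True)
class Asset:
    name: str
    classifications: frozenset[str]  # labels such as "CONFIDENTIAL" or "PII"


@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset[str] = frozenset()    # assets this role gives access to
    includes: frozenset[str] = frozenset()  # roles this role inherits (role hierarchy)


@dataclass(frozen=True)
class User:
    name: str
    clearances: frozenset[str] = frozenset()  # classifications the user is cleared for
    roles: frozenset[str] = frozenset()       # roles assigned to the user


def effective_classifications(role_name: str, roles: dict[str, Role],
                              assets: dict[str, Asset], _seen: set[str] | None = None) -> set[str]:
    """Collect every classification reachable from a role, following both its
    direct asset grants and the roles it includes (the transitive application)."""
    if _seen is None:
        _seen = set()
    if role_name in _seen:  # role hierarchies may contain cycles; visit each role once
        return set()
    _seen.add(role_name)
    role = roles[role_name]
    labels: set[str] = set()
    for asset_name in role.grants:
        labels |= assets[asset_name].classifications
    for inner in role.includes:
        labels |= effective_classifications(inner, roles, assets, _seen)
    return labels


def check_user(user: User, roles: dict[str, Role], assets: dict[str, Asset]) -> list[str]:
    """Return a sorted list of violations: one entry per classification that an
    assigned role requires and the user has no clearance for."""
    violations = []
    for role_name in sorted(user.roles):
        missing = effective_classifications(role_name, roles, assets) - user.clearances
        for label in sorted(missing):
            violations.append(f"{user.name}: role '{role_name}' requires clearance '{label}'")
    return violations


def audit(users: dict[str, User], roles: dict[str, Role],
          assets: dict[str, Asset]) -> dict[str, list[str]]:
    """Run the clearance check for every user; an empty list means compliant."""
    return {name: check_user(user, roles, assets) for name, user in users.items()}


# Constructed sample data: a classified payroll database, an unclassified wiki,
# a role hierarchy in which hr-manager inherits payroll-admin, and two users.
ASSETS = {
    "payroll-db": Asset("payroll-db", frozenset({"CONFIDENTIAL", "PII"})),
    "wiki": Asset("wiki", frozenset()),
}
ROLES = {
    "payroll-admin": Role("payroll-admin", grants=frozenset({"payroll-db"})),
    "hr-manager": Role("hr-manager", includes=frozenset({"payroll-admin"})),
    "employee": Role("employee", grants=frozenset({"wiki"})),
}
USERS = {
    "alice": User("alice", frozenset({"CONFIDENTIAL", "PII"}), frozenset({"hr-manager"})),
    "bob": User("bob", frozenset({"CONFIDENTIAL"}), frozenset({"hr-manager", "employee"})),
}

if __name__ == "__main__":
    for name, problems in audit(USERS, ROLES, ASSETS).items():
        print(name, "OK" if not problems else problems)
```

In the sample data, bob holds hr-manager, which does not grant payroll-db itself but inherits payroll-admin, which does; the check therefore reports that bob lacks the PII clearance even though nothing in his direct assignments mentions that asset. This is the consistency between access rights and classification that a policy rule on the classification enforces, rather than a per-role rule that would have to be repeated wherever the asset is reachable.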
Implementation Notes
- Control 5.15 (access control) asks for consistency between access rights and classification (controls 5.12, 5.13); midPoint provides this by employing policy rules in classifications.
- There are pre-configured archetypes for classifications and clearances in midPoint 4.9 and later. There are also pre-configured collections and views.
Rationale
As midPoint has an integrated information classification mechanism, it can easily couple classifications, clearances and access control policies. This creates high-level governance policies that can be used to check the correctness of complex configurations or RBAC structures. This approach is necessary to keep policies maintainable in large deployments.
Documentation
| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1 |
| 4.8 | Information Classification and Clearances | Introduction of classification schemes, example of classification scheme based on EU NIS1 |
Related Features
Related Controls
- ISO/IEC 27001 5.8: Information security in project management
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.10: Acceptable use of information and other associated assets
- ISO/IEC 27001 5.19: Information security in supplier relationships
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.21: Managing information security in the ICT supply chain
- ISO/IEC 27001 5.31: Legal, statutory, regulatory and contractual requirements
- ISO/IEC 27001 6.3: Information security awareness, education and training
- ISO/IEC 27001 6.6: Confidentiality or non-disclosure agreements
- ISO/IEC 27001 8.27: Secure system architecture and engineering principles