Dear Records Management Community,
Apologies if this is not the correct mailing list, and please do direct me if there is a more appropriate one.
I have a question regarding information asset owners, end user classification and the associated security and handling rules.
From a dataset perspective, for example a database, an information asset owner, e.g. Head of business function (Department or Faculty), would define which datasets correspond to which information security classifications, e.g. Public, Restricted or Confidential, based on sensitivity and value, and the classification would in turn determine the associated security controls and handling rules.
Now in the case of email or an office document which the end user is required to mark with an appropriate information classification, are they considered a creator of information and/or the information asset owner? I believe they are the creator of information, and classifying based on the rules set out by the information owner. For example, an HR staff member composes a staff email to discuss recruitment with an internal manager of a department. The information owner, i.e. head of HR in this example, would have previously defined a rule along the lines of: communication internally within the organisation for limited distribution, but without personally identifiable information (PII) = classify as Restricted. If also containing PII, mark as Confidential. Based on this, the HR staff end user creating the email would apply these rules and select the appropriate information classification for the email to be sent.
I'm currently working on a set of policies and documenting what constitutes an Information Asset Owner and providing examples. I have seen differing opinions with regard to the end user, and whether they are solely a creator of information, acting upon the direction of the information owner and the defined rules, or whether they are also the information owner themselves.
I would welcome your comments and thoughts on this matter.
Best wishes,
Tim
Tim Lucas, MSc, CISSP
IT Security Manager
Information Technology
Birmingham City University