
Information Security
CIA Guideline

Doc. No.:
Revision No.: 00
Issue No.: 01
Release Date:

             AUTHOR / OWNER    REVIEWED BY    APPROVED BY
NAME
DESIGNATION
SIGNATURE

Copyright ©

"No part of this document may be reproduced or transmitted in any form or by any means electronic or mechanical including
photocopying and recording or by any information storage or retrieval system except as may be expressly permitted by
((COMPANY NAME)) in writing by the Director or the Management Representative".

((COMPANY NAME))
DOCUMENT CONTROL PAGE

1. REVISION HISTORY

VERSION NO. (FROM / TO)   RELEASE DATE   SECTION/PAGE # CHANGED   AUTHOR   DETAILS OF CHANGES   REVIEWED BY

2. DOCUMENT AVAILABILITY

HARD / SOFT COPY   LOCATION AND PERSON WHERE AVAILABLE
HARD COPY          MR Cupboard / Computer
SOFT COPY          Location

3. DISTRIBUTION LIST*

DESIGNATION / DEPARTMENT                      COPY NO.
Information Security Representative (ISR)     01 (Original / Master Copy)
Copy for Certification Body and audits        02 (retained by ISR)

* Note: The master copy is maintained by the ISR, and the same copy is available on the server / to individual
users electronically (with access rights / write protected).

((COMPANY NAME)) .
Page 2 of 9
1.0 OBJECTIVE:

This guideline defines the parameters for assigning a value for Confidentiality, Integrity and Availability (CIA)
to an information asset on a scale of 1 to 5, where 1 is the lowest and 5 is the highest.

2.0 VALUES:

The CIA values are relative to business impact; on the 1-5 scale they mean:
Value = 1 means Very Low
Value = 2 means Low
Value = 3 means Medium
Value = 4 means High
Value = 5 means Very High

The guideline below for CIA values 1-5 is to be followed for each asset group:

Asset Group   CIA   Value   Comment/Remark

Server (SER)
  C  1  Access (physical & logical) is available without any restrictions.
  C  2  Some physical access controls are available but no logical access controls are available.
  C  3  Controls (physical & logical) for access are available within premises but no logical controls are in place for users accessing externally.
  C  4  Access controls within premises are available and some logical controls are in place (like user authentication) for users accessing externally.
  C  5  All access (physical & logical) is controlled (for internal and external users) and secured.
  I  1  Changes have no impact on business operation.
  I  2  Changes result in low business impact, e.g., loss of data not affecting core business operation.
  I  3  Changes result in medium business impact, e.g., loss of important data pertaining to core business operation.
  I  4  Changes result in high business impact, e.g., loss of HR data.
  I  5  Changes result in huge business impact, e.g., loss of financial data.
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)

  A  4  Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
  A  5  Is available for >= 98.5% of the time (on 24x7 basis)

Personal Computers (PCS)
  C  1  Data/file is available publicly without any restriction.
  C  2  All users of shared folders can view the data/file without a password.
  C  3  All users can view the information in shared folders with a password.
  C  4  Only the admin and the concerned user can view the information (data/files).
  C  5  Only the concerned user can view the information (data/files).
  I  1  Data/file can be changed without any restriction.
  I  2  Some business-critical data/files are password protected but other important data/files can be changed.
  I  3  All important & critical data/files are password protected but anybody within the group can change data/files.
  I  4  Only the administrator and the authorized users can change data/files.
  I  5  Only the concerned user can make modifications to data/files.
  A  1  Is available for < 80% of the time (on 12x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 12x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 12x7 basis)
  A  4  Is available for >= 95% but < 98% of the time (on 12x7 basis)
  A  5  Is available for >= 98% of the time (on 12x7 basis)

Printers (PRN)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for < 80% of the time (on 12x7 basis)
  A  2  Is available for >= 80% but < 85% of the time (on 12x7 basis)
  A  3  Is available for >= 85% but < 90% of the time (on 12x7 basis)
  A  4  Is available for >= 90% but < 95% of the time (on 12x7 basis)
  A  5  Is available for >= 95% of the time (on 12x7 basis)

Network (NET)
  C  1  Access (physical & logical) is available without any restrictions.
  C  2  Some physical access controls are available but no logical access controls are available.
  C  3  Controls (physical & logical) for access are available within premises but no logical controls are in place for users accessing externally.

  C  4  Access controls within premises are available and some logical controls are in place (like user authentication) for users accessing externally.
  C  5  All access (physical & logical) is controlled (for internal and external users) and secured.
  I  1  Modification to a configuration file or corruption of data in flow has no impact on business.
  I  2  Modification to a configuration file or corruption of data in flow results in low impact on business, e.g., rework effort.
  I  3  Modification to a configuration file or corruption of data in flow results in medium impact on business, i.e., data or information for some important business needs is not as expected.
  I  4  Modification to a configuration file or corruption of data in flow leads to high impact on core business operation/sensitive data.
  I  5  Modification to a configuration file or corruption of data in flow leads to total collapse / complete stoppage of the entire business operation.
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
  A  5  Is available for >= 98.5% of the time (on 24x7 basis)

Uninterrupted Power Supply (UPS)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for < 85% of the time (on 24x7 basis)
  A  2  Is available for >= 85% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
  A  5  Is available for >= 98.5% of the time (on 24x7 basis)

Power supply (PWS)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for less than 60% of the time (on 24x7 basis)
  A  2  Is available for 70% or above of the time (on 24x7 basis)
  A  3  Is available for 80% or above of the time (on 24x7 basis)
  A  4  Is available for 90% or above of the time (on 24x7 basis)
  A  5  Is available for 99% or above of the time (on 24x7 basis)

Software assets (SFW)
  C  1  Access is freely available to everybody without any restriction.
  C  2  Access is available to a group of people without any restrictions.
  C  3  Only the system administrator & permitted users have access.

  C  4  Only the system administrator & permitted users have access, based on privileges granted.
  C  5  Only authorized persons have access to software assets.
  I  1  Source code change does not impact business.
  I  2  Source code change results in low business impact, e.g., rework effort, etc.
  I  3  Source code change results in medium business impact, e.g., delay in commitments/deadlines for data/file submission, etc.
  I  4  Source code change has high business impact, resulting in loss of business opportunities, etc.
  I  5  Source code change has huge business impact, resulting in loss of market share, financial loss, etc.
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 99% of the time (on 24x7 basis)
  A  5  Is available for >= 99% of the time (on 24x7 basis)

Storage Media (MED)
  C  1  Storage media is available publicly without any restriction.
  C  2  Storage media is available to internal users without any restriction.
  C  3  Storage media is available to a group of assigned users without any restriction.
  C  4  Storage media is available to a group of assigned users with controls imposed.
  C  5  Storage media is available to assigned users based on privileges and user rights for access.
  I  1  No formal backup & restoration policies exist.
  I  2  Backups are taken but not regularly & are not verified.
  I  3  Backups are taken at regular frequency and occasionally verified by restoring.
  I  4  Backups are taken, labeled & documented properly and verified at defined periodic intervals.
  I  5  Backups of data/files are taken as per formal policy and restoration of backups is verified as per policy.
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 99% of the time (on 24x7 basis)
  A  5  Is available for >= 99% of the time (on 24x7 basis)

Information assets (INF)
  C  1  Data/file is publicly available to all users (internal & external).
  C  2  Data/file is available to all internal users but not to any external users.

  C  3  Data/file is available to all internal users within a department/site/group.
  C  4  Data/file is available to all users having defined privileges in the department/site/group.
  C  5  Data/file is available only to authorized persons of the department/site/group.
  I  1  Information corruption does not impact business.
  I  2  Information corruption results in low business impact, i.e., with little re-effort reliable information can be made available.
  I  3  Information corruption results in medium business impact, i.e., a few decisions go wrong due to improper information.
  I  4  Information corruption results in high business impact, e.g., competitors taking advantage.
  I  5  Information corruption results in huge business impact, e.g., financial loss, loss of market reputation, etc.
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 99% of the time (on 24x7 basis)
  A  5  Is available for >= 99% of the time (on 24x7 basis)

Service assets (SRV)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for < 80% of the time (on 24x7 basis)
  A  2  Is available for >= 80% but < 90% of the time (on 24x7 basis)
  A  3  Is available for >= 90% but < 95% of the time (on 24x7 basis)
  A  4  Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
  A  5  Is available for >= 98.5% of the time (on 24x7 basis)

Miscellaneous assets (MIS)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for < 65% of the time (on 12x7 basis)
  A  2  Is available for >= 65% but < 75% of the time (on 12x7 basis)
  A  3  Is available for >= 75% but < 85% of the time (on 12x7 basis)
  A  4  Is available for >= 85% but < 95% of the time (on 12x7 basis)
  A  5  Is available for >= 95% of the time (on 12x7 basis)

Air Conditioners (AIR)
  C  -  NOT APPLICABLE
  I  -  NOT APPLICABLE
  A  1  Is available for < 65% of the time (on 12x7 basis)
  A  2  Is available for >= 65% but < 75% of the time (on 12x7 basis)

  A  3  Is available for >= 75% but < 85% of the time (on 12x7 basis)
  A  4  Is available for >= 85% but < 95% of the time (on 12x7 basis)
  A  5  Is available for >= 95% of the time (on 12x7 basis)

3.0 ASSET VALUE:

Asset value is a function of the impact parameters below; the Total column is the sum of the parameter scores for each asset group.

Impact Parameter columns:
  Business      = Impact on Business
  Image         = Impact on Company Image
  Int. Cust.    = Impact on Internal Customers
  Ext. Cust.    = Impact on External Customers
  Stakeholders  = Impact on Stakeholders (vendors, partners, etc.)

Asset Group                        Business   Image   Int. Cust.   Ext. Cust.   Stakeholders   Total
Server (SER)                          1         1         1            1             1            5
Personal Computers (PCS)              1         0         1            0             0            2
Printers (PRN)                        1         0         1            0             0            2
Network (NET)                         1         1         1            1             1            5
Uninterrupted Power Supply (UPS)      1         1         1            1             1            5
Power supply (PWS)                    1         1         1            1             1            5
Software assets (SFW)                 1         1         1            1             1            5
Storage Media (MED)                   1         0         1            1             0            3
Information assets (INF)              1         1         1            1             1            5
Service assets (SRV)                  1         1         1            1             1            5
Miscellaneous assets (MIS)            1         1         0            0             1            3
Air Conditioners (AIR)                1         1         1            1             1            5
