Information Security CIA Guideline: Revision No.: 00
Information Security
CIA Guideline
Revision No.: 00
Release Date:
Issue No.01
AUTHOR/OWNER | REVIEWED BY | APPROVED BY
NAME
DESIGNATION
SIGNATURE
Copyright ©
"No part of this document may be reproduced or transmitted in any form or by any means electronic or mechanical including
photocopying and recording or by any information storage or retrieval system except as may be expressly permitted by
((COMPANY NAME)) in writing by the Director or the Management Representative".
((COMPANY NAME))
DOCUMENT CONTROL PAGE
1. REVISION HISTORY
VERSION NO. | RELEASE DATE | SECTION/PAGE # CHANGED | AUTHOR | DETAILS OF CHANGES (FROM / TO) | REVIEWED BY
2. DOCUMENT AVAILABILITY
HARD / SOFT COPY | LOCATION AND PERSON WHERE AVAILABLE
HARD COPY | MR Cupboard / Computer
SOFT COPY | Location
3. DISTRIBUTION LIST*
* Note: Master copy maintained by ISR and same copy available on the server / individual
user electronically (with access rights / write protected).
((COMPANY NAME)) .
Page 2 of 9
1.0 OBJECTIVE:
To define parameters for allotting a value for Confidentiality, Integrity and Availability (CIA) to an Information Asset on a scale of 1 to 5, where 1 is the lowest and 5 is the highest.
2.0 VALUES:
The meaning of CIA values is relative to business impact. On the scale of 1-5, the values mean:
Value = 1 means Very Low
Value = 2 means Low
Value = 3 means Medium
Value = 4 means High
Value = 5 means Very High
The guideline for CIA values 1-5 given below is to be followed for each asset group:
Asset Group | CIA value | Comment/Remark
4 Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
5 Is available for >= 98.5% of the time (on 24x7 basis)
4 Access controls within premises are available and some logical controls are in place (like user authentications) for users accessing externally.
5 All access (physical & logical) is controlled (for internal and external users) and secured.
I 1 Modification to configuration file or corruption in data flowing does not have impact on business.
2 Modification to configuration file or corruption in data flowing results in low impact on business, e.g., rework effort.
3 Modification to configuration file or corruption in data flowing results in medium impact on business, i.e., data or information on some important business needs are not as expected.
4 Modification to configuration file or corruption in data flowing leads to high impact on core business operation/sensitive data.
5 Modification to configuration file or corruption in data flowing leads to total collapse / complete stoppage in entire business operation.
A 1 Is available for < 80% of the time (on 24x7 basis)
2 Is available for >= 80% but < 90% of the time (on 24x7 basis)
3 Is available for >= 90% but < 95% of the time (on 24x7 basis)
4 Is available for >= 95% but < 98.5% of the time (on 24x7 basis)
5 Is available for >= 98.5% of the time (on 24x7 basis)
Uninterrupted Power Supply (UPS)
C NOT APPLICABLE
I NOT APPLICABLE
A 1 Is available < 85% of the time (on 24x7 basis)
2 Is available >= 85% but < 90% of the time (on 24x7 basis)
3 Is available >= 90% but < 95% of the time (on 24x7 basis)
4 Is available >= 95% but < 98.5% of the time (on 24x7 basis)
5 Is available 98.5% of the time (on 24x7 basis)
Power supply (PWS)
C NOT APPLICABLE
I NOT APPLICABLE
A 1 Is available for less than 60% of the time (on 24x7 basis)
2 Is available for 70% or above of the time (on 24x7 basis)
3 Is available for 80% or above of the time (on 24x7 basis)
4 Is available for 90% or above of the time (on 24x7 basis)
5 Is available for 99% or above of the time (on 24x7 basis)
Software assets (SFW)
C 1 Access is freely available to everybody without any restriction.
2 Access is available to a group of people without any restrictions.
3 Only system administrator & permitted users have access.
4 Only system administrator & permitted users have access based on privileges granted.
5 Only authorized persons have access to software assets.
I 1 Source code change does not impact business.
2 Source code change resulting in low business impact, e.g., rework effort, etc.
3 Source code change resulting in medium business impact, e.g., delay in commitments/deadlines for data/file submission, etc.
4 Source code change having high business impact resulting in loss of business opportunities, etc.
5 Source code change having huge business impact resulting in loss of market share, financial loss, etc.
A 1 Is available for < 80% of the time (on 24x7 basis)
2 Is available for >= 80% but < 90% of the time (on 24x7 basis)
3 Is available for >= 90% but < 95% of the time (on 24x7 basis)
4 Is available for >= 95% but < 99% of the time (on 24x7 basis)
5 Is available for >= 99% of the time (on 24x7 basis)
Storage Media (MED)
C 1 Storage media is available publicly without any restriction.
2 Storage media is available to internal users without any restriction.
3 Storage media is available to a group of assigned users without any restriction.
4 Storage media is available to a group of assigned users with controls imposed.
5 Storage media is available to assigned users based on privileges and user rights for access.
I 1 No formal backup & restoration policies exist.
2 Backups are taken but not regularly & are not verified.
3 Backups are taken at regular frequency and occasionally verified by restoring.
4 Backups are taken, labeled & documented properly and verified at defined periodic intervals.
5 Backups of data/files are taken as per formal policy and restoration of backups is verified as per policy.
A 1 Is available < 80% of the time (on 24x7 basis)
2 Is available >= 80% but < 90% of the time (on 24x7 basis)
3 Is available >= 90% but < 95% of the time (on 24x7 basis)
4 Is available >= 95% but < 99% of the time (on 24x7 basis)
5 Is available 99% of the time (on 24x7 basis)
Information assets (INF)
C 1 Data/file is publicly available to all users (internal & external).
2 Data/file is available to all internal users but not to any external users.
3 Data/file is available to all internal users within a department/site/group.
4 Data/file is available to all users having defined privileges of department/site/group.
5 Data/file is available only to authorized persons of the department/site/group.
I 1 Information corruption does not impact business.
2 Information corruption results in low business impact, i.e., with little re-effort reliable information can be available.
3 Information corruption results in medium business impact, i.e., few decisions go wrong due to improper information.
4 Information corruption resulting in high business impact, e.g., competitors taking advantage.
5 Information corruption resulting in huge business impact, e.g., financial loss, loss of market reputation, etc.
A 1 Is available for < 80% of the time (on 24x7 basis)
2 Is available for >= 80% but < 90% of the time (on 24x7 basis)
3 Is available for >= 90% but < 95% of the time (on 24x7 basis)
4 Is available for >= 95% but < 99% of the time (on 24x7 basis)
5 Is available for >= 99% of the time (on 24x7 basis)
Service assets (SRV)
C NOT APPLICABLE
I NOT APPLICABLE
A 1 Is available < 80% of the time (on 24x7 basis)
2 Is available >= 80% but < 90% of the time (on 24x7 basis)
3 Is available >= 90% but < 95% of the time (on 24x7 basis)
4 Is available >= 95% but < 98.5% of the time (on 24x7 basis)
5 Is available >= 98.5% of the time (on 24x7 basis)
Miscellaneous assets (MIS)
C NOT APPLICABLE
I NOT APPLICABLE
A 1 Is available for < 65% of the time (on 12x7 basis)
2 Is available for >= 65% but < 75% of the time (on 12x7 basis)
3 Is available for >= 75% but < 85% of the time (on 12x7 basis)
4 Is available for >= 85% but < 95% of the time (on 12x7 basis)
5 Is available for >= 95% of the time (on 12x7 basis)
Air Conditioners (AIR)
C NOT APPLICABLE
I NOT APPLICABLE
A 1 Is available for < 65% of the time (on 12x7 basis)
2 Is available for >= 65% but < 75% of the time (on 12x7 basis)
3 Is available for >= 75% but < 85% of the time (on 12x7 basis)
4 Is available for >= 85% but < 95% of the time (on 12x7 basis)
5 Is available for >= 95% of the time (on 12x7 basis)
3.0 ASSET VALUE:
Asset value is a function of:
Asset Group / Impact Parameter | On Business | On Company Image | On Internal Customers | On External Customers | On Stakeholders (vendors, partners, etc.) | Total
Server (SER) | 1 | 1 | 1 | 1 | 1 | 5
Personal Computers (PCS) | 1 | 0 | 1 | 0 | 0 | 2
Printers (PRN) | 1 | 0 | 1 | 0 | 0 | 2
Network (NET) | 1 | 1 | 1 | 1 | 1 | 5
Uninterrupted Power Supply (UPS) | 1 | 1 | 1 | 1 | 1 | 5
Power supply (PWS) | 1 | 1 | 1 | 1 | 1 | 5
Software assets (SFW) | 1 | 1 | 1 | 1 | 1 | 5
Storage Media (MED) | 1 | 0 | 1 | 1 | 0 | 3
Information assets (INF) | 1 | 1 | 1 | 1 | 1 | 5
Service assets (SRV) | 1 | 1 | 1 | 1 | 1 | 5
Miscellaneous assets (MIS) | 1 | 1 | 0 | 0 | 1 | 3
Air Conditioners (AIR) | 1 | 1 | 1 | 1 | 1 | 5