The purpose of this paper is to present an asset identification and classification policy.
The end goal of this paper is to provide concise, user-friendly guidance for HIC employees in the
handling of company data. The driving principle of this classification policy is Role Based
Access Control (RBAC). A large organization like HIC can benefit from the flexibility of
RBAC. RBAC addresses the need for authorization control over objects and adds
maintenance and administration features by grouping users that share the same permissions and needs into
roles (Carvalho, 2017). Careful implementation of RBAC will allow protection of our company’s
Classification levels (Classes of information)
There are four classification levels of information:
1) Business Confidential – Information collected and used by HIC in the conduct of its business
to employ people, to provide infrastructure and operation support to caregivers, and to manage
all aspects of corporate finance operations (ISO/IEC, 2009). Some examples of this type of
protected from external access. Unauthorized access could influence HIC's operational
effectiveness, cause financial loss, derail a strategic initiative, provide a significant gain to a
3) Protected Health Information (PHI) – This is the most critical category and requires the
most stringent classification. There are three elements of PHI. First, PHI is patient information
located in a medical record. The second is that the information can be used to identify an
individual. Finally, to qualify as PHI, the information was created, used or disclosed during
providing a healthcare service (Patrick, 2014). The table below refers to the 18 “identifiers”
CSOL 540 – Module 5 / Jon Boucher Assignment 5 (Asset Protection)
4) Unclassified Public Information – This information is completely available to the public and
accessible to all employees. This type of information could include marketing material,
RBAC scheme will grant access to an individual only if that person has been assigned the
appropriate role or responsibility in the organization. All rights assignments are made by “role”
in an RBAC environment (Cole, 2002). Roles are assigned on the following criteria: need to
know, job function, level of experience and trustworthiness. Note that the entries below are just a
sample of the many roles available at HIC, Inc. (Access Privileges: Read – R; Write – W;
Execute – E; None – N)
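As an added illustration (not part of the original paper or of HIC's actual role table), the following Python model shows the RBAC rule described above: rights live only on roles, users hold only role names, and a request is permitted solely when one of the user's assigned roles carries the requested privilege (R, W or E) on that class of information; anything else is N. The sample roles and users are assumed for the example, and only the three class names preserved in this excerpt are modelled.

```python
from dataclasses import dataclass, field

# Classes of information named in the policy (the second class's name is not
# preserved in this excerpt, so it is not modelled here).
CLASSES = {
    "Business Confidential",
    "Protected Health Information",
    "Unclassified Public Information",
}
# Access privileges as abbreviated in the policy; "N" (None) is the absence of any.
PRIVILEGES = {"R", "W", "E"}


@dataclass
class Role:
    name: str
    # class of information -> privileges; a class missing here means N (none)
    rights: dict = field(default_factory=dict)


# Sample roles, assumed for this example only (HIC's real role table is not shown).
ROLES = {
    "clinician": Role("clinician", {
        "Protected Health Information": {"R", "W"},
        "Unclassified Public Information": {"R"},
    }),
    "finance_analyst": Role("finance_analyst", {
        "Business Confidential": {"R", "W", "E"},
        "Unclassified Public Information": {"R"},
    }),
    "marketing": Role("marketing", {"Unclassified Public Information": {"R", "W"}}),
}

# Users are never granted rights directly, only role names (assumed sample users).
USER_ROLES = {"alice": {"clinician"}, "bob": {"finance_analyst", "marketing"}, "carol": set()}


def effective_rights(user: str) -> dict:
    """Union of the privileges of every role assigned to the user, per class."""
    rights = {cls: set() for cls in CLASSES}
    for role_name in USER_ROLES.get(user, set()):
        for cls, privs in ROLES[role_name].rights.items():
            rights[cls] |= privs
    return rights


def is_permitted(user: str, cls: str, privilege: str) -> tuple:
    """Deny by default: allowed only if some assigned role carries the privilege."""
    if cls not in CLASSES or privilege not in PRIVILEGES:
        return (False, "unknown class or privilege")
    for role_name in USER_ROLES.get(user, set()):
        if privilege in ROLES[role_name].rights.get(cls, set()):
            return (True, f"granted by role {role_name}")
    return (False, "no assigned role grants this privilege")
```

The second element of the returned tuple records which role justified an allow, which is the audit trail an RBAC reviewer would expect to see alongside the decision.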
Carvalho M. (September 2017) “Access Control Capabilities and Healthcare Informatics Needs.”
Information Systems Security Association International. Retrieved on 14 April 2018 from:
http://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature0917.pdf
Cole K. (2002) “HIPAA Compliance: Role Based Access Control Model.” SANS Institute – Global
Information Assurance Certification Paper. Retrieved on 14 April 2018 from:
https://www.giac.org/paper/gsec/1394/hipaa-compliance-role-based-access-control-model/102605
Patrick P. (Summer 2014) “PHI Mapping: Do You Know Where Your Data Is?” Association of
Healthcare Internal Auditors. Retrieved on 15 April 2018 from:
http://www.resourcenter.net/images/AHIA/Files/2014/NP/PHImapping.pdf