
CSOL 540 – Module 5 / Jon Boucher Assignment 5 (Asset Protection)

The purpose of this paper is to present an asset identification and classification policy. The end goal of this paper is to provide concise, user-friendly guidance for HIC employees in the handling of company data. The driving principle of this classification policy is Role Based Access Control (RBAC). A large organization like HIC can benefit from the flexibility of RBAC. RBAC addresses the need for authorization control over objects, adding maintenance/administration features by grouping users that have the same permissions/needs into roles (Carvalho, 2017). Careful implementation of RBAC will allow protection of our company’s data availability, integrity and confidentiality.

Classification levels (Classes of information)

There are four classification levels of information to be protected at HIC. They are defined below:

1) Business Confidential – Information collected and used by HIC in the conduct of its business to employ people, to provide infrastructure and operation support to caregivers, and to manage all aspects of corporate finance operations (ISO/IEC, 2009). Some examples of this type of information include: monthly financial reports, payroll information, contracts/subcontracts, strategic business development roadmaps, non-disclosure agreements, teaming agreements, etc.

2) Business Proprietary – Information is restricted to management-approved internal access and protected from external access. Unauthorized access could influence HIC's operational effectiveness, cause financial loss, derail a strategic initiative, provide a significant gain to a competitor, or cause a major drop in customer confidence (ISO/IEC, 2009).

3) Protected Health Information (PHI) – This is the most critical category and requires the most stringent classification. There are three elements of PHI. First, PHI is patient information located in a medical record. Second, the information can be used to identify an individual. Finally, to qualify as PHI, the information was created, used or disclosed in the course of providing a healthcare service (Patrick, 2014). The 18 “identifiers” designated by HIPAA as protected are given below (Patrick, 2014):

1. Names
2. Geographic subdivisions smaller than a state
3. All dates except years
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical Record Numbers
9. Health Plan Beneficiary numbers
10. Account numbers
11. Certificate and/or License numbers
12. Vehicle numbers and serial numbers, including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol addresses
16. Biometric identifiers (retinal scans, palm geometry)
17. Photos
18. Any unique identifying number

4) Unclassified Public Information – This information is completely available to the public and accessible to all employees. This type of information could include marketing material, brochures, financial information releasable to the public, website information, etc.

The table below gives, for each class of information, its security label and importance, its authorized users, and the access responsibilities and penalties for violations.

Business Confidential
  Security label (importance): BUSCON (High Value)
  Authorized users: Designated people from the following departments: Finance, Human Resources, Contracts, and Legal.
  Access responsibilities / penalties for violations: Responsibility to safeguard personally identifiable information (PII) in accordance with personal privacy regulations / mishandling and violations could result in adverse performance evaluations, up to and including termination.

Business Proprietary
  Security label (importance): BUSPROP (Medium High Value)
  Authorized users: Director level and above, proposal development specialists, Legal and Strategic Development.
  Access responsibilities / penalties for violations: Competition-sensitive material / mishandling and violations could result in adverse performance evaluations, up to and including termination.

Patient Confidential (PHI)
  Security label (importance): PHIINFO (Very High Value)
  Authorized users: Medical caregivers (physicians, nurses, surgeons, physical therapists, etc.) and employees charged with handling any PHI.
  Access responsibilities / penalties for violations: Safeguarding PHI / penalties could include termination and personal fines under HIPAA regulations.

Unclassified Public Information
  Security label (importance): UNCLASS (Low Value)
  Authorized users: Virtually everyone in the company has access to this information.
  Access responsibilities / penalties for violations: None / None.

The RBAC scheme will grant access to an individual only if that person has been assigned the appropriate role or responsibility in the organization. All rights assignments are made by “role” in an RBAC environment (Cole, 2002). Roles are assigned on the following criteria: (1) need to know, (2) job function, (3) level of experience and (4) trustworthiness. Note that the entries below are just a sample of the many “roles” available at HIC, Inc. (Access privileges: Read – R; Write – W; Execute – E; None – N)

Role                               Business       Business       Patient        Unclassified
                                   Confidential   Proprietary    Confidential   Public
                                                                 (PHI)          Information
Physician                          N              N              R, W, E        R
Director (Strategic Development)   R, W, E        R, W, E        N              R, W
Specialist (Finance – Payroll)     R, W           R              R              R
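The classification table and the sample role matrix above, turned into a deny-by-default authorization check as an added Python example that is not part of the paper: it maps the four security labels and the three sample roles to their R/W/E grants, takes the union of rights across a user's roles, and refuses anything unlabeled or not explicitly granted. Asset names, the user name and the audit record format are constructed, and the role names use a plain hyphen.

```python
# Added example, not from the paper: a deny-by-default RBAC authorization check
# built from the paper's security labels and its sample role/permission matrix.
from dataclasses import dataclass

# Security labels from the classification table (class of information -> label).
LABELS = {
    "Business Confidential": "BUSCON",
    "Business Proprietary": "BUSPROP",
    "Patient Confidential (PHI)": "PHIINFO",
    "Unclassified Public Information": "UNCLASS",
}

# Sample role matrix from the paper; a label missing from a role's entry means N.
ROLE_MATRIX = {
    "Physician": {"PHIINFO": {"R", "W", "E"}, "UNCLASS": {"R"}},
    "Director (Strategic Development)": {
        "BUSCON": {"R", "W", "E"}, "BUSPROP": {"R", "W", "E"}, "UNCLASS": {"R", "W"},
    },
    "Specialist (Finance - Payroll)": {
        "BUSCON": {"R", "W"}, "BUSPROP": {"R"}, "PHIINFO": {"R"}, "UNCLASS": {"R"},
    },
}

@dataclass(frozen=True)
class Asset:
    name: str   # constructed asset name, e.g. "patient-chart-1042"
    label: str  # security label applied at classification time

def permissions(role, label):
    """Rights one role holds on one label; unknown role or label -> empty set."""
    return ROLE_MATRIX.get(role, {}).get(label, set())

def check_access(roles, asset, action):
    """Return (allowed, reason). Rights are assigned by role only, so a user's
    effective rights are the union over every role they hold."""
    if action not in {"R", "W", "E"}:
        raise ValueError(f"unknown action {action!r}")
    if asset.label not in LABELS.values():
        return False, f"asset {asset.name} carries no recognised label"
    granted = set().union(*(permissions(r, asset.label) for r in roles))
    if action in granted:
        return True, f"{action} on {asset.label} granted via roles {sorted(roles)}"
    return False, f"no assigned role grants {action} on {asset.label}"

def audit_line(user, roles, asset, action):
    """Constructed audit record so every denial can be reviewed later."""
    allowed, reason = check_access(roles, asset, action)
    return f"{'ALLOW' if allowed else 'DENY'} user={user} action={action} asset={asset.name} reason={reason}"
```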

Carvalho, M. (September 2017). “Access Control Capabilities and Healthcare Informatics Needs.” Information Systems Security Association International. Retrieved on 14 April 2018 from: http://c.ymcdn.com/sites/www.issa.org/resource/resmgr/journalpdfs/feature0917.pdf

Cole, K. (2002). “HIPAA Compliance: Role Based Access Control Model.” SANS Institute – Global Information Assurance Certification Paper. Retrieved on 14 April 2018 from: https://www.giac.org/paper/gsec/1394/hipaa-compliance-role-based-access-control-model/102605

ISO/IEC (July 2009). ISO/IEC 27001:2005 A.7.2.1 – Information Classification Policy. Retrieved on 14 April 2018 from: http://www.iso27001security.com/ISO27k_Model_policy_on_information_classification.pdf

Patrick, P. (Summer 2014). “PHI Mapping: Do You Know Where Your Data Is?” Association of Healthcare Internal Auditors. Retrieved on 15 April 2018 from: http://www.resourcenter.net/images/AHIA/Files/2014/NP/PHImapping.pdf
