InterPARES Trust Project Report€¦ · their lifecycle: from creation or receipt, active and controlled business uses, to the secondary uses of SCIAs, including where applicable

1

InterPARES Trust Project Report

Title: Checklist for Developing or Revising Policies for Managing Security Classified Information Assets

Status: FinalDraft

Version: 2.1

Datesubmitted: 09May2017

Lastreviewed: 30May2017

Author: InterPARESTrustProject

Writer(s): InekeDeserno,EngSengsavang,MarieShockley,ShadrackKatuu,JuliaKastenhofer

Researchdomain: TransnationalTeam03

2

DocumentControl

VersionhistoryVersion Date By Versionnotes

1.0 17Aug2016 I.Deserno,E.Sengsavang

Initialdraftchecklist

1.1 19Aug2016 All Draftchecklist

1.2 25Aug2016 All Draftchecklist

1.3 17Sep2016 All DraftchecklistfollowingcommentsfromJensBoel(UNESCO)andAdeleTorrance(UNESCO)

1.4 8Oct2016 All DraftchecklistfollowingcommentsfromTransnationalTeamMeeting,28-29Sept2016

1.4a 17Oct2016 All DraftchecklistfollowinginitialconsiderationofcommentsfromIAEAstaff

1.5 14Jan2017 All DraftchecklistfollowingcommentsfromIAEAstaff,AprilMiller(WorldBank),AndreaDamini(EuropeanCommission),DonnaKynaston(WorldHealthOrganization)andGrantMitchell(InternationalFederationRedCrossandCrescentSocieties)

1.6 23Apr2017 All Draftchecklistfollowingcommentsfrom

NataschaKhramtsovsky,MariaCaravaca(ICCROM),PatriciaFranks(SanJoseStateUniversity)andAliciaBarnard

2.0 9May2017 All FinaldraftchecklistsubmittedforapprovalatTransnationalTeammeetingon15May2017,Geneva,Switzerland

2.1 30May2017 All FinaldraftchecklistincorporatingcommentsfromTransnationalTeammeeting,15May2017,Geneva,Switzerland

3

Checklist for Developing or Revising Policies for Managing Security Classif ied Information Assets

P U R P O S E a n d S C O P E

This checklist is designed to support organizations in the development or revision of policies andproceduresformanagingsecurityclassifiedinformationassets(SCIAs),especiallydigitalinformation,toensurethereliability,authenticity,confidentiality,integrityandavailabilityofsecurityclassifiedrecordsandtheirlong-termpreservation.ThechecklistaimstosupportbestmanagementofSCIAsthroughouttheir lifecycle: fromcreationor receipt, activeandcontrolledbusinessuses, to the secondaryusesofSCIAs, includingwhere applicable eventual declassification, disclosure, archivingor destruction.Whilevariousprofessionalswillbringtheirownrespectiveissuestothetableintheprocessofpolicy-making,thischecklistisnotintendedtocovercomprehensivelyeveryoneofthoseissues.Instead,thechecklistpromotesalong-termapproachtoSCIAmanagementthatespeciallycomplementsinformationsecurityconcernswith thoseof recordsmanagementandarchival requirements. For this reason, thechecklistfocusesonprotectingtheconfidentialityofSCIAsandmanagingchangesintheirclassificationstatus,inaddition to ensuring that information and records management best practices and procedures areappliedtoSCIAs.ItisassumedthatorganizationsmanagingSCIAsalreadyhaveimplementedageneralsecurity framework that includes required security clearances for individuals handling SCIAs, broadphysicalandtechnologicalaccesscontrols,andotherorganizationalsecuritymeasures.

ThechecklistisanopentoolthatmaybeusedbyanyoneinvolvedindraftingoradvisingonpoliciesandproceduresrelatedtothemanagementofSCIAs,forexample:administrative;management;informationsecurity; information technology; legal; information and knowledge management; and recordsmanagement or archival staff. Moreover, the checklist is applicable to many different types oforganizations that create and handle SCIAs, including inter- and non-governmental, governmental,public,andprivateorganizations.Thechecklistwillbeespeciallyrelevantinthedevelopmentofpoliciesandprocedures that focusonSCIAsand theirmanagement. Inaddition, the toolmaybeusefulwhendeveloping other types of policies and procedures that impact SCIAs, such as declassification, access,anddigitalpreservationpolicies.Theterm“policy”isusedthroughoutthechecklisttoreferpotentiallyto multiple policies and procedures within an organization that address the issues in question. Thechecklist uses terminology from the InterPARES Trust TerminologyDatabase, and key terms used aredefinedbelow.Inaddition,aminimumsetofdescriptivemetadataformanagingandpreservingsecurityclassified information assets is proposed in Annex 1, and categories of roles and responsibilities areprovidedinAnnex2.

B A C K G R O U N D

The checklist is developed from a study of existing policies of 17 international organizations, rangingfrom large international organizations within the United Nations (UN) structure, to smaller regionalorganizations in bothNorth America and Europe. The organizations cover awide range of functions,fromhumanitarianassistance,developmentandfinancialagents,tosecurityorganizationsandresearchorganizations.

4

Stafffromparticipatingorganizationscontributedanassemblageofpoliciesandproceduresratherthana singlepolicy,whichhelped todrawa fullerpictureofthematrixofexistingpoliciesandproceduressupporting the management of SCIAs within organizations.In addition to policies dealing specificallywithSCIAs,thetextsanalyzedforthischecklistincludepoliciesforaccesstoinformation,organizationalsecurity, data privacy and digital preservation. The policies addressed a range of informationmanagementissues,suchascontrolandhandling,storageandtransmission,dataprivacy,classificationanddeclassification,andpublicaccess.

D E F I N I T I O N S

Declassification–Theprocessofremovingthesecurityclassificationfromarecordorotherinformationasset.

Declassificationauthority–Theperson(s)orbody(ies)with theauthority todeclassifyan informationasset.

Disposition–Records'finaldestructionortransfertoanarchivesasdeterminedbytheirappraisal.1

Externaldisclosure–Policiesandproceduresrelatedtothereleaseoforganizationalinformationassetstopartiesexternaltoanorganization.

Informationasset–Information,data,documentsorrecordscreatedorreceivedbyanorganizationorperson in any format. In the checklist, we use the abbreviation SCIA to mean “security classifiedinformationasset(s).”

Internaldisclosure–Policiesandproceduresrelatedtothereleaseoforganizationalinformationassetstopartieswithinanorganization.

Public disclosure – The process of making a document orother information assetsavailableto thepublic.

Reclassification – The process of decreasing or downgrading, or increasing the security classificationlevelofarecordorotherinformationasset.

Reclassificationauthority–Theperson(s) orbody(ies)with theauthority to reclassify an informationasset.

Record–Adocumentmadeor received in thecourseofapracticalactivityasan instrumentoraby-productofsuchactivity,andsetasideforactionorreference.2

Security classification authority – The person(s) or body(ies) with the authority to determine thesecurityclassificationofaninformationasset.

Security classified information asset (SCIA) – Information asset of an organization that is securityclassifiedandthereforecontrolled/managedthroughspecificpoliciesandprocedures.

1InterPARESTrust.InterPARESTrustTerminologyDatabase.“Disposition.”http://arstweb.clayton.edu/interlex/term.php?term=disposition2InterPARESTrust.InterPARESTrustTerminologyDatabase.“Record.”http://arstweb.clayton.edu/interlex/term.php?term=record

5

Informationsecurityclassification–1.Theprocessofapplyingdesignatedlevelsofaccesscontrolandprotection on an information asset in compliancewith organizational policy, including correspondingmeasuresformanagementandcontroloftheinformationasset,basedonasecurityassessmentofthedegreeofnegativeimpactthatdisclosureoftheinformationwouldhaveonanorganization,theworkofan organization, and/or third parties. 2. The termmay also refer to the security classification levelsthemselves,whichvaryacrossorganizations,forexampleRestricted,Confidential,etc.

Sensitive but unclassified information asset (SUIA) – An information asset without a securityclassification, to which access is controlled due to the risk that disclosure could harm individual,management,politicalorcommercialinterestsoftheorganizationorotherrelevantparties.Thepoliciesand procedures for managing SUIAs are controlled but may be distinct from those policies andproceduresgoverningthemanagementofsecurityclassifiedinformationassets(SCIAs).

Withhelddate–ThedateanSCIAitemproposedfordowngrading,declassificationorpublicdisclosurehasnotbeenauthorizedtobedowngraded,declassifiedand/orpubliclydisclosed.

6

ChecklistforDevelopingorRevisingPoliciesforManagingSecurityClassifiedInformationAssets

Question Y N N/A3Notes4

1. ScopeandDefinition

1.a. Doesthescopeofthepolicyaddresstherationaleforclassifyinginformationassetsnotonlytoprotecttheorganizationitself,butalsomorebroadlytoprotecttheworkoftheorganizationandthirdpartiesforwhichtheorganizationisaccountable,accordingtoitsmissionandcoreactivities(e.g.casefilesubjects,programbeneficiaries)?

1.b. Doesthepolicyprovideacleardefinitionoftheinformationassetsthatitcovers?5

1.c. Doesthepolicycoverproceduresforclassification,declassification,andreclassification?

1.d. Doesthepolicyenablesecurityclassificationstobeappliedtoasingleinformationasset,agroupofinformationassets,andaclusterofinformationassetgroups(e.g.adatabase)?

1.f. DoesthepolicyapplyretroactivelytoSCIAsthatwereclassifiedpriortothedevelopmentofthepolicy?

2. RolesandResponsibilities

2.a. AretherolesandresponsibilitiesofthepartiesinvolvedinvariousaspectsofmanagingtheSCIAsthroughouttheirlifecycleclearlyidentifiedanddefined?SeeAnnex1foranexampleofCategoriesofRolesandResponsibilities.

2.b. IsthereaninformationsecuritycoordinatorwithintheorganizationresponsibleforaddressingquestionsrelatedtoSCIAsforeachphaseofthelifecyle?

3The‘N/A’columnmeans‘notapplicable’or‘notknown.’4Usethiscolumnfornotes,orwhenthereisneithera‘yes’nor‘no’answer.5Forexample,doesthepolicycoverSCIAsthatarecreatedorreceivedbytheorganization?

7



2.c. Haveallconcernedemployees(asrecordscreatorsorusers)beeninformedandtrainedinordertoensurethattheyfullyunderstandtheSCIApoliciesinplaceandcanconfidentlyperformtheirownpartwithintheoverallframeworkofrolesandresponsibilities?

3. Creation

3.a. Arethelevelsofinformationsecurityclassificationsandthecriteriaforapplyingthemclearlydefinedanddistinguished?

3.b. Isalistofinformationassetcategories(e.g.intelligenceanalyses,politicalanalyses,etc.)andtherationaleforclassifyingtheinformationassetcategoriesprovided?6

4. RecordsManagement

4.a. Inadditiontoasecurityframework,7areSCIAsplacedwithinaninformationorrecordsmanagementframework?Forexample,aretheorganization’sinformationandrecordsmanagementtoolsapplicabletoSCIAS,suchasfileclassificationschemesandrecordsretentionanddispositionschedules;andareSCIAscontextualizedwithinarecordslifecycle?

4.b. DoesthepolicyclearlyindicatethattherationalefordispositionofanSCIAshouldbebasedonanassessmentofthevalueoftheSCIAand/ortheproceduresdefinedintherecordsretentionschedule,ratherthanonthesecurityoftheclassification?

5. HandlingandControl

6Iftheanswerisno,youmayconsidercreatingsuchalistorprovidingexamplesofinformationassetcategoriestoguideusersofthepolicy.7“Framework”referstotheentiretyofdocuments,proceduresandprocessesthatsupportagivenfunction.

8



5.a. DoesthepolicyestablishalinkbetweenregistrationmetadatainaclassifiedinformationregisterandtheSCIAsthemselves?

5.b. DoesthepolicyensureidentificationandretrievalofSCIAsthroughouttheirlifecyclethroughmetadata,control,andhandlingprocedures?

5.c. Doesthepolicyaddressthesecurityclassificationofsystemsthatholdorconveyclassifiedinformation,forexampleregistriesorelectronicrecordsmanagementsystems?

6. Metadata

6.a. Doesthepolicyprovidesufficientprovisionsforthepreservationofdescriptiveandtechnicalmetadata,includingmetadatarelatedtoinformationclassifications?

6.b. DoesthepolicyestablishaminimumsetofmetadataforSCIAs?SeeAnnex2forarecommendedminimumsetofmetatdata.

6.c. DoesthepolicyestablishprovisionsfortheretentionofaudittrailrecordsthroughoutthelifecycleofSCIAs?

6.d. DoesthepolicydistinguishbetweenthesecurityclassificationofthecontentversusthemetadataofSCIAs?Forexample,doesthepolicyconsiderwhethercertainkindsofmetadata,butnotallmetadataofSCIAsshouldalsobeclassified?

7. InformationSecurity8

7.a. DoesthepolicyaddressphysicalsecurityrequirementsofSCIAssuchasstoragearea,personnelandequipment?

8TheinformationsecuritystandardconsultedforthischecklististheISO27001:2013andISO27002:2013.

9



7.b. DoesthepolicyestablishcontrolsandprocedurestoensureintegrityandmitigateagainstcorruptionortamperingofSCIAs,includinginautomatedsystems,duringinternalandexternaltransmissionandinstorage?

7.c. Doesthepolicyaddresstheprotectionofsystemsthatholdorconveyclassifiedinformation,forexampleregistriesorelectronicrecordsmanagementsystems,throughproceduressuchassecurityaudits?

7.d. Ifthepolicyrequiresorenablessecurityencryptionorothersecuritymechanismsfordigitaldata,arethereprovisionsforlong-termaccessandpreservationoftheSCIAsbymaintainingcorrespondingdecryptionmechanismsovertime?

8. DigitalInformationAssetsandLong-TermPreservation

8.a. Isthepolicyapplicabletoallformatsandmedia,includingaudiovisualanddigitalformats?

8.b. DoesthepolicycoverSCIAsnotinthephysicalcustodyoftheorganization,butstillunderthecontroloftheorganization,forexampleSCIAsmanagedusingthird-partycloudcomputingservices?

8.c. DoesthepolicyacknowledgechangesresultingfromtheprocessofcopyingSCIAsfromonedigitalmediumtoanother?9

8.d. DoesthepolicyacknowledgechangesresultingfromtheprocessoftransformingSCIAsfromoneformatorformatversiontoanother?10

9Alsoknownas‘refreshing.’InterPARES3Project.TerminologyDatabase.“Refreshing.”http://interpares.org/ip3/ip3_terminology_db.cfm?letter=r&term=51310Alsoknownas‘conversion.’InterPARES3Project.TerminologyDatabase.“Conversion.”http://interpares.org/ip3/ip3_terminology_db.cfm?letter=r&term=194

10



8.e. DoesthepolicyacknowledgechangesresultingfromtheprocessofmovingortransferringSCIAsfromonesystemtoanother?11

8.f. DoesthepolicycoverchangestosystemshandlingSCIAsresultingfromroutinesystemupdatesorupgrades?

8.g. Doesthepolicyaddresstheacknowledgedchangestothemedium,format,orsystemsofSCIAswithmechanismsthatensureSCIAsmaintaintheirauthenticity,confidentiality,reliability,integrityandusabilityovertime?

8.h. DoesthepolicyensurethatanycontractualservicesengagedbytheorganizationthatimpactSCIAsenableuserstobecompliantwiththepolicy?

9. ReclassificationandDeclassification

9.a. Arethecriteria,timeframeandmethodforreclassificationanddeclassificationofSCIAsclearlyindicated?

9.b. Ifyourorganizationdistinguishesbetweendeclassificationandpublicaccess,thendoesthepolicyreflectthat?

9.c. IsthereasystematicprocessfordowngradinganddeclassificationofSCIAsafteracertainlapseoftime?

9.d. IsthereaprocesstoupdatetheaccesspermissionstoSCIAsfollowingreclassificationordeclassificationofSCIAs?

9.e. Doesthepolicyspecifywhetheranappealsprocessisinplaceforunsuccessfuldowngradingordeclassificationrequests,withclearlydefinedroles?

11Alsoknownas‘migration.’InterPARES3Project.TerminologyDatabase.“Migration.”http://interpares.org/ip3/ip3_terminology_db.cfm?letter=r&term=501

11



10. PublicAccessandDisclosure

10.a. IsthereasystematicprocessforpublicdisclosureofSCIAsafteracertainlapseoftime,toensurethatthemajorityofrecordsdonotremainsecurityclassifiedindefinitely?

10.b. Arethecriteria,timeframeandmethodforpublicdisclosureclearlyindicated?

10.c. IsthereaprocesstoupdatethepublicaccesspermissionstoSCIAsfollowingthedisclosureoftheSCIAs?

10.d. IsthereaprocesstotransfertheSCIAsfromtheprotectedenvironmenttoamoreaccessibleenvironment,followingsuccessfuldisclosureofSCIAsforpublicaccess?

12

A n n e x 1 . M i n i m u m D e s c r i p t i v e M e t a d a t a f o r M a n a g i n g a n d P r e s e r v i n g S e c u r i t y C l a s s i f i e d I n f o r m a t i o n A s s e t s

1. Informationsecurityclassification

2. Classificationauthority

3. Eligibledatefordowngradinganddeclassification

4. Reclassification/declassificationdate

5. Reclassification/declassificationauthority

6. Eligibledateforpublicdisclosure

7. Publicdisclosuredate

8. Publicdisclosureauthority

9. Withhelddate(ifapplicable)

10. Reasonsforwithholding(ifapplicable)

11. Audittrailofpersonswhoaccessedtheinformation/document

12. Versionhistory

13

A n n e x 2 . C a t e g o r i e s o f R o l e s a n d R e s p o n s i b i l i t i e s

Eachof the rolesoutlinedbelow representgeneraldescriptivedesignations (e.g. InformationSecurityCoordinators,etc.)relatedtotheirfunctions,andnotnecessarilytheirrealpositiontitles,whichwillvaryacrossorganizations.Additionally,withinorganizationstheremaybemorethanonepersonfulfillingaroleorfulfillingspecificaspectsofarole.1.0 SeniorManagement

• AreresponsiblefortheprotectionofSCIAswithintheorganization.ThisincludesSCIAsgatheredorgeneratedbytheorganization,aswellasthosereceivedfrommemberpartiesinthecaseofinternationalorganizations;

• Appointstheorganization’sInformationSecurityCoordinator(s)orISC(s);• Approvestheorganization'sproceduresandinformationsecurityclassificationlevels;• Actsasthefinalauthorityontheapplicationofinformationsecurityclassificationlevelsfortheir

area of functional responsibility, in consultation with the ISC(s), in cases of disagreement oruncertaintyamongstaff;

• CoordinatesregulatorycomplianceinthemanagementofSCIAs;• Approves,onacase-by-casebasis,anyexceptionstothisprocedure.

2.0 InformationSecurityCoordinator(s)(ISCs)

• ISCs are responsible for all institution-wide information security issues and provide guidanceregardinginformationassetclassificationandprotection.SpecificdutiesofISCsinclude,butarenotlimitedto:

• Ensureeffectivecontrolsfortheprotectionofclassified informationassetsare implemented–technicallyaswellasadministratively;

• Supportqualifiedstaffandoriginators(ifpossible)indeterminingthelevelofclassificationofaninformationasset;

• Maintaintheorganization'sinformationsecuritypolicy;• Provideassistancefortheprotectionofclassifiedinformationassets.

3.0 InformationAssetOriginators

• Classification decisions should be made by staff with knowledge of the contents of theinformationassetandtheclassificationcriteria. Inmostcasesthiswillbetheoriginatoroftheinformationasset.

• Theoriginatoristhestaffmemberwhocreatesaninformationasset(suchasadocument).Thisstaffmember isthusthefirstpersonwithinthe institutiontoencounterthe informationassetand todetermine theproper classification. Forexample, a staffmemberdraftingadocumentshould make a determination of the classification level based upon its content and theclassificationcriteria.

• Incaseofuncertaintyabouttheclassificationlevel,theresponsiblesupervisorinthehierarchyshouldbeconsulted.

14

4.0 InitialClassifiers

• Amajorityof thetimethe InitialClassifier is the informationassetoriginator.However, in thesituation where the organization receives the information asset, and therefore is not theoriginator, the receiver within the institution is the initial classifier and must make theclassificationdeterminationbasedontheinstitution'sclassificationdefinitions.

• The initial classifier could be a staff member receiving information directly from anmemberparty,orcouldbethearchivesandrecordsmanagementunitas the initial recipientofofficialinformationreceived.

5.0 InformationAssetStewards

• The institution is the owner of all information assets that are created by its staff. Theorganization is responsible for ensuring an asset’s confidentiality, authenticity, reliability,integrity,andavailability.

• The information asset steward (hereinafter referred to as steward) is responsible for theclassificationandproperhandlingoftheinformationassets.

• TheoriginatoroftheSCIAmayinsomecasesalsobethedesignatedsteward.However,inmostcases,stewardshipisvestedinthesupervisoroftheadministrativeunitinwhichtheinformationassetoriginates.

6.0 AuthorizedDerivativeClassifiers

• In the case of a question or difference of opinion regarding the security classification of aninformationasset,theAuthorizedDerivativeClassifierisastaffmemberwhoisauthorizedandcertified to determine the security classification of an information asset, over and above thedecisionsoftheinitialclassifierandInformationAssetSteward.

• TheAuthorizedDerivativeClassifierbases their information securityclassificationassessmentsondefinedorganizationalguidanceandpolicies.

7.0 DeclassificationandReclassificationAuthorities

• Declassification and Reclassification Authorities are the issuers of authorized declassificationand/or reclassification decisions resulting from the proper enactment ofdeclassification/reclassificationpoliciesandproceduresoftheorganization.

• Inmanycasestherewillbeseveralpartiesinvolvedindeclassification/reclassificationdecisionsandprocedures,suchasdesignatedstaffmembers,committeemembersand/ormemberstateparties.

• DeclassificationandReclassificationAuthoritiesaredistinctfromanyoftheserolesinthattheyareauthorizedtoissuethefinaldeclassificationdecisiononbehalfoftheorganization.Insomecasestheymaybeacommitteeofrepresentativesratherthanasinglepersonorstaffmember,ortheymaybeacombinationofacommitteeandoneorseveraldesignatedstaffmembers.

• In many organizations, the original classifier may also act as a Declassification andReclassificationAuthority.

15

8.0 UsersofInformationAssets

• Users of information assets must protect the information asset in accordance with therequirements outlined in organizational policies governing SCIAs. This includes the securityrequirements for handling, storing, marking, protection from unauthorized or incidentalviewing,andforreportingsecurityincidentstotheSC.

• Before sharing SCIAs with another staff member, the user is responsible for ensuring therecipientisauthorizedtoreceivesuchinformationandisawareoftheprotectionrequirements.

• ItisalsotheresponsibilityoftheusersofSCIAstobringtotheattentionoftheirsupervisors,andthe ISC, situationswhere information isnotbeingadequatelyprotectedorwhere the currentproceduresdonotprovidesufficientorconsistentguidance.

• EachuserisencouragedtoraiseissuesonappropriatenessofclassificationifheorshebelievestheSCIAisnotcorrectlyclassified.

9.0 InformationAssetCustodians

• The information asset custodian is a staff member or an organizational unit that has beenassigned the responsibility for safekeeping of information assets, such as recordkeeping andinformation management staff/units, and information technology staff who have technicalresponsibility for supporting systems in which SCIAs are managed. All information assetcustodiansareresponsibleforcomplyingwithrelevantinformationassetpolicies.

• Thismight happen on a temporary or permanent basis. The custodianmust ensure that theinformation is protected in accordance with the requirements set in the relevant policiesgoverningthemanagementofSCIAs.

Documents

InterPARES Trust Project Report€¦ · their lifecycle: from creation or receipt, active and controlled business uses, to the secondary uses of SCIAs, including where applicable