Information Security Management Assignment Sample


Information classification is used to confirm that information assets receive a proper level of protection. Information would need a label such as internal or public. The author or owner assigns it based on properties of the information such as its sensitivity and how the information is intended to be shared and handled.


Concept of data classification policy 

A data classification policy is mainly concerned with information management: it confirms which information is sensitive and that it is handled in line with the threat to it. It also takes into account how the information is gathered, structured and used within the organization, so that authorized people can get the correct data at the proper time. In the opinion of Alshaikh et al. (2018), it helps ensure that only personally authorized people are capable of viewing the data. A database contains information that differs in sensitivity level, e.g. some data are more sensitive than other data. Security policy, data classification, and risk analysis are related functions that most organizations use to increase their security. A data classification policy is a personification of an organization's risk tolerance.

A security policy is a high-level plan that starts with management and states its intent for how security is practiced in the organization, which actions are acceptable, and the magnitude of risk the organization is prepared to accept. Moreover, a specific data security policy could call for a risk assessment to be performed or for the organization's data to be classified.

An organization's risk assessment balances the threat of loss against the countermeasures or safeguards that reduce the risk, and it is a catalyst for improving them. As per the view of Banker and Feng (2019), risk analysis and data classification policies are therefore very different concepts, both of which fall under the security policy.

How data classification works

The data classification policy maps out the different components of the organization. It then considers each kind of data belonging to the organization and classifies that data according to permission and storage rights. The data might be categorized as public, sensitive, personal, or confidential. A data classification policy must take into account any data classification adopted through industry standards and regulations. As cited by Bliss (2021), a data classification policy enables organizations to apply the proper security level and lower the company's overall risk.

Procedure guide of data classification and handling


The procedure guide for a university community was created to assist its members in effectively managing data in their daily mission-related activities. How to handle and protect the data should be determined by the importance, type, and usage of the information. According to Da Veiga et al. (2020), the procedure outlines the data classifications and the lower level of protection that is essential while performing these activities, based on how the information is classified and handled. Classification is essential for knowing which security practices must be used to protect various kinds of data. The more protection data requires, the more practices are needed.

If any part of the data needs more stringent controls due to regulatory, statutory, or contractual obligations, then, in the opinion of Diesch et al. (2018), the most stringent protection required by that data subset shall govern the overall data set. Though the procedure guide attempts to cover most conditions in the university, it is not all-inclusive and is not intended to represent all protections that might be essential for every condition.

Applies to

University employees (staff, faculty, student employees) and other covered persons (i.e. vendors, affiliates, independent contractors, and many others) who handle data, records, and information. Data handling includes, but is not limited to, the following: collecting, creating, viewing, accessing, storing, using, mailing, transferring, preserving, managing, or destroying (Gschwandtner et al. 2018).

Data Collection 

Data stewards might wish to assign a single classification to a collection of data that is common to a specific function or purpose. In the opinion of Johnston et al. (2019), when classifying a data collection, the most confining classification of any individual data component must be used. For example, suppose a data collection consists of a student's name, address, and social security number. In that case, the data collection must be classified as confined, even though the student's name and address may be public data.

Information classification according to ISO 27001 

Information classification is a procedure in which an organization assesses all the data it holds and the level of protection each should be given. According to Jung and Agulto (2019), organizations generally classify information by confidentiality, i.e. who is granted access to see it. A typical system includes four levels of confidentiality:

  • Restricted (most employees have access)
  • Confidential (only senior management has access)
  • Public Information (everyone has access)
  • Internal (all workers have access)

As expected, a larger and more complex organization would require more levels. Take hospitals, for example: nurses and doctors require access to their patients' individual information, including medical histories, which are very sensitive. Nevertheless, most of them should not have access to other kinds of sensitive data, such as financial information.

Where ISO 27001 fits

Organizations that are serious about data protection must follow the guidelines set out in ISO 27001. The standard describes the best practices for creating and maintaining an "Information security management system (ISMS)", in which data classification plays a significant role. Control objective A8.2, titled 'Information classification', instructs organizations to confirm that data receives a proper level of protection. As cited by Kampová et al. (2020), the standard does not explain how to do that, but the procedure is relatively simple. It requires only four easy steps.

  • i) Enter assets in inventory 

This is the first step: collate all the information into an inventory. The inventory should also note the person responsible for each item and its format (database, electronic documents, storage media, paper documents, and many others).

  • ii) Classification

After the first step, the information needs to be identified and classified. The asset owners are mainly responsible for this, but it is a good idea for senior management to supply some guidelines based on the outcome of the organization's ISO 27001 risk assessment. As per the view of Li et al. (2021), information that would be affected by larger risks generally must be given a higher level of confidentiality.

  • iii) Labeling 

Once the information is classified, the asset owner should create a system to label it. Different procedures are required for information stored physically and digitally, but the labeling must be consistent and very clear. For example, they might decide that paper documents are labeled on the front page and in the top-right corner of every subsequent page, and on the folder that contains the document.

  • iv) Handling

This is the last step: establish rules on how to protect each piece of data based on its format and classification. For example, they might say that internal paper documents could be kept in an unlocked cabinet that most employees can access, whereas confined data must be placed in the confidential data store, in a locked cabinet in a very secure location (Sauerwein et al. 2019).
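The four steps above, together with the rule from the Data Collection section that a collection takes the most confining classification of any component, can be sketched as follows. This is an added example, not part of the original sample; the level ordering is inferred from the access descriptions in the four-level list, and the asset, field assignments, handling rules and fail-closed default are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered from widest to narrowest access, per the four-level list above.
    PUBLIC = 0        # everyone
    INTERNAL = 1      # all workers
    RESTRICTED = 2    # most employees
    CONFIDENTIAL = 3  # senior management only


@dataclass
class Asset:          # step i: one inventory entry
    name: str
    owner: str        # person responsible for the asset
    fmt: str          # "paper", "electronic", ...
    fields: dict      # component name -> Level


# Step iv: handling rules keyed by (format, level). Constructed sample rules
# modelled on the cabinet example in the text.
HANDLING = {
    ("paper", Level.INTERNAL): "unlocked cabinet",
    ("paper", Level.CONFIDENTIAL): "locked cabinet in secure location",
}


def classify(asset: Asset) -> Level:
    """Step ii: a collection takes the most confining level of any component."""
    if not asset.fields:
        raise ValueError(f"{asset.name}: no components to classify")
    return max(asset.fields.values())


def label(asset: Asset) -> str:
    """Step iii: one consistent label format for every asset."""
    return f"[{classify(asset).name}] {asset.name} (owner: {asset.owner})"


def handling(asset: Asset) -> str:
    """Step iv: look up the rule; fail closed when none is defined (assumption)."""
    rule = HANDLING.get((asset.fmt, classify(asset)))
    if rule is None:
        return "NO RULE: treat as CONFIDENTIAL until the owner defines one"
    return rule


# Constructed inventory entry mirroring the student-record example.
STUDENT_RECORDS = Asset(
    name="student-records", owner="registrar", fmt="paper",
    fields={"name": Level.PUBLIC, "address": Level.PUBLIC,
            "ssn": Level.CONFIDENTIAL},
)
```

A (format, level) pair with no handling rule is reported rather than silently given the weakest treatment, which makes gaps in the handling table visible during an inventory review.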

The General Data Protection Regulation with regard to data handling and classification

The General Data Protection Regulation (GDPR) could be considered the best set of specific data protection rules worldwide. It has increased how much access people have to the data held on them, and it places limits on what organizations can do with individual information. In the opinion of Schuetz et al. (2020), the regulation exists as a framework for laws across the continent, replacing the previous data protection directive of 1995. The final form of the GDPR came about after more than 4 years of negotiation and discussion. It was adopted by the European Council and the European Parliament in April 2016. The underpinning directive and regulation were published at the very end of April 2016.

GDPR came into force on 25th May 2018. Many countries in Europe were given the ability to make small changes to suit their particular requirements. In the UK, this flexibility led to the Data Protection Act 2018, which superseded the previous Data Protection Act of 1998 (Tsaregorodtsev et al. 2018). The strength of the GDPR has been lauded as a very positive approach to how people's data must be handled, and it has been compared with the California Consumer Privacy Act.

Application of GDPR 

At the heart of the GDPR is individual data. Broadly, this is information that permits a living person to be recognized, directly or indirectly, from the information available. It could be something obvious, like a person's name, a clear online username, or location data, or it could be something less immediately apparent, such as cookie identifiers and IP addresses. As per the view of Wang et al. (2019), these could also be considered individual data. Under the GDPR, there are also some special categories of very sensitive individual data, which are generally given greater protection. These include data about ethnic and racial origin, religious beliefs, political opinions, trade union membership, and biometric and genetic data.

Proper classification scheme and policy statement  

A data classification policy is a comprehensive plan used to categorize a company's stored information based on its sensitivity level, confirming proper handling and lower organizational risk. A data classification policy helps to recognize and protect confidential or sensitive data, with rules, a framework, procedures, and processes for every class. The policy development team should therefore focus on making effective policies and on keeping the system flexible in that context. In addition, the presence of risks in the management process not only hampers consumers' engagement with the organization but also introduces trust issues into the culture that lead to financial loss. Apart from that, to mitigate security risk the management team should give employees proper training in the use of various new tools. [Refer to appendix].

Once they can recognize all the kinds of information and data the organization holds, determine its relative value to the organization, and assess the threats to that data, they can confirm that confidential or sensitive data is handled with care proportionate to the threat it poses to the organization. As cited by Weishäupl et al. (2019), at the same time, having a data classification policy confirms that they are not wasting resources on protecting data in the organization. [Refer to appendix]. From the risk assessment table, it can be stated that the information management process carries various risks that make management more complex and more financially challenging. Among these, confidentiality risks are the most significant ones that may occur in the process of accessing and gathering data. In this context, the technical development team needs to follow effective strategies and tools for risk assessment, which in turn can help to suppress such constraints. On the other hand, policyholders can also face various integrity risks when incorporating the data policies into the information process.

A successful data classification policy must contain the following sections:

  • At a high level, a data classification policy exists to supply the framework for protecting the data created, processed, stored, or transmitted in the organization. According to Yue (2018), it is the foundation for formulating the procedures, policies, and controls essential to protect confidential data.
  • According to Alshaikh et al. (2018), the scope discusses whether the policy applies to all of the data and systems in the organization or whether there would be any exceptions.
  • An outline of the major people in the organization who would be involved in creating the policy and the stakeholders responsible for security best practices, recognizing the risks to data, improving controls, keeping the controls up to date, and confirming compliance with the data classification policy.


In the overall study, it is concluded that the GDPR in the UK is a data privacy law that governs the processing of individuals' data. The data classification policy maps out the various elements in an organization. ISO 27001 is a security management system that holds and classifies the organization's data.
