
Appendix B - Quick Reference Guide For Information Asset Protection

This guide is designed to help every employee or trusted associate of an organization determine the proper classification of material and relevant procedures for handling sensitive information. It is adapted from the ASIS International Information Asset Protection Guideline, May 2007.

STEP 1

This document is a quick reference guide for information asset owners and users. For more detailed information on specific topics, please see the policy, practices, and procedures manual available at ______________________.

Listed below are the four categories used to classify information and a brief explanation of the procedures to be followed for each classification. All information should be classified under one of the following four categories: Unrestricted, Internal Use, Restricted, or Highly Restricted. Only information under the categories of Internal Use, Restricted, or Highly Restricted is required to be marked. Share or disseminate this information following the procedures listed below for each category. If the information has not yet been classified, proceed to Step 2.

[Figure: classification chart (p039-001.png)]

STEP 2

Did you create or otherwise own the information?

NO, but I would like to share it. Share information following the guidance provided in the chart in STEP 1. If you have a strong feeling that unmarked information should be marked because it may have a value to competitors or may have proprietary value, contact the information owner to share your concerns. It is the information owner's or creator's responsibility to initially mark and update information classifications.

YES, I need to determine classification and I have the authority to classify my information. I will determine the information classification using the following questions. The column with the most selections suggests the protection classification. Caveats: (1) Use good business judgment when sharing any business information; and (2) Share documents in read-only form.

[Figure: classification questions (p040-001.png)]

Examples:

[Figure: examples (p041-001.png)]

If the information does not meet the minimum criteria for "Internal Use" above, it might be considered public information, unless it falls under a special category such as data restricted by financial, healthcare, or privacy regulations. Check with your IAP Program Manager.

 

PROTECTION REQUIREMENTS FOR SHARING INFORMATION WITHIN VARIOUS CLASSIFICATIONS

Listed below are examples and suggested procedures to follow for the marking and dissemination of documents. Note: International, federal, state, or local laws or regulations may supersede protection requirements. For all electronic systems, the employee must use the organization's owned or approved software, media, and tools.

[Figures: marking and dissemination examples and procedures (p042-001a.png, p042-001b.png)]