Text Size:   A+ A- A   •   Text Only
Site Image
Information Asset Classification
Purpose and Objectives
mouse and pencil
The purpose of statewide Information Asset Classification policy 107-004-050 (effective 7/30/2007) is to ensure State of Oregon information assets are identified, properly classified, and protected throughout their lifecycles. Information, like other assets, must be properly managed from its creation to disposal. As with other assets, not all information has the same value or importance to the agency and therefore information requires different levels of protection. Information asset classification and data management are critical to ensure that the state’s information assets have a level of protection corresponding to the sensitivity and value of the information asset.
The provisions of the policy collectively apply to all information assets, including but not limited to paper, electronic, and film. The term “information asset” is not used within this framework to refer to the technology that is used to store, process, access and manipulate the information.
The objective of the information asset classification initiative is to develop and implement processes that allow an agency to continually assess and classify its information assets and provide information asset classification plans for assessment purposes. Information asset classification allows an agency to:
  • Continually assess what types of precautions must be taken to ensure the confidentiality, integrity, and availability of its information assets related to their value.
  • Collect documentation on its information assets:
    • Compliance requirements
    • Information owner
    • Associated business function, such as business continuity planning
    • Archive and retention requirements
A Community of Practice, consisting of representatives from eight state agencies, developed a suite of agency resources and identified other tools and best practices that may assist agencies as they undertake this initiative. These documents and resources are linked below.

Agency Resources
Resources created by the Information Asset Classification Community of Practice

  • Information Asset Classification policy -- revised
  • Information Asset Classification methodology
  • Awareness materials for managers
  • Awareness materials for employees
  • Information Forum presentation (1/30/2008)


  • Information Asset Classification strategy model
  • Sample methodologies
  • Risk Assessment Tool
  • GSA E-Authentication Risk and Requirements Assessment Tool
  • Definitions, Examples, Handling matrix
  • Threats and Security Concerns matrix
  • Sample Information Asset List
  • Dept. of  Homeland Security Privacy Impact Assessment
  • Dept. of  Homeland Security Privacy Threshold Analysis
  • Dept. of  Homeland Security Privacy Impact Assessment Template

Agency Provided Material
  • PERS - Acceptable Use Policy
  • PERS - Acceptable Use of Information Systems Exception Request form
  • PERS - Release of Sensitive Information Policy

Other Resources
Resources created by other entities

  •  Information Security Oversight Office -- Classified National Security Information Basics
    • Original Classification Authority -- Provides Federal requirements of who classifies and how to classify
    • Derivative Classification -- Provides Federal requirements when using portions of previously classified information in a new document
    • Marking Classified National Security Information -- Provides Federal requirements for labeling
    • Safeguarding Classified Information -- Provides Federal safeguard requirements