Inventoried information assets are categorized based on defined criteria that include importance to the delivery of the function
Categorization of assets is important for many cybersecurity and operational activities, such as incident response, risk management, threat management, and cybersecurity architecture planning. Information should be categorized according to its sensitivity, value, criticality, interdependencies with other assets, legal requirements, whether the data is collected by, held by, or shared with a third party, or other scheme, including any scheme that is required by regulation or other compliance factor. Categorization provides another level of important description to an information asset that may affect strategies to protect and sustain it.

These are examples of categorization schemes:
· Confidential, Secret, Top Secret
· Regulated, Unregulated, Public
· Restricted, Private, Public

Whatever scheme is used, the importance of the asset to the delivery of the function should be considered. Additionally, when identifying categories, consider that many cybersecurity activities generate information assets that need to be protected, such as configuration baseline information, risk registers, and even asset inventories themselves.
Related Practices
· Input From: Implementing ASSET-2a provides input that may be useful for implementing this practice.
· Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ASSET-2c, ASSET-2d.