"A risk assessment of the Piql Services" by FFI

protected and the corresponding value, or degree of sensitivity, of that information. Defined in very broad terms, the user class is divided into the business or public sectors, storing sensitive or non-sensitive information. A new potential Piql partner can quite easily locate the user class to which it belongs, and thus gain a generic understanding of which risks apply to its organisation and which corresponding security measures should be put in place. The level of sensitivity of the information is further divided into sub-categories. A measure of the sensitivity of information is how critical its loss would be. The degree of sensitivity can vary greatly depending on how important the information is from one situation to another and from one period of time to another, and sensitivity is also often a matter of subjective judgement. As a frame of reference, we have chosen to use Norwegian legislation detailing which rules and regulations apply to different levels of sensitive information. Similar legislation can be found specifically for other nations. For the purposes of this report, the levels of sensitivity are divided into five groupings, outlined in table 5.2 below.

Sensitivity level: Description

Public highly sensitive: Classified or confidential information, as specified by national acts on protective security services [18].

Public sensitive I: Information exempt for public consumption, as specified by national regulations governing access to documents in the public administration [24].

Public sensitive II: Proprietary information, as specified by national regulations governing the management of information in need of protection for other reasons than those mentioned in the national act on protective security services, including regulations [25].

Business sensitive: Business confidential or proprietary information, as specified by the individual enterprise.

Public sensitive and business sensitive: Personal data, as specified by national acts regulating the processing of personal data [26].

Table 5.2 The classifications of sensitive information

Information that falls within the category non-sensitive is kept separate from the overview in table 5.2, as the table solely depicts the various degrees of sensitivity of information which has already been deemed sensitive. Most of the digital information generated today is non-sensitive, and this category will undoubtedly comprise most of the information which is stored with the Piql Preservation Services. This is not to say that this information is not valuable and in need of long-term preservation: it is simply not sensitive, understood as information that does not need to be withheld from the public. Non-sensitive information can certainly be valuable, such as the very high value cultural artefacts have to a society. Preserving the cultural heritage of a society is


FFI-RAPPORT 16/00707
