Classifying Data to Help Secure Business Information - Template fromMicrosoft
Download as DOCX, PDF2 likes3,906 views
This document provides guidance on classifying and protecting business information. It discusses classifying information as high, moderate, or low business impact based on the potential effect of unauthorized disclosure. It also recommends tools for protecting information, such as Information Rights Management, BitLocker encryption, and Secure/Multipurpose Internet Mail Extensions. Guidelines are provided for sending, sharing, storing, backing up, and disposing of information based on its classification.
Classifying Data to Help Secure Business Information - Template fromMicrosoft
- 1. Work Smart by Microsoft IT Classifying and Protecting Your Business Information Customization note: This document is based on the experience of Microsoft IT and contains guidance and/or step-by-step instructions that can be reused, customized, or deleted entirely if they do not apply to your organization’s environment or installation scenarios. All forms of information, including ideas and concepts, have potential business value. Whether you are exchanging emails, sharing documents, or having a phone conversation, it is your responsibility to help protect your company’s confidential information. The greater the information’s value, the more security controls you should put in place to protect it. This guide provides an overview on how to properly classify business information and data according to the potential impact of unintentional disclosure: High, Moderate, and Low Business Impact. It also introduces some solutions that are available to help protect your information before you transmit, share, store, or dispose of it. Topics in this guide include: Classifying your information Protecting your information Classification and data dissemination guidelines Recommended security practices For more information
- 2. 2 | Classifying and Protecting Your Business Information Classifying your information Information can be classified into three areas, according to the potential impact of its unintentional disclosure: High Business Impact (HBI), Moderate Business Impact (MBI), and Low Business Impact (LBI). Table 1. Information classifications HBI HBI applies to any information including emails, documents, messages and phone conversations that, if disclosed without authorization, could result in immediate, direct or considerable impact to the company, the information owner and customers. HBI information should only be shared with those on a “need-to-know” basis. HBI includes Highly Sensitive Personally Identifiable Information (HSPII). MBI MBI applies to information that, if disclosed, could cause indirect, limited impact the company, the asset’s owner and valued customers. MBI information should only be accessible to those people who have a legitimate business need to view the information. MBI includes Personally Identifiable Information (PII). LBI LBI classification applies to information assets that, if disclosed without authorization, could cause limited, or no material loss to the company, the asset owner, or relying parties. Important: The guidance provided in this document is for example purposes and every organization is unique. In the following sections, please be aware that your company’s HBI, MBI, and LBI information and data could require more or less restrictive classification levels. Classification of some common information types Below is table of guidelines that might be helpful in determining a type of data's classification level. Table 2. Guidelines to help determine data classification level Data includes the following info: HBI MBI LBI Email Address X Social Security Number X Documents regarding process or procedure X Private cryptographic keys X Username and Passwords X Publicly accessible information X Company trade secrets X Financial information related to revenue generation X List of Phone Numbers X Employee Zip Codes X Numeric ID sequences / PINs X
- 3. 3 | Classifying and Protecting Your Business Information Tips: Use the more restrictive classification if data falls into more than one classification level or if you are unsure of its classification. Treat information as HBI if it does not have a classification, but is marked “confidential.” Important Notes: It is your responsibility to understand the business value of your information and to apply the correct classification and protection. Remove HBI or MBI information from your computer before retiring it or sending it offsite for repairs. Remember to check your company policies as their classification levels may vary from the examples provided in the table above. Protecting your information Now that you know how to classify your information, you will learn what tools are available to ensure that your data is protected when it is sent, shared, stored, backed up, or deleted. This guide provides an overview of four technologies that can be used to help protect information. Information Rights Management. An Office feature of Rights Management Services (RMS), IRM enables you to apply specific access permissions to documents, workbooks, and presentations to prevent unauthorized forwarding, printing, or copying; and to set expiration dates after which files no longer are available. More information about IRM is available at http://technet.microsoft.com/en-us/library/cc179103.aspx. Secure/Multipurpose Internet Mail Extensions (S/MIME). With S/MIME you can encrypt and/or digitally sign your email messages. Encrypting your messages converts data with a cipher text so that only people who you specify can read it. Digitally signing an email message helps ensure that no tampering occurs while your message and its attachments are in transit. More information about S/MIME is included in the Message Encryption and Filtering topic at http://technet.microsoft.com/en- us/library/jj891023.aspx. BitLocker Drive Encryption. BitLocker Drive Encryption is a data protection feature available in Windows Vista, Windows 7, and Windows 8. BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost, stolen, or decommissioned. More information about BitLocker is available at http://technet.microsoft.com/en- us/library/hh831713.aspx. BitLocker To Go provides drive encryption to prevent unauthorized access on your portable storage drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other removable drives formatted by using the NTFS, FAT, or exFAT file systems.
- 4. 4 | Classifying and Protecting Your Business Information Encrypted File System (EFS). If your computer is not BitLocker compatible, you can use Encrypted File System (EFS) to encrypt specific files and folders by using a certificate. EFS requires that users with whom you share information enter the appropriate decryption key before they can access the encrypted content. More information about EFS is available at http://windows.microsoft.com/en- us/windows/what-is-encrypting-file-system#1TC=windows-7. The following table provide some guidelines about which technology you should use to protect the HBI or MBI information that you transmit, share, or store on your computer: Table 3. Preferred technology used to transmit, share, and store business information IRM S/MIME EFS BitLocker Transmit with internal email Preferred Acceptable N/A N/A Transmit with external email Works only with other federated RMS organizations Preferred N/A N/A Share using SharePoint Online Preferred N/A N/A N/A Storing on computer Acceptable with BitLocker N/A Acceptable with BitLocker Required Storing on removable media Acceptable N/A Acceptable Preferred Notes: Information about applying Information Rights Management to a list or library is available at http://office.microsoft.com/en-us/sharepoint-server-help/apply-information-rights- management-to-a-list-or-library-HA010154148.aspx More information about Information Rights Management is available in “What’s New with Information Rights Management in SharePoint and SharePoint Online?” at http://blogs.office.com/2012/11/09/whats-new-with-information-rights-management-in- sharepoint-and-sharepoint-online/
- 5. 5 | Classifying and Protecting Your Business Information Classification and data dissemination guidelines The following table provides some classification-level guidelines for sending, sharing, storing, backing up, and disposing of business information. Table 4. Guidelines for sending, sharing, storing, backing up, and disposing of business information Action HBI MBI LBI Send data (via file transfer or email) Requires asset owner approval to forward, export, or copy. Requires encryption for internal and external delivery. Requires encryption with S/MIME or IRM for email. Requires encryption for transfer outside of organization. Requires encryption with S/MIME for email sent outside the corporate network. No special requirements. Share (via O365 SharePoint Online) Use IRM to restrict forwarding, copying, and printing. Restrict permissions to those identified by asset owner. Requires formal agreement, which legal approves, for third parties, such as business partners. Restricts permissions to those with legitimate business needs only. Requires formal agreement, which legal approves, for third parties, such as business partners. No special requirements. Store (server, PC, CD, USB) Requires encryption (BitLocker). Allows storage on handheld devices only if device supports strong encryption and authentication security controls. May require encryption (as determined by the asset owner). No special requirements. Back up Performed only by authorized personnel and stored only at a location approved by IT Security. Encrypt storage media. Store in a physically secure location in which backups are logged and access is controlled and monitored. No special requirements. Dispose of Cross-shred or incinerate paper documents. Destroy tapes and other magnetic media. Request that hard disk drives be destroyed. Follow your organization policies for the appropriate disposal of retired hardware and media. Cross-shred or incinerate paper documents. Destroy tapes and other magnetic media. Remove data on hard disks that you plan to reuse or retire. Destroy inoperable hard disk drives. No special requirements.
- 6. 6 | Classifying and Protecting Your Business Information Recommended security practices Use the Microsoft Office System Document Inspector If you plan to share an electronic copy of a Microsoft Office Word document with clients or colleagues, it is a good idea to review the document for hidden data or personal information that might be stored in the document itself or in the document properties (metadata). Document Inspector is a built-in tool that can be used to scan your data before sharing it with others. For more information on how to use Document Inspector, see Remove hidden data and personal information by inspecting documents at http://office.microsoft.com/en-us/word- help/remove-hidden-data-and-personal-information-by-inspecting-documents- HA010354329.aspx. Guard confidential information Do not discuss confidential information in public places. Beware of multiple network connections Never concurrently connect your computer to your corporate network and the Internet, or any other network that your company does not manage. This compromises your company's network security. Review list of group recipients Think globally before posting any content. Before you send or reply to email, post to Yammer, One Drive, or any another social website, or post data to SharePoint, make sure that the information is appropriate for disclosure to everyone who has access to the email or website. Use Outlook Web Access Use Outlook Web Access (OWA) to check your email from your home computer. Be careful if you access corporate resources by using kiosks and other public locations, even though OWA, as key strokes may be monitored if the public network does not have the correct configuration. Do not leave documents or presentations unattended Remove all documents after meetings, and erase whiteboards. Beware of posting on walls or bulletin boards If your document is HBI, do not post it in hallways or on bulletin boards.
- 7. 7 | Classifying and Protecting Your Business Information For more information This guide provides foundational knowledge to help you make better decisions about securing your data. Other guides are available to teach you how to help protect your information. Visit the Modern IT Experience featuring IT Showcase at http://microsoft.com/microsoft-IT and search for the following Work Smart titles: Securing your business information Secure collaboration using SharePoint Online Securing your computer Protecting data with Windows 8 BitLocker The following content may be of interest to you as well: Introduction to IRM for email messages http://office.microsoft.com/en-us/outlook-help/introduction-to-irm-for-email- messages-HA102749366.aspx Video: Getting Started with Encrypting File System in Windows 7 http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with-the- encrypting-file-system-in-windows-7.aspx International Data Protection Standards http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E-B0A0- FFA413E20060/international_privacy_standards.pdf Work Smart by Microsoft IT http://aka.ms/customerworksmart This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2014 Microsoft Corporation. All rights reserved.