Managing The Confidentiality
Electronic Data and Records Management

www.greenleafinstitute.com

Objectives of this Module
With this module, it is expected that the reader will:

- Understand the general concept of confidentiality and intangible assets
- Appreciate the risks of data leaks to individuals and organizations
- Acknowledge the need for information classification through contractual elements and self-management
- Learn how to conduct the information classification

Outline
- Confidentiality: what matters for your organization
  - Intangible assets & liability
  - Organizational reputation
  - Overwhelming data

- Confidentiality infringement & risks
  - Case studies
  - Risk management

- Information classification
  - Objectives & guidelines
  - Who plays a role?
  - Information handling: creation, update, transmission, publication, deletion
  - Classification scheme & data handling matrix

What Constitutes Confidential Information?
- Economic value of its existence?
  - Intangible asset
  - Competitive advantage
  - Strategic value

- Associated risk when leaking it?
  - Business disruption
  - Diminishing competitiveness
  - Degrading reputation

- Something you don't want to see in the media headlines?


Overwhelming Information & Data Records

Main concern: to ensure that electronic documentation & records shall only be accessible to those who are authorized, and be restricted from the rest. Nevertheless, there is a need to balance this against the enterprise's need to use and share the information…

Examples of the information involved: Patents, Credit History, Product Pricing, Trademarks, Customer Data, Copyright, Marketing Plans, Human Capital, Health Insurance Records, Trade Secrets, Business Plans, Operating Plans, Costs, Salary Data, Management Changes, Vendor Information, Profits, Shareholders Data.

Confidentiality & EDRM

What causes infringement of confidentiality?
- Accident & negligence
- Natural causes
- Malicious attack: internal & external factors
- Awareness problems

Case 1 – US: When disposal is not disposal
- Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally, practiced. Uncontrolled disposal, however, can prove fatal. Stories of competitors, or their agents, retrieving old diskettes, CDs, listings, etc. from garbage bins are rife.

- A network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!

- A hardware fault was not always terminal for the data stored on the discarded media.

Case 2 – India: Outsourcing breach
- A British undercover reporter revealed that they had managed to obtain bulk confidential details of a thousand British bank accounts, including addresses, passwords, phone numbers, and passport and driving licence details.

- This confidential data was purchased for £3 per customer. Financial institutions such as Barclays, Lloyds TSB, the Nationwide and HSBC were affected.

- The Sun's Delhi-based contact boasted that he could sell details of up to 200,000 accounts each month, said the newspaper.

Case 3 – US: Banking critical data loss
- Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.

- The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft.

- The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.

Risk Management
- Contractual risk management
  - Contracting: employment, outsourcing, S&P, SLA, JV…
  - Non-disclosure agreement (NDA)

- EDRM confidentiality policy
  - Greater information security policy
  - Information classification matrix & guidelines
  - Information labeling and handling measures

Contractual Risk Management

- Ensuring confidentiality shall be clearly provided for in the various contractual arrangements by imposing and enforcing a non-disclosure agreement (NDA):
  - Employment contract: employees' liability
  - SLA: reminding vendors & outsourcing service providers of their confidentiality liability

Information Classification
- Objective: to ensure that information assets receive an appropriate level of protection according to their level of sensitivity and criticality

- Information should be classified to indicate the needs, priorities and degree of protection

- An information classification system should be used to define an appropriate set of protection levels and the needs for special handling measures

- The classification is a shorthand way of determining how information is to be handled and protected


Why Classify Information

Of 100% of all enterprise information:
- 10% Public Information
- 80% Internal Use Information
- 10% Confidential Information


Information Classification Lifecycle

1. Create/review policy on information classification
2. Classify information based on business needs, impact and priorities
3. Identify information originator, developer, owner and user
4. Create information classification matrix including labeling & handling measures
5. Enforce the implementation of the information matrix

Who Plays a Role?

- Creator/Developer
- Owner
- User

Who Plays a Role?

- Responsibility of the originator or nominated owner of information:
  - Defining the classification of an item of information
  - Periodically reviewing that classification
  - Information labeling and handling measures

Information Labeling & Handling
- Output from systems containing sensitive or critical information should carry an appropriate classification label. This applies to information output in both physical and electronic forms.

- For each classification, handling procedures should be defined to cover the following types of information processing activity:
  - Copying
  - Storage
  - Transmission by post, fax, email, etc.
  - Transmission by spoken word, including mobile phone, voicemail, answering machine
  - Destruction

FOUR Classification Rules
1. MYOB – MIND YOUR ORGANIZATION'S BUSINESS. Take into account the business needs for sharing or restricting information and the business impact associated with such needs. Outputs of classified data should be labeled in terms of their value and sensitivity to the organization.

2. FLEXIBILITY. Accept the fact that the classification is not fixed for all time; it may change according to a predetermined policy.

3. SIMPLICITY. Choose an appropriate and practical number of classification categories. An overly complex scheme may become cumbersome, uneconomic and impractical. Avoid over-classification.

4. FAMILIARITY. Make the policy and guidelines known to everybody involved in the whole information lifecycle – and that includes outsiders.



Information Classification

It is advisable to restrict the number of information classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult.

The following five levels of classification cover most eventualities (from most to least sensitive):
- Top Secret
- Highly Confidential
- Proprietary
- Internal Use Only
- Public Documents

Information Classification (cont'd)

Top Secret:
- Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public.
- Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

Information Classification (cont'd)

Highly Confidential:
- Information which is considered critical to the organization's ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive information of customers of banks (etc.), patients' medical records, and similar highly sensitive data.
- Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.

Information Classification (cont'd)

Proprietary:
- Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
- Such information is normally for proprietary use by authorized personnel only. Security at this level is high.

Information Classification (cont'd)

Internal Use Only:
- Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility.
- Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.

Information Classification (cont'd)

Public Documents:
- Information in the public domain: annual reports, press statements etc. which have been approved for public use.
- Security at this level is minimal.

Designing the information classification matrix

A. Classification definitions & examples
B. Types of information (structured & unstructured)
C. Information protection roles (who does what)
D. Definition of risk zones & their protection measures
E. Handling & labeling procedure
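As an added worked example (not part of the deck or of the Greenleaf Institute's material), the following Python models the five-level scheme as an ordered enumeration and the handling matrix as a level-by-activity table over the five processing activities named on the labeling and handling slide, together with output labeling and the owner's periodic review. The level names, the activities and the Highly Confidential "no removal from operational control without specific authority" rule come from the slides; the control wording in the matrix, the threshold at which transmission must be encrypted, the rule that Top Secret is never sent outside the organization, the twelve-month review interval and the sample item are constructed for illustration and would come from an organization's own policy. The check routine shows the failure mode of Case 3 on this scheme: bank customer data is Highly Confidential, so an unencrypted disc in the post is refused before it leaves operational control.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Level(IntEnum):
    """The deck's five levels, ordered so that a >= b means 'at least as sensitive'."""
    PUBLIC = 0               # Public Documents
    INTERNAL = 1             # Internal Use Only
    PROPRIETARY = 2          # Proprietary
    HIGHLY_CONFIDENTIAL = 3  # Highly Confidential
    TOP_SECRET = 4           # Top Secret


LABELS = {
    Level.PUBLIC: "PUBLIC",
    Level.INTERNAL: "INTERNAL USE ONLY",
    Level.PROPRIETARY: "PROPRIETARY",
    Level.HIGHLY_CONFIDENTIAL: "HIGHLY CONFIDENTIAL",
    Level.TOP_SECRET: "TOP SECRET",
}

# The five processing activities a handling procedure must cover (from the slide).
ACTIVITIES = ("copying", "storage", "transmission_written",
              "transmission_spoken", "destruction")

# Handling matrix rows, one per level, columns in ACTIVITIES order.
# The control wording is constructed for this example, not policy text.
_ROWS = {
    Level.PUBLIC: ["unrestricted", "any storage", "any channel",
                   "any setting", "ordinary waste"],
    Level.INTERNAL: ["staff only", "company systems", "internal post or email",
                     "non-public setting", "shredding bin"],
    Level.PROPRIETARY: ["authorized personnel", "access-controlled store",
                        "encrypted email or sealed courier",
                        "no voicemail or answering machine", "cross-cut shredding"],
    Level.HIGHLY_CONFIDENTIAL: ["owner's specific authority", "encrypted, access-logged store",
                                "encrypted and tracked, owner's authority to leave control",
                                "private room, no mobile phone", "witnessed destruction, recorded"],
    Level.TOP_SECRET: ["prohibited", "encrypted vault, named access only",
                       "hand delivery between named individuals",
                       "face to face only", "witnessed destruction, recorded"],
}
HANDLING_MATRIX = {lvl: dict(zip(ACTIVITIES, row)) for lvl, row in _ROWS.items()}


def required_control(level: Level, activity: str) -> str:
    """Look up the matrix cell; an unknown activity is an error, never a silent 'allowed'."""
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown handling activity: {activity!r}")
    return HANDLING_MATRIX[level][activity]


def label_output(level: Level, body: str) -> str:
    """Stamp output with its classification label (header and footer banner),
    as the slide requires for both printed and electronic output."""
    banner = f"*** {LABELS[level]} ***"
    return f"{banner}\n{body}\n{banner}"


def check_written_transmission(level: Level, encrypted: bool,
                               leaves_organization: bool,
                               owner_authorized: bool = False) -> tuple[bool, str]:
    """Decide whether a transmission by post, fax or email is permitted.
    Rules: Proprietary and above are never sent unencrypted (constructed threshold);
    Highly Confidential does not leave operational control without the owner's
    specific authority (from the slide); Top Secret is not sent outside at all
    (constructed). Returns (allowed, reason or required control)."""
    if level >= Level.PROPRIETARY and not encrypted:
        return False, "unencrypted transmission is not permitted at this level"
    if level == Level.TOP_SECRET and leaves_organization:
        return False, "Top Secret is not distributed outside the organization"
    if level >= Level.HIGHLY_CONFIDENTIAL and leaves_organization and not owner_authorized:
        return False, "leaving operational control requires the owner's specific authority"
    return True, required_control(level, "transmission_written")


@dataclass
class ClassifiedItem:
    """The owner's classification decision and when it must be re-reviewed (rule 2)."""
    name: str
    level: Level
    owner: str
    classified_on: str       # ISO date, e.g. "2024-01-01"
    review_months: int = 12  # constructed default interval


def review_due_date(item: ClassifiedItem) -> date:
    d = date.fromisoformat(item.classified_on)
    month0 = d.month - 1 + item.review_months
    # Clamp to day 28 so adding months never produces an invalid calendar date.
    return date(d.year + month0 // 12, month0 % 12 + 1, min(d.day, 28))


def review_overdue(item: ClassifiedItem, today: str) -> bool:
    return date.fromisoformat(today) > review_due_date(item)


if __name__ == "__main__":
    # Case 3 on this scheme: an unencrypted disc of customer data in the post.
    print(check_written_transmission(Level.HIGHLY_CONFIDENTIAL,
                                     encrypted=False, leaves_organization=True))
    print(label_output(Level.INTERNAL, "Minutes of the weekly project meeting"))
```

Keeping the levels as an ordered enumeration lets rules be written as thresholds ("Proprietary and above") instead of per-level special cases, which is what keeps a five-level scheme simple to maintain, and refusing unknown activities rather than defaulting to "allowed" means a gap in the matrix surfaces as an error during review rather than as an unhandled transfer.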

Checklist

- General information security policy ______
- Information classification matrix ______
- Info handling & labeling procedure ______
- Confidentiality/NDA provision within:
  - Employment contract ________
  - Outsourcing contract ________
  - Joint ventures agreement ________
  - Service level agreement ________
  - Standard operating procedures ________
  - E-mail signatures ________
  - Presentation materials, e-records, etc. ________




THANK YOU.

Copyright: www.greenleafinstitute.com
