Information classification
Download as PPTX, PDF1 like1,532 views
This document provides information on data classification, including its importance, goals, and how to implement a classification system. Classification involves organizing data into categories to facilitate effective use while achieving goals like availability, integrity, compliance and mitigating risks. The document outlines a process for classification that includes understanding information types and risks, creating a classification scheme, implementing policies, and ongoing maintenance through education and improvement.
Information classification
- 1. INFORMATION CLASSIFICATION • SMELLS LIKE A BUSINESS GLOSSARY, • TASTES LIKE A BUSINESS GLOSSARY, • FOR DATA SECURITY AND ASSET MANAGEMENT – THIS IS WHERE YOU START
- 2. ABOUT ME • Contact and Summary Details • LinkedIn: https://www.linkedin.com/in/howarddiesel-infogovernance?trk=hp-identity- name • Twitter: @howarddiesel • Skype: howarddiesel • Mail: howard@modelwaresystems.com
- 3. CLASSIFICATION: PROBLEM RECOGNITION • TRUISM: The Requirement to protect information is required by all organizations • PROTECT • LOSS • EXPOSURE • EFFECT • LOSS: hampers business operations • EXPOSURE: affect reputation and advantage • LOSS • Complete / Destroyed • Inability to Find • CONSEQUENCE: Hoard & Secure Everything (Expensive & Not practical)
- 4. CLASSIFICATION: HOW IMPORTANT IS IT? • Intellectual Property • Privacy • Legal Issues • Sensitivity
- 5. CLASSIFICATION: PURPOSE • Availability, integrity and confidentiality are provided for all identified assets • Return on investment by implementing controls where they are needed the most • Map data protection levels with organizational needs • Mitigate threats of unauthorized access and disclosure • Comply with legal and regulation requirements CLASSIFICATION: GOALS
- 6. CLASSIFICATION: 4 HUSBANDS AND A WIFE • WHAT • Process of organizing data into categories for its most effective and efficient use. • WHY • Achieve our Classification Goals • WHERE • All data storage locations • WHEN • Entire Data Lifecycle until DISPOSED • HOW • Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees & systems within the organization regarding data stewardship.
- 7. SYSTEM OF PROCESSES FOR CLASSIFICATION Understand Information • Information Types • Identify Risks to Information • Applicable Regulations Create Classification System • Classification Scheme • Standards and Procedures • Access to data • Classifying Information • Creating and Handling Classified Information • Storing Classified Information • Transmitting Classified Information • Receiving Classified information from External Parties Implement • Classification Policy • Requirement for information classification • Mandate the use of the classification system • Highlight RACI for maintain the classification system • Security grading documents • Provide more detailed level of guidance for a specific area of data • Classification of existing data Educate • Formal training • Awareness campaigns • Staff Induction Maintain • Not a discrete project • Cycle of Continuous Improvement
- 8. CLASSIFICATION: MODEL STRUCTURE • Content: Type of information, irrespective of format and medium. What the information applies to. Typical derived from the related Business Subject Area • Reg Authority: Reference to the regulatory document which specifies storage and/or disposal requirements. • Security Requirement • C: contains sensitive info – handled CONFIDENTLY • I: INTEGRITY, specifically protected against unintentional or unauthorised changes • A: Handled especially with regard to high ACCESSIBILITY
- 9. CLASSIFICATION: MODEL STRUCTURE – CONT’D • Preservation Period • LEG – legal value • ENT – Enterprise critical value • HIST: Historical value • Archive Index (File Plan)
- 10. REFERENCE MATERIAL • Guidelines for Classification of Information Best Practice Document; Produced by UNINETT led working group on Information Security (http://services.geant.net/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4- ufs136.pdf) • Tips for creating a data classification policy (http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification- policy) • Implementing information classification enterprise (https://www.giac.org/paper/gsec/4198/implementing-information-classification- enterprise/106714) • Drafting data classification policies and guidelines (http://searchfinancialsecurity.techtarget.com/news/1289406/Drafting-data- classification-policies-and-guidelines) • Information classification according to ISO 27001 (http://advisera.com/27001academy/blog/2014/05/12/information-classification- according-to-iso-27001/)
Editor's Notes
- #4: We have to protect against the loss and inappropriate exposure to external parties of organizational information assets.
- #5: There are myriad reasons for protecting information. Examples include1: • Intellectual Property. The compromise of this type of information could result in the loss of a competitive advantage and market share. In a recent example, InstallShield accused a rival software manufacturer of using proprietary information to design software to help customers migrate to their competing product2. • Privacy. Privacy is becoming a significant issue for all companies and increasing legislation in the area requires companies to be aware of their responsibilities for protecting this type of data. • Legal issues. Non-disclosure contracts, archive acts and requirements of taxation law are all examples of external influences on your data classification requirements. It is important that you are aware of all relevant requirements in this area prior to formulating a classification scheme. • Sensitivity. While the release of some information may not damage the company or breach privacy legislation, it may still be desirable to protect sensitive data such as the companies payroll details.
- #9: Owner The organizational unit or process which holds ownership of the information Content Type of information, irrespective of format and medium. What the information applies to. Typical derived from the related Business Subject Area Regulatory Authority Reference to the regulatory document which specifies storage and/or disposal requirements. Storage Location The name of the system and/or physical archive in which the information object is located in the storage period Unrestricted data Open or Public data (still may include handling requirements Security Classification The degree of protection required for the information object. An object may contain more than one level of classification (Email) Classification Level Definition: Open Internal Sensitive Highly Sensitive Security requirement Special security considerations based on confidentiality, integrity and/or accessibility of information objects: C – object contains sensitive information and should be handled confidently I – Integrity of information object shall be specifically protected against unintentional or conscious unauthorised changes A – object shall be handled especially with regard to high accessibility Maximum down-time Maximum acceptable time for which electronically stored information object can be inaccessible. Recommended periods are: 1 Hour 1 Day 1 Week 1 Month Preservation Period Preservation period is a criterion which specifies the relative importance the information has for the organization: LEG – legal value ENT – Enterprise Critical value HIST – Historical value Personal Data If the information object contains or may contain personal data: Personal Data (P) – data that can be associated with an individual Sensitive Personal Data (S) – data relating to racial, ethnic, political, religious Archive Index (File Plan) An archive index is a system for organizing documents based on one or more classification principles. Normally use a sorting principle based on Subject areas. The subject groups, and thereby the folders in the physical archive, are organized per the decimal system. Examples: Class 1 is Finance Main Group 13 is Accounting and Auditing Group 133 is Completed Accounts
- #10: Owner The organizational unit or process which holds ownership of the information Content Type of information, irrespective of format and medium. What the information applies to. Typical derived from the related Business Subject Area Regulatory Authority Reference to the regulatory document which specifies storage and/or disposal requirements. Storage Location The name of the system and/or physical archive in which the information object is located in the storage period Unrestricted data Open or Public data (still may include handling requirements Security Classification The degree of protection required for the information object. An object may contain more than one level of classification (Email) Classification Level Definition: Open Internal Sensitive Highly Sensitive Security requirement Special security considerations based on confidentiality, integrity and/or accessibility of information objects: C – object contains sensitive information and should be handled confidently I – Integrity of information object shall be specifically protected against unintentional or conscious unauthorised changes A – object shall be handled especially with regard to high accessibility Maximum down-time Maximum acceptable time for which electronically stored information object can be inaccessible. Recommended periods are: 1 Hour 1 Day 1 Week 1 Month Preservation Period Preservation period is a criterion which specifies the relative importance the information has for the organization: LEG – legal value ENT – Enterprise Critical value HIST – Historical value Personal Data If the information object contains or may contain personal data: Personal Data (P) – data that can be associated with an individual Sensitive Personal Data (S) – data relating to racial, ethnic, political, religious Archive Index (File Plan) An archive index is a system for organizing documents based on one or more classification principles. Normally use a sorting principle based on Subject areas. The subject groups, and thereby the folders in the physical archive, are organized per the decimal system. Examples: Class 1 is Finance Main Group 13 is Accounting and Auditing Group 133 is Completed Accounts