Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Information awareness program
Similaire à Information awareness program (20)
Dernier
Dernier (20)
Information awareness program
- 1. Approach to Information Security Rahul Khattar
- 2. Approach to Information Security Setting the Agenda • Making Information available to all users, is essential for the enterprise to conduct its business • Leakage of such information may impact the organization adversely Five step approach to make information available and secure Information Location Classification Protection Audit Training
- 3. Approach to Information Security Where does Information Reside? On File-Servers (FTP) Shared Within DMS folders Backup Content Emails Management Backup Tapes Extracts from BI tools Laptops Removable Mobile Printer hard disk media devices This Information is shared with Employees/ Vendors/ Partners/ Desktops Email Consultants/ Contractors/ Auditors Recognize where information exists Information Location Classification Protection Audit Training
- 4. Approach to Information Security Classification What is Information Classification? It is the science to describe principles that need to be followed to protect information It guides you on how and to whom you can distribute information with a particular classification Why Classify? Classification of information is essential for every business because without classification everyone treats the same piece of information differently, which could have major consequences Classified data helps to better define and implement protection policies Information Location Classification Protection Audit Training
- 5. Approach to Information Security Protection What is Protection? Ensure that only legit users have access to the data Control data with internal/external users Define and apply policies based on Classification Why Protect? Protection enables the enterprises to manage the usage and consumption of its valuable data Information Location Classification Protection Audit Training
- 6. Approach to Information Security Audit Auditing Information Usage Track all end user actions on protected information Generate and analyze reports Keep a close eye on all your data that resides within or outside the organization Why Audit Information Usage? To understand the Information consumption pattern To showcase the shortcomings of existing policies To fine tune “Control-Policies” for your confidential data Information Location Classification Protection Audit Training
- 7. Approach to Information Security End User Training What is Training Educate employees on Information Usage Ensure participation, role play for users Using email, standees, flyers, KM portal as a medium of knowledge transfer Why Train Staff? Helps enterprise define better control-policies on data Minimize accidental misuse of information Ensure technology platform is well accepted Training ensures User participation and acceptance Information Location Classification Protection Audit Training
- 8. Approach to Information Security Importance of DFA in building better policies Data Flow Analysis is an activity to understand what is valuable information and which department holds it It also helps in tracking the information and the consumption pattern & risk DFA maps the information flow for a particular business process DFA clearly points out the security issues attached with a piece of information at different stages of its lifecycle DFA sharpens classification and protection policies on information
- 9. More Info? www.seclore.com +91-22-6130-4200 9
Notes de l'éditeur
- Thank you for being present today.The agenda of this presentation is to lay down a very simple and a basic approach for us to understand on what steps need to taken to protect the enterprise from the risk of its information being put to misuse. The assumption being made here is that , We recognize the need to protect information, however, we still need to identify what is that piece of information that is most valuable to the company and finally lay down the way forward.This presentation is an attempt to provide all of us with the ways and means of getting to answers to the following questions..1) Why should I be protecting my information?2) What is information classification and on Why it is a means to getting to where we want to go?3) How do I get an understand on the risk that my business is exposed to and finally around the business controls that are available to Protect my Information?So lets start by answering the 1st questions..… “Why should I be protecting my information?” Read the 1st 2 para of the slide deck…Information is exchanged by people across the enterprise. So for example an escalation about a customer transaction or perhaps a job on the design floor may end up reaching the HEAD of the given department or the CIO. Information in this case traverses across the company and you do not need a policy to hinder this flow of escalation . In fact once the issue is sorted you may need to ensure that the information is not put to misuse. Another example would be quotations that you send to customers or information that business partners receive to complete a given assignment. What would be the risk to your information that is now with an external user? Does your NDA report back to you in case information is accidentally put to misuse. . So in simple words every bit of information , during its lifecycle is exposed to some or the other risk of misuse and this risk can be measured and quantified in terms of financial loss and legal liabilities if you have not protected the confidential information that the other party has handed to youWhat would we cover… we would stich together words such as [read the 3rdpara..]Where do I start from…[next slide]
- Information classification is an approach, a science, a set of guidelines that an enterprise needs to understand & follow. It would help you understand on what is valuable to you and on how we should protect informationClassification is a means to helping different people or systems understand on how they should behave , react, behave and act when they receive information with a specific classification attached to it.
- Using a technique know as “Data Flow Analysis” we can get a grip of what information does a specific department hold and for how long. This technique provides us a map of the existing business risk that we are exposed to.Read Para 1,2,3Once we have this information I can now identify the correct policies and classification that needs to fall in place .What is now needed is a technology tool to automate some of this work. Using a plain technology approach to automate discovery and classification does not work