Electronic data & record management

  1. Managing the Confidentiality: Electronic Data and Records Management. www.greenleafinstitute.com
  2. Objectives of this Module
     With this module, it is expected that the reader will:
      Understand the general concept of confidentiality and intangible assets
      Appreciate the risks of a data leak to individuals and organizations
      Acknowledge the need for information classification, through both contractual elements and self-management
      Learn how to conduct an information classification
  3. Outline
      Confidentiality: what matters for your organization
        Intangible assets & liability
        Organizational reputation
        Overwhelming data
      Confidentiality infringement & risks
        Case studies
        Risk management
      Information classification
        Objectives & guidelines
        Who plays a role?
        Information handling: creation, update, transmission, publication, deletion
        Classification scheme & data handling matrix
  4. What Constitutes Confidential Information?
      Does its existence have economic value? An intangible asset, a competitive advantage, strategic value.
      Is there an associated risk when it leaks? Business disruption, diminished competitiveness, degraded reputation.
      Is it something you don't want to see in the media headlines?
  5. Overwhelming Information & Data Records
     Main concern: to ensure that electronic documentation and records are accessible only to those who are authorized, and restricted from everyone else. Nevertheless, this must be balanced against the enterprise's need to use and share the information...
     [Slide graphic: a cloud of record types that may be in scope, including patents, credit data, product history, pricing, trademarks, customer records, copyright data, marketing plans, human capital, health insurance records, trade secrets, business plans, operating plans, costs, salary data, management changes, vendor information, profits and shareholder data.]
  6. What causes infringement of confidentiality?
      Accident & negligence
      Natural causes
      Malicious attack: internal & external factors
      Awareness problems
  7. Case 1 – US: When disposal is not disposal
      Secure disposal of computer media is by now a fairly well-known requirement. It is widely, although not universally, practiced. Uncontrolled disposal, however, can prove fatal. Stories of competitors, or their agents, retrieving old diskettes, CDs, listings, etc. from garbage bins are rife.
      A network was uncovered which specialized in the recovery and sale of corporate data. One of its methods was to purchase old tapes and diskettes from large companies and then restore the data using its own recovery software. This was then discreetly offered for sale to selected competitors.
      A hardware fault was not always terminal for the data stored: media discarded as faulty could often still be read.
  8. Case 2 – India: Outsourcing breach
      An undercover British reporter revealed that they had managed to obtain a bulk of confidential details on thousands of British bank accounts, including addresses, passwords, phone numbers, and passport and driving licence details.
      This confidential data was purchased for £3 per customer. Financial institutions such as Barclays, Lloyds TSB, the Nationwide and HSBC were affected.
      The Sun's Delhi-based contact boasted that he could sell details of up to 200,000 accounts each month, the newspaper said.
  9. Case 3 – UK: Banking critical data loss
      Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.
      The FSA found that the three firms sent large amounts of unencrypted data, often on discs sent via the post, and that staff were untrained on the issue of identity theft.
      The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses, and that, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders, also in the post.
  10. Risk Management
      Contractual risk management
        Contracting: employment, outsourcing, S&P, SLA, JV...
        Non-disclosure agreement (NDA)
      EDRM confidentiality policy
        Greater information security policy
        Information classification matrix & guidelines
        Information labeling and handling measures
  11. Contractual Risk Management
     Confidentiality shall be clearly provided for in the various contractual arrangements by imposing and enforcing a non-disclosure agreement (NDA):
      Employment contract  employees' liability
      SLA  reminding vendors and outsourcing service providers of their confidentiality liability
  12. Information Classification
      Objective: to ensure that information assets receive an appropriate level of protection according to their level of sensitivity and criticality
      Information should be classified to indicate the needs, priorities and degree of protection
      An information classification system should be used to define an appropriate set of protection levels and the needs for special handling measures
      The classification is a shorthand way of determining how information is to be handled and protected
  13. Why Classify Information
     [Pie chart: of 100% of all enterprise information, roughly 10% is Public Information, 80% is Internal Use Information and 10% is Confidential Information.]
  14. Information Classification Lifecycle
     [Cycle diagram with five stages:]
     1. Create/review policy on information classification
     2. Classify information based on business needs, impact and priorities
     3. Identify information originator, developer, owner and user
     4. Create information classification matrix, including labeling & handling measures
     5. Enforce the implementation of the information matrix
  15. Who Plays a Role?
     [Diagram of the three roles: Creator/Developer, Owner, User]
  16. Who Plays a Role?
      Responsibility of the originator or nominated owner of information:
        Defining the classification of an item of information
        Periodically reviewing that classification
        Information labeling and handling measures
  17. Information Labeling & Handling
      Output from systems containing sensitive or critical information should carry an appropriate classification label. This applies to output in both physical and electronic form.
      For each classification, handling procedures should be defined to cover the following types of information processing activity:
        Copying
        Storage
        Transmission by post, fax, email, etc.
        Transmission by spoken word, including mobile phone, voicemail, answering machine
        Destruction
  18. FOUR Classification Rules
     1. MYOB – MIND YOUR ORGANIZATION'S BUSINESS. Take into account the business need for sharing or restricting information and the business impact associated with that need. Outputs of classified data should be labeled in terms of their value and sensitivity to the organization.
     2. FLEXIBILITY. Accept that a classification is not fixed for all time; it may change according to a predetermined policy.
     3. SIMPLICITY. Choose an appropriate and practical number of classification categories. An overly complex scheme becomes cumbersome, uneconomic and impractical. Avoid over-classification.
     4. FAMILIARITY. Make the policy and guidelines known to everybody involved in the whole information lifecycle, and that includes outsiders.
  19. Information Classification
     It is advisable to restrict the number of information classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. The following five levels of classification cover most eventualities:
      Top Secret
      Highly Confidential
      Proprietary
      Internal Use Only
      Public Documents
  20. Information Classification (cont'd): Top Secret
      Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public.
      Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
  21. Information Classification (cont'd): Highly Confidential
      Information which is considered critical to the organization's ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive information on customers of banks (etc.), patients' medical records, and similar highly sensitive data.
      Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.
  22. Information Classification (cont'd): Proprietary
      Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
      Such information is normally for proprietary use by authorized personnel only. Security at this level is high.
  23. Information Classification (cont'd): Internal Use Only
      Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility.
      Examples include internal memos, minutes of meetings and internal project reports. Security at this level is controlled but normal.
  24. Information Classification (cont'd): Public Documents
      Information in the public domain: annual reports, press statements, etc. which have been approved for public use.
      Security at this level is minimal.
  25. Designing an information classification matrix
     A. Classification definitions & examples
     B. Types of information (structured & unstructured)
     C. Information protection roles (who does what)
     D. Definition of risk zones & their protection measures
     E. Handling & labeling procedure
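     The matrix in slide 25 is a policy artifact, but once it exists it can be enforced mechanically rather than left to memory. The following Python is an added example and is not code from the original deck or from the Greenleaf Institute: it encodes the five levels of slides 19 to 24 as an ordered lattice and a handling matrix for the activities listed in slide 17 (copying, storage, transmission, destruction), then checks a proposed handling action against it. The control names (encryption, tracked_courier, owner_approval, ...) and every entry in HANDLING_MATRIX are assumptions chosen for illustration, not the deck's own requirements, and the rule that a mixed bundle takes its highest classification is likewise assumed, not stated in the deck. The constructed scenario at the end replays the shape of Case 3 (an unencrypted disc of Highly Confidential records put in the ordinary post) to show the kind of action such a matrix is meant to stop.

```python
"""Added example (not from the original deck): an enforceable version of
an information classification matrix. Levels follow slides 19-24.
The control names and matrix entries below are ASSUMPTIONS for
illustration, not the deck's requirements."""
from enum import IntEnum


class Level(IntEnum):
    """Classification levels, ordered so max() picks the most sensitive."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    PROPRIETARY = 2
    HIGHLY_CONFIDENTIAL = 3
    TOP_SECRET = 4


LABELS = {
    Level.PUBLIC: "PUBLIC",
    Level.INTERNAL_USE_ONLY: "INTERNAL USE ONLY",
    Level.PROPRIETARY: "PROPRIETARY",
    Level.HIGHLY_CONFIDENTIAL: "HIGHLY CONFIDENTIAL",
    Level.TOP_SECRET: "TOP SECRET",
}

# Handling activities from slide 17 (spoken-word transmission omitted).
ACTIVITIES = ("copy", "store", "transmit_email", "transmit_post", "destroy")

# Assumed (hypothetical) handling matrix: level -> activity -> controls that
# must be in place. None marks an activity prohibited at that level.
HANDLING_MATRIX = {
    Level.PUBLIC: {a: set() for a in ACTIVITIES},
    Level.INTERNAL_USE_ONLY: {
        "copy": set(), "store": {"access_control"},
        "transmit_email": {"internal_recipients_only"},
        "transmit_post": set(), "destroy": set(),
    },
    Level.PROPRIETARY: {
        "copy": {"owner_approval"}, "store": {"access_control"},
        "transmit_email": {"internal_recipients_only", "encryption"},
        "transmit_post": {"sealed_envelope"}, "destroy": {"shredding"},
    },
    Level.HIGHLY_CONFIDENTIAL: {
        "copy": {"owner_approval", "copy_log"},
        "store": {"access_control", "encryption"},
        "transmit_email": {"encryption", "named_recipients"},
        "transmit_post": {"encryption", "tracked_courier"},
        "destroy": {"shredding", "destruction_certificate"},
    },
    Level.TOP_SECRET: {
        "copy": None,                       # no copies; re-classify instead
        "store": {"access_control", "encryption", "access_log"},
        "transmit_email": None,             # never by ordinary e-mail
        "transmit_post": {"encryption", "tracked_courier", "hand_receipt"},
        "destroy": {"shredding", "destruction_certificate", "witness"},
    },
}


def classify_bundle(levels):
    """Assumed aggregation rule: a file, disc or e-mail holding records of
    mixed sensitivity takes the highest classification of anything in it."""
    return max(levels, default=Level.PUBLIC)


def check_handling(level, activity, controls_in_place):
    """Check one handling action against the matrix.

    Returns (allowed, missing): allowed is True only when every required
    control is present; missing lists what is absent, or {"prohibited"}
    when the matrix forbids the activity at that level altogether."""
    if activity not in ACTIVITIES:
        raise ValueError(f"unknown activity: {activity}")
    required = HANDLING_MATRIX[Level(level)][activity]
    if required is None:
        return False, {"prohibited"}
    missing = required - set(controls_in_place)
    return not missing, missing


def label_output(text, level):
    """Mark output with its classification label (slide 17); the same label
    belongs on printed and electronic copies alike."""
    tag = LABELS[Level(level)]
    return f"[{tag}]\n{text}\n[{tag}]"


if __name__ == "__main__":
    # Constructed scenario modelled on Case 3: a disc holding policy-holder
    # records (Highly Confidential) sent by ordinary post, unencrypted.
    disc = classify_bundle([Level.INTERNAL_USE_ONLY, Level.HIGHLY_CONFIDENTIAL])
    ok, gap = check_handling(disc, "transmit_post", ["sealed_envelope"])
    print(LABELS[disc], "by post allowed:", ok, "missing:", sorted(gap))
    ok, gap = check_handling(disc, "transmit_post", ["encryption", "tracked_courier"])
    print(LABELS[disc], "by post with required controls allowed:", ok)
    print(label_output("Pension numbers and addresses", disc))
```

     Two design points carry over to a real deployment: the matrix is data, so the owner of the policy (slide 16) can revise it without touching the checking code, which is what rule 2 (flexibility) asks for; and the prohibited entries (None) are distinct from "all controls missing", so a denial can say whether the fix is to add a control or to choose a different channel.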
  26. Checklist
      General information security policy ______
      Information classification matrix ______
      Information handling & labeling procedure ______
      Confidentiality/NDA provision within:
        Employment contract ______
        Outsourcing contract ______
        Joint venture agreement ______
        Service level agreement ______
        Standard operating procedures ______
        E-mail signatures ______
        Presentation materials, e-records, etc. ______
  27. THANK YOU. Copyright: www.greenleafinstitute.com