Contenu connexe


Electronic data & record management

  1. + Managing The Confidentiality Electronic Data and Records Management
  2. + 2 Objectives of this Module With this module, it is expected that the reader will:  Understand the general concept of confidentiality and intangible asset  Appreciate the risks of data leak to individuals and organizations  Acknowledge the need of information classification through contractual elements and self-management  Learn how to conduct the information classification
  3. + 3 Outline  Confidentiality: what matters for your organization  Intangible assets & liability  Organizational reputation  Overwhelming data  Confidentiality infringement & risks  Cases study  Risk management  Information classification  Objectives & guidelines  Who to play role?  Information handling: creation, update, transmission, publication, deletion  Classification scheme & data handling matrix
  4. + 4 What Constitutes Confidential Information?  Economic value of its existence? Intangible asset Competitive advantage Strategic value  Associated risk when leaking it? Business disruption Diminishing competitiveness Degrading reputation  Something you don’t want to see on the headlines of media?
  5. + 5 Overwhelming Information & Data Records Patent Credit Main concern: to ensure that Product History Pricing Trademarks electronic documentation & Customer records shall only be accessible Copyright Data Marketing Plans to those who are authorized, Human Capital and be restricted from the rest. Health Insurance Record Trade Secrets Nevertheless, there is Business Plans necessity to balance it against Operating Plans Costs the enterprise need to use and Salary Data Management share the information… Changes Vendor Information Profits Shareholders Data Confidentiliaty & EDRM
  6. + 6 What causes infringement to confidentiality?  Accident & negligence  Natural causes  Malicious attack: internal & external factors  Awareness problems
  7. + 7 Case 1 – US: When disposal is not disposal  Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally practiced. An uncontrolled disposal, however, can prove fatal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc from garbage bins are rife.  A network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discretely offered for sale to selected competitors!  The hardware fault was not always terminal for the data stored.
  8. + 8 Case 2 – India: Outsourcing breach  British undercover reporter revealed that they managed to obtain a bulk of confidential details of thousand British bank accounts that includes information of addresses, passwords, phone numbers, passport and driving licences details.  This confidential data was purchased for £3 per customer. Financial institutions such as Barclays, Lloyds TSB, the Nationwide and HSBC were affected.  The Sun’s Delhi-based contact boasted that he could sell details of up to 200,000 accounts each month, said the newspaper.
  9. + 9 Case 3 – US: Banking critical data loss  Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.  The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft.  The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.
  10. + 10 Risk Management  Contractual risk management  Contracting: employment, outsourcing, S&P, SLA, JV…  Non-disclosure agreement (NDA)  EDRM confidentiality policy  Greater information security policy  Information classification matrix & guidelines  Information labeling and handling measures
  11. + 11 Contractual Risk Management  Ensuring confidentiality shall be clearly provided in various contractual establishments by imposing and enforcing non- disclosure agreement (NDA):  Employment contract  employees liability  SLA  reminding vendors & outsourcing service providers of their confidentiality liability
  12. + 12 Information Classification  Objective: To ensure that information assets receive an appropriate level of protection according to level of sensitivity and criticality  Information should be classified to indicate the needs, priorities and degree of protection  Information classification system should be used to define an appropriate set of protection levels and needs for special handling measures  The classification is a shorthand way of determining how information is to be handled and protected
  13. + 13 Why Classify Information 10% 80% 10% Public Internal Use Information Confidential Information Information 100% of all enterprise information
  15. + 15 Who to Play Role? Creator/Developer Owner User
  16. + 16 Who to Play Role?  Responsibility of the originator or nominated owner of information:  Defining the classification of an item of information  Periodically reviewing that classification  Info labeling and handling measures
  17. + 17 Information Labeling & Handling  Output from system containing sensitive or critical information should carry an appropriate classification label. This applies for info output both in physical and electronic forms.  For each classification, handling procedures should be defined to cover the following types of information processing activity:  Copying  Storage  Transmission by post, fax, email, etc  Transmission by spoken word, including mobile phone, voicemail, answering machine  Destruction
  18. + 18 FOUR Classification Rules 1. MYOB – MIND YOUR ORGANIZATION’S BUSINESS. Take into account of business needs for sharing or restricting information and the business impact associated with such needs. Outputs of classified data should be labeled in terms of its value and sensitivity to the organization 2. FLEXIBILITY. Accept the fact that the classification is not fixed for all time, thus it may change according to a predetermined policy 3. SIMPLICITY. Consider appropriate and practical numbers of classification categories. Overly complex scheme may become cumbersome, uneconomic and impractical. Avoid over-classification. 4. FAMILIARITY. Make the policy and guidelines known to everybody involved in the whole information lifecycle – and that includes outsiders.
  19. 19 Information Classification Top Secret It is advisable to restrict the number of information classification levels in your Highly organization to a manageable number as Confidential having too many makes maintenance and compliance difficult. Proprietary The following five levels of classification cover most eventualities: Internal Use Only Public Documents
  20. + 20 Information Classification (cont’d) Top Secret:  Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public.  Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
  21. + 21 Information Classification (cont’d) Highly Confidential:  Information which is considered critical to the organization’s ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive information of customers of banks (etc), patients' medical records, and similar highly sensitive data.  Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.
  22. + 22 Information Classification (cont’d) Proprietary:  Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.  Such information is normally for proprietary use by authorized personnel only. Security at this level is high.
  23. + 23 Information Classification (cont’d) Internal Use Only:  Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility.  Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.
  24. + 24 Information Classification (cont’d) Public Documents:  Information in the public domain: annual reports, press statements etc. which have been approved for public use.  Security at this level is minimal.
  25. + 25 Designing info classification matrix A. Classification definitions & examples B. Types of information (structured & unstructured) C. Information protection roles (who to do what) D. Definition of risk zones & their protection measures E. Handling & labeling procedure
  26. + 26 Checklist  General information security policy ______  Information classification matrix ______  Info handling & labeling procedure ______  Confidentiality/NDA provision within  Employment contract ________  Outsourcing contract ________  Joint ventures agreement ________  Service level agreement ________  Standard operating procedures ________  E-mail signatures ________  Presentations materials, e-records, etc ________
  27. + THANK YOU. Copyright: