Information classification
1. INFORMATION CLASSIFICATION
• SMELLS LIKE A BUSINESS GLOSSARY,
• TASTES LIKE A BUSINESS GLOSSARY,
• FOR DATA SECURITY AND ASSET MANAGEMENT – THIS IS WHERE YOU START
2. ABOUT ME
• Contact and Summary Details
• LinkedIn: https://www.linkedin.com/in/howarddiesel-infogovernance?trk=hp-identity-name
• Twitter: @howarddiesel
• Skype: howarddiesel
• Mail: howard@modelwaresystems.com
3. CLASSIFICATION: PROBLEM RECOGNITION
• TRUISM: All organizations are required to protect information
• PROTECT
• LOSS
• EXPOSURE
• EFFECT
• LOSS: hampers business operations
• EXPOSURE: affects reputation and competitive advantage
• LOSS
• Complete / Destroyed
• Inability to Find
• CONSEQUENCE: Hoard & Secure Everything (Expensive & Not practical)
5. CLASSIFICATION: PURPOSE
• Availability, integrity and confidentiality are provided for all identified assets
• Return on investment by implementing controls where they are needed the most
• Map data protection levels with organizational needs
• Mitigate threats of unauthorized access and disclosure
• Comply with legal and regulatory requirements
CLASSIFICATION: GOALS
6. CLASSIFICATION: 4 HUSBANDS AND A WIFE
• WHAT
• Process of organizing data into categories for its most effective and efficient use.
• WHY
• Achieve our Classification Goals
• WHERE
• All data storage locations
• WHEN
• Entire Data Lifecycle until DISPOSED
• HOW
• Written procedures and guidelines for data classification should define what categories and criteria the organization will use to classify data and specify the roles and responsibilities of employees & systems within the organization regarding data stewardship.
7. SYSTEM OF PROCESSES FOR CLASSIFICATION
Understand Information
• Information Types
• Identify Risks to Information
• Applicable Regulations
Create Classification System
• Classification Scheme
• Standards and Procedures
• Access to data
• Classifying Information
• Creating and Handling Classified Information
• Storing Classified Information
• Transmitting Classified Information
• Receiving Classified Information from External Parties
Implement
• Classification Policy
• Requirement for information classification
• Mandate the use of the classification system
• Highlight RACI for maintaining the classification system
• Security grading documents
• Provide a more detailed level of guidance for a specific area of data
• Classification of existing data
Educate
• Formal training
• Awareness campaigns
• Staff Induction
Maintain
• Not a discrete project
• Cycle of Continuous Improvement
8. CLASSIFICATION: MODEL STRUCTURE
• Content: Type of information, irrespective of format and medium. What the information applies to. Typically derived from the related Business Subject Area
• Reg Authority: Reference to the regulatory document which specifies storage
and/or disposal requirements.
• Security Requirement
• C: contains sensitive info – handled CONFIDENTIALLY
• I: INTEGRITY, specifically protected against unintentional or unauthorised changes
• A: Handled especially with regard to high ACCESSIBILITY
9. CLASSIFICATION: MODEL STRUCTURE – CONT’D
• Preservation Period
• LEG – legal value
• ENT – Enterprise critical value
• HIST: Historical value
• Archive Index (File Plan)
10. REFERENCE MATERIAL
• Guidelines for Classification of Information Best Practice Document; produced by the UNINETT-led working group on Information Security (http://services.geant.net/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4-ufs136.pdf)
• Tips for creating a data classification policy (http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification-policy)
• Implementing information classification enterprise (https://www.giac.org/paper/gsec/4198/implementing-information-classification-enterprise/106714)
• Drafting data classification policies and guidelines (http://searchfinancialsecurity.techtarget.com/news/1289406/Drafting-data-classification-policies-and-guidelines)
• Information classification according to ISO 27001 (http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/)
Editor's notes
We have to protect against the loss and inappropriate exposure to external parties of organizational information assets.
There are myriad reasons for protecting information. Examples include:
• Intellectual Property. The compromise of this type of information could result in the loss of a competitive advantage and market share. In a recent example, InstallShield accused a rival software manufacturer of using proprietary information to design software to help customers migrate to their competing product.
• Privacy. Privacy is becoming a significant issue for all companies and increasing legislation in the area requires companies to be aware of their responsibilities for protecting this type of data.
• Legal issues. Non-disclosure contracts, archive acts and requirements of taxation law are all examples of external influences on your data classification requirements. It is important that you are aware of all relevant requirements in this area prior to formulating a classification scheme.
• Sensitivity. While the release of some information may not damage the company or breach privacy legislation, it may still be desirable to protect sensitive data such as the company's payroll details.
Owner
The organizational unit or process which holds ownership of the information
Content
Type of information, irrespective of format and medium. What the information applies to. Typically derived from the related Business Subject Area
Regulatory Authority
Reference to the regulatory document which specifies storage and/or disposal requirements.
Storage Location
The name of the system and/or physical archive in which the information object is located in the storage period
Unrestricted data
Open or Public data (may still include handling requirements)
Security Classification
The degree of protection required for the information object. An object may contain more than one level of classification (Email)
Classification Level Definition:
Open
Internal
Sensitive
Highly Sensitive
Security requirement
Special security considerations based on confidentiality, integrity and/or accessibility of information objects:
C – object contains sensitive information and should be handled confidentially
I – Integrity of information object shall be specifically protected against unintentional or conscious unauthorised changes
A – object shall be handled especially with regard to high accessibility
Maximum down-time
Maximum acceptable time for which an electronically stored information object can be inaccessible. Recommended periods are:
1 Hour
1 Day
1 Week
1 Month
Preservation Period
Preservation period is a criterion which specifies the relative importance the information has for the organization:
LEG – legal value
ENT – Enterprise Critical value
HIST – Historical value
Personal Data
If the information object contains or may contain personal data:
Personal Data (P) – data that can be associated with an individual
Sensitive Personal Data (S) – data relating to racial, ethnic, political, religious
Archive Index (File Plan)
An archive index is a system for organizing documents based on one or more classification principles. Normally a sorting principle based on subject areas is used. The subject groups, and thereby the folders in the physical archive, are organized according to the decimal system.
Examples:
Class 1 is Finance
Main Group 13 is Accounting and Auditing
Group 133 is Completed Accounts
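The model fields above, encoded as a record with consistency checks. This is an added example, not code from the slides or from the UNINETT guideline they draw on; the cross-field rules (personal data cannot be Open, sensitive personal data needs at least Sensitive plus the C flag, the A flag caps down-time at 1 Day) are this example's own assumptions, not rules the slides state.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Set

class Level(IntEnum):
    """Classification levels from the model, ordered by sensitivity."""
    OPEN = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3

# Recommended maximum down-time periods from the model, in hours
DOWNTIME_HOURS = {"1 Hour": 1, "1 Day": 24, "1 Week": 168, "1 Month": 720}

@dataclass
class InfoObject:
    owner: str                    # organizational unit or process owning the object
    content: str                  # type of information (business subject area)
    reg_authority: str            # regulatory document driving storage/disposal
    storage_location: str         # system or physical archive holding the object
    level: Level                  # security classification
    requirements: Set[str]        # subset of {"C", "I", "A"}
    max_downtime: str             # one of DOWNTIME_HOURS
    preservation: Set[str]        # subset of {"LEG", "ENT", "HIST"}
    personal_data: Optional[str]  # None, "P" or "S"
    archive_index: str            # decimal file-plan code, e.g. "133"

def validate(obj: InfoObject) -> List[str]:
    """Return the list of consistency problems; an empty list means the record is consistent."""
    problems = []
    if not obj.requirements <= {"C", "I", "A"}:
        problems.append("unknown security requirement flag")
    if not obj.preservation <= {"LEG", "ENT", "HIST"}:
        problems.append("unknown preservation code")
    if obj.max_downtime not in DOWNTIME_HOURS:
        problems.append("max down-time not one of the recommended periods")
    if obj.personal_data not in (None, "P", "S"):
        problems.append("personal data must be P, S or absent")
    # Assumed rules (not stated on the slides): personal data is never Open; sensitive
    # personal data is at least Sensitive and confidential; A means at most 1 Day down.
    if obj.personal_data and obj.level == Level.OPEN:
        problems.append("personal data cannot be classified Open")
    if obj.personal_data == "S" and (obj.level < Level.SENSITIVE or "C" not in obj.requirements):
        problems.append("sensitive personal data requires at least Sensitive and the C flag")
    if "A" in obj.requirements and DOWNTIME_HOURS.get(obj.max_downtime, 0) > 24:
        problems.append("A flag set but allowed down-time exceeds 1 Day")
    if not (obj.archive_index.isdigit() and 1 <= len(obj.archive_index) <= 3):
        problems.append("archive index must be a 1-3 digit decimal file-plan code")
    return problems

def file_plan_path(code: str) -> List[str]:
    """Expand a decimal file-plan code into class / main group / group: "133" -> ["1", "13", "133"]."""
    return [code[:i] for i in range(1, len(code) + 1)]

# Constructed sample record (not from the slides): payroll filed under group 133
PAYROLL = InfoObject(owner="HR", content="Payroll", reg_authority="Tax law",
                     storage_location="HRIS", level=Level.HIGHLY_SENSITIVE,
                     requirements={"C", "I"}, max_downtime="1 Week",
                     preservation={"LEG"}, personal_data="S", archive_index="133")
```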