Slide 1: Creating an Asset Classification Methodology
ISIG & ISSA, September 2003
1 September 2003 © Peltier and Associates, all rights reserved

Slide 2: Abstract
- Information is an asset and the property of the organization.
- All employees must protect information from unauthorized access, modification, disclosure and/or destruction.
Before employees can be expected to protect information, they must first understand what they have. An information classification policy and methodology will provide them with the help they need.

Slide 3: Abstract (continued)
- Information classification fundamentals:
  - information classification from a legal standpoint,
  - responsibility for care and control of information,
  - integrity of the information, and
  - the availability of the information and systems processing the information.
- To assist in the development of an information asset inventory, we will review information classification concepts and work exercises to reinforce those concepts.

Slide 4: Objectives
At the conclusion of this workshop, participants should be able to:
- understand information classification concepts
- identify the essential elements of an information classification process
- understand the Company Information Classification Policy
- understand how to identify information assets
- understand how to determine ownership of information assets
- understand how to classify information assets
- develop an information asset inventory

Slide 5: Agenda
- Information Classification Concepts
- Information Classification Elements
- Information Classification Methodology
- Company Information Classification Policy
- Exercise: Determine the Owner
- What is Confidential Information?
- Company Information Classification Policy
- Exercise: Classify Information Assets
- Employee Responsibilities Review

Slide 6: Format
- Workshop: your participation is important!
- Open to questions at ANY TIME, and anyone can answer
- No canned solutions

Slide 7: Information Classification Concepts
- Confidentiality
  - Information should be accessed only by those who are supposed to access it
  - Information should be protected from unauthorized disclosure
- Integrity
  - Information should be what it is supposed to be
  - Information should be protected from unauthorized alteration
- Availability
  - Information should be available when it is needed
  - Information should be protected from unauthorized destruction

Slide 8: Information Classification Concepts: Why Classify Information?
Organizations classify information in order to establish the appropriate levels of protection for those resources. Because resources are limited, it is necessary to identify and prioritize what really needs protection. One of the reasons to classify information is to ensure that scarce resources are allocated where they will do the most good. All information may be created equally, but not all information is of equal value.

Slide 9: Information Classification Concepts: Why Classify Information?
[Pie chart of a typical enterprise's information by classification level]
- 10% Confidential Information
- 80% Internal Use Information
- 10% Public Information

Slide 10: Information Classification Concepts: Why Classify Information?
For years the computer security profession adhered to a standard that everything is closed until it is opened. In recent years companies establishing information classification systems have found that nearly 90% of all enterprise information needs to be accessed by employees or is available through public forums. Because resources are limited, the concept that all information is open unless it requires closing is perhaps a better approach to protect information.

Slide 11: Information Classification Concepts: Why Classify Information?
- Information is not all of the same value.
- An information classification system can be a significant advantage for most organizations.
- The information classification system should rely on:
  - common sense,
  - knowledge of the corporate culture, and
  - knowledge of market sensitivity.
- The information classification system leverages employee knowledge and expertise.

Slide 12: Elements of an Information Classification Process
- Begin with a Policy
- Provide a Methodology to Support the Policy
- Identify Information Assets
- Determine Information Asset Owner
- Determine Classification Level for Each Asset
- Implement Appropriate Controls for Classification Levels
- Facilitate Employee Awareness

Slide 13: Information Classification Methodology
An effective information classification process should provide management and employees with a method with which to:
- identify information assets, and
- provide an indication of how the information should be classified.

Slide 14: Information Classification Methodology
- Identify Information Assets
  - Brainstorming Techniques
  - Keep a log to record assets required to complete daily tasks
  - Use an "Information Asset Worksheet" to collect information about the assets that are identified
Brainstorming, logs and worksheets are a few techniques and tools that can be used to identify information assets. Let's look at a few examples...

Slide 15: Information Classification Methodology
- Brainstorming Techniques
  - Brainstorm with others to identify assets that fall into broad categories, such as:
    - Employee Records
    - Business Process Records
    - Operations Information
    - Group Administrative Records
    - Distribution Records

Slide 16: Information Classification Methodology
- Brainstorming Techniques (continued)
  - Employee Records
    - Employee performance review records
    - Timecards
    - Employee discipline documents
    - Pay records
    - Medical records

Slide 17: Information Classification Methodology
- Brainstorming Techniques (continued)
  - Business Process Records
    - Purchasing contracts
    - Quarterly financial reports
    - Project management tasks, schedules
    - Reference manuals
    - Contract negotiations

Slide 18: Information Classification Methodology
- Brainstorming Techniques (continued)
  - Operations Information
    - Business partner information
    - Asset allocation
    - Trading activities
    - Production formulas
    - Production cost information
    - Customer lists

Slide 19: Information Classification Methodology
- Brainstorming Techniques (continued)
  - Group Administrative Records
    - Monthly status reports
    - Yearly status reports
    - Yearly business objectives
  - Distribution Records
    - Distribution models
    - Inventory records
    - Parts supplies

Slide 20: Information Classification Methodology
- Daily Activity Log
A daily activity log can be used to track information assets required to complete tasks over a period of time.

Slide 21: Information Classification Methodology
- Information Asset Worksheet
An Information Asset Worksheet can be completed by one or more individuals in a department.

Slide 22: Company Information Classification Policy: Policy Statement
Information is a company asset and is the property of Company. Information must be protected according to its sensitivity, criticality and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.

Slide 23: Company Information Classification Policy: Responsibilities
Employees are responsible for protecting information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of Company information, employee responsibilities have been established at three levels: Owner, Custodian and User.

Slide 24: Company Information Classification Policy: Responsibilities (continued)
Owner: Company management of a business unit or department where information is created, or the primary user of the information. Owners have the responsibility to:
- identify the classification level of all Company information in their organization,
- define and implement safeguards to ensure the confidentiality, integrity, and availability of the information,
- monitor the safeguards to ensure compliance and report situations of non-compliance,
- authorize access to those who have a business need for the information, and
- remove access from those who no longer have a business need for the information.

Slide 25: Company Information Classification Policy: Responsibilities (continued)
Custodian: Employees designated by the Owner to be responsible for maintaining the safeguards established by the Owner.
- Custodians are required to maintain the safeguards established by the Owner.
User: Employees authorized by the Owner to access information and use the safeguards established by the Owner.
- Users are required to use the safeguards established by the Owner.

Slide 26: Exercise: Determine the Owner

Slide 27: Company Information Classification Policy: Definitions
To ensure the proper protection of corporate information, the Owner shall use a formal review process to classify information into one of the following classifications:
- Confidential: Information which, if disclosed, could violate the privacy of individuals, reduce the company's competitive advantage, or cause significant damage to Company.
- Internal Use: Information which is intended for use by employees when conducting company business.
- Public: Information which has been made available for public distribution through authorized company channels.

Slide 28: What is Confidential Information?
There are a number of ways to look at information that may be classified as confidential. We will examine two: one a general statement, and one geared toward competitive advantage information. For a general definition it may be sufficient to define such information as: "Information which, if disclosed, could violate the privacy of individuals, reduce the company's competitive advantage, or cause significant damage to the organization."

Slide 29: What is Confidential Information?
For confidential information, if the organization takes adequate steps (operates in good faith) to keep confidential information secret both internally and externally, then if there is a breach, the organization can seek relief through the courts. For trade secret and competitive advantage information, there may be criminal penalties for individuals as well as organizations, in addition to civil penalties.

Slide 30: What is Confidential Information?
Information classification protects the intellectual assets.
[Word cloud of examples of intellectual assets, including: Patents, Copyrights, Trademarks, Trade secrets, Business Plans, Operating plans, Marketing plans, Product Pricing, Production cost changes, Vendor information, Customer information, Shareholder information, Consolidated revenue and Profit figures, Billing records, Insurance records, Credit History, Salary data, Performance ratings, Medical and Health Records, Management Information]

Slide 31: What is Confidential Information?
When classifying competitive advantage information, it will be necessary to consider that classified information is information used by the organization in its business which is the result of some effort and some expense or investment, which provides the organization with a competitive advantage in the relevant industry, and which the organization wishes to protect from disclosure to third parties. Timing may affect how an information asset is classified. Information may be classified as "Confidential" while it is being developed, then classified as "Internal Use" or "Public" once it is complete.

Slide 32: Company Information Classification Policy: Responsibilities
To ensure the proper protection of corporate information, the Owner shall use a formal review process to classify information into one of the following classifications:
- Confidential: Information which, if disclosed, could violate the privacy of individuals, reduce the company's competitive advantage, or cause significant damage to Company.
- Internal Use: Information which is intended for use by employees when conducting company business.
- Public: Information which has been made available for public distribution through authorized company channels.

Slide 33: Company Information Classification Policy: Responsibilities
Declassification: The Owner is to establish a review process for all information classified as Confidential, and reclassify it when it no longer meets the criteria for Confidential.

Slide 34: Destruction
Part of an effective information classification program is to destroy documents when they are no longer required. Placing restrictions on copying classified documents will ensure that the documents and data sets are controlled and logged as to the number of copies created and to whom those copies were assigned. To assist in this process, it may be convenient to create an information handling matrix. Destruction requirements are addressed as part of Company's record retention program.

Slide 35: Employee Responsibilities Review
There are three categories of employee responsibilities: Owner, Custodian and User. Depending on the specific information being accessed, an individual may fall into more than one category. For example, an employee with a desktop workstation becomes the Owner, Custodian and User. To reinforce these concepts, the responsibilities for an information asset Owner are reviewed in general terms.

Slide 36: Employee Responsibilities Review
Owners: the information Owner is responsible to:
- Judge the value of the information resource and assign the proper classification level.
- Assess and define appropriate controls to assure that information created is properly safeguarded from unauthorized access, modification, disclosure and/or destruction.
- Periodically review the classification level to determine if the status should be changed.

Slide 37: Employee Responsibilities Review
Owners: the information Owner is responsible to:
- Communicate access and safeguard requirements to the information Custodian and Users.
- Provide access to those individuals with a demonstrated business need for access.
- Monitor safeguard requirements to ensure that information is being adequately protected.
- Assure a business continuity plan has been implemented and tested to protect information availability.

Slide 38: Summary
Information classification drives the protection control requirements, and this allows information to be protected to a level commensurate with its value to the organization. The cost of over-protection is eliminated and exceptions are minimized. With a policy and methodology, specifications are clear and accountability is established. There are costs associated with implementing a classification system. The most identifiable costs include the labeling of classified information, implementing and monitoring controls and safeguards, and proper handling of confidential information.

Slide 39: Summary
Information, wherever it is handled or stored, needs to be protected from unauthorized access, disclosure, modification and destruction. Not all information is created equal. Consequently, segmentation or classification of information into categories is necessary to help provide a framework for evaluating the information's relative value. By establishing this relative value, it will be possible to establish cost-effective controls that will preserve the information asset for the organization.

Slide 40: Comments? Questions?

Slide 41: Creating an Asset Classification Methodology
ISIG & ISSA, September 2003
