Industry View
It's the Information, Stupid
Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.
By Jason Stradley, BT Senior Security Consultant
Before an appropriate set of controls can be defined and deployed, we need to understand the value of what needs to be protected and, to the extent that we are able, where it is located. This is similar in nature to how we go about protecting the infrastructure. The information needs to be characterized in terms of its value to the organization and the impact of its disclosure to the public. This disclosure component is of critical importance to achieving compliance with many of the data protection and privacy regulations that currently exist, as well as those yet to come.
This characterization is typically expressed as a data classification policy. A typical data classification policy defines four levels of data within the enterprise: Public, Internal, Confidential, and Restricted. The headings may differ from one organization to another, but for our purposes these headings will suffice:
- Public data is typically defined as data that anyone can access and that may be disclosed to the general public without impact to the organization. Examples of this type of data include product marketing materials, sales collateral and, for publicly held companies, the annual report.
- Internal data is typically defined as internal business correspondence, records and data created during the normal course of business that are not identified as Confidential or Restricted. Examples of data classified as Internal include business emails and correspondence with clients.
- Confidential data typically includes any and all business, financial and technical information, including customer, product, pricing and product development plans, network and system diagrams, or other non-Restricted data created in the normal course of business that, if made public, would harm the organization.
- Restricted data includes all information subject to restriction in access, storage or processing by law or regulation, or by customer contract, and any other information owned by or under the stewardship of an organization that could cause significant harm if inappropriately disclosed, accessed or modified.
Another important aspect relevant to data leakage is defining a data lifecycle that determines when and how to appropriately retire and dispose of data the business no longer needs. This should be addressed in an organization's data retention policy. In many cases such a policy does not exist. The data leakage issue may be the key to convincing an organization to develop a comprehensive and enforceable data retention policy.
How data leaks occur
Now that we have identified the "what," we can move on to the "how." This "how" will be divided into two parts. The first "how" will focus on how information and data leak from an organization. The second "how" will be concerned with how an organization can guard against this leakage and reduce the risks associated with it.