
We will now discuss Information Classification, which gives organizations a way to address their most significant risks by affording them the appropriate level of security.

Information Protection Requirements

Classifying corporate information based on business risk, data value, or other criteria (as discussed later in this chapter) makes good business sense. Not all information has the same value or use, or is subject to the same risks. Therefore, protection mechanisms, recovery processes, etc., are — or should be — different, with differing costs associated with them. Data classification is intended to lower the cost of overprotecting all data, and improve the overall quality of corporate decision making by helping to ensure a higher level of trust in critical data upon which the decision makers depend.

The benefits of an enterprisewide data classification program are realized at the corporate level, not the individual application or even departmental level. Some of the benefits to the organization are:

• Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise.

• The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for noncritical information.

• The quality of decisions is improved because the data upon which the decisions are made can be trusted.

• The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine appropriate data classifications.

Information Protection Environment

This section discusses the processes and techniques required to establish and maintain a corporate data classification program. There are costs associated with this process; however, most of these costs are front-end start-up costs. Once the program has been successfully implemented, the cost savings derived from the new security schemes, as well as the improved decision making, should more than offset the initial costs over the long haul, and certainly the benefits of the ongoing program outweigh the small administrative costs associated with maintaining the data classification program.

Although many methodologies exist for developing and implementing a data classification program, the one described here is very effective. The following topics will be addressed:

• Getting started: questions to ask

• Policy

• Business impact analysis

• Establishing classifications

• Defining roles and responsibilities

• Identifying owners

• Classifying information and applications

• Ongoing monitoring

Getting Started: Questions to Ask

Before the actual implementation of the data classification program can begin, the Information Security Officer — who, for the purposes of this discussion, is the assumed project manager — must get the answers to some very important questions.

Is there an executive sponsor for this project? Although not absolutely essential, obtaining an executive sponsor and champion for the project could be a critical success factor. Executive backing by someone well respected in the organization who can articulate the Information Security Officer’s position to other executives and department heads will help remove barriers, and obtain much needed funding and buy-in from others across the corporation. Without an executive sponsor, the Information Security Officer will have a difficult time gaining access to executives or other influential people who can help sell the concept of data ownership and classification.

What are you trying to protect, and from what? The Information Security Officer should develop a threat and risk analysis matrix to determine the threats to corporate information, the relative risks associated with those threats, and what data or information is subject to those threats. This matrix provides input to the business impact analysis and forms the beginning of the plans for determining the actual classifications of data, as will be discussed later in this chapter.

Are there any regulatory requirements to consider? Regulatory requirements will have an impact on any data classification scheme, if not on the classifications themselves, at least on the controls used to protect or provide access to regulated information. The Information Security Officer should be familiar with these laws and regulations, and use them as input to the business case justification for data classification.

Has the business accepted ownership responsibilities for the data? The business, not IT (information technology), owns the data. Decisions regarding who has what access, what classification the data should be assigned, etc., are decisions that rest solely with the business data owner and are based on organization policy. IT provides the technology and processes to implement the decisions of the data owners, but should not be involved in the decision-making process. The executive sponsor can be a tremendous help in selling this concept to the organization. Too many organizations still rely on IT for these types of decisions. The business manager must realize that the data is his data, not IT’s; IT is merely the custodian of the data. Decisions regarding access, classification, ownership, etc., reside in the business units. This concept must be sold first if data classification is to be successful.

Are adequate resources available to do the initial project? Establishing the data classification processes and procedures, performing the business impact analysis, conducting training, etc., require an up-front commitment of a team of people from across the organization if the project is to be successful. The Information Security Officer cannot and should not do it alone. Again, the executive sponsor can be of tremendous value in obtaining resources, such as people and funding for this project, that the Information Security Officer could not obtain alone. Establishing the processes, procedures, and tools to implement good, well-defined data classification processes takes time and dedicated people. First you have to create and implement the policy.

Security Technology and Tools

Policy

An essential tool in establishing a data classification scheme is to have a corporate policy implemented stating that the data is an asset of the corporation and must be protected. Within that same document, the policy should state that information will be classified based on data value, sensitivity, risk of loss or compromise, and legal and retention requirements. This provides the Information Security Officer with the necessary authority to start the project, seek executive sponsorship, and obtain funding and other support for the effort. If there is an Information Security Policy, these statements should be added if they are not already there. If no Information Security Policy exists, then the Information Security Officer should put the data classification project on hold and develop an Information Security Policy for the organization. Without this policy, the Information Security Officer has no real authority or reason to pursue data classification. Information must first be recognized and treated as an asset of the company before efforts can be expended protecting it.

Assuming there is an Information Security Policy that mentions or states that data will be classified according to certain criteria, another policy — Data Management Policy — should be developed that establishes data classification as a process to protect information and defines:

• The definitions for each of the classifications

• The security criteria for each classification for both data and software

• The roles and responsibilities of each group of individuals charged with implementing the policy or using the data

Exhibit 1. Sample Information Security Policy

All information, regardless of the form or format, that is created or used in support of company business activity is corporate information. Corporate sensitive and critical information is a company asset and must be protected from its creation, through its useful life and authorized disposal. It should be maintained in a secure, accurate, and reliable manner and be readily available for authorized use. Information will be classified based on its sensitivity, criticality, legal and retention requirements, and type of access required by employees and other authorized personnel.

Information security is the protection of data against accidental or malicious disclosure, modification, or destruction. Information will be protected based on its value or sensitivity or criticality to the company, and the risk of loss or compromise. At a minimum, information will be update-protected so that only authorized individuals can modify or erase the information.

Exhibit 1 shows a sample Information Security Policy. Note that the policy is written at a very high level and is intended to describe the “whats” of information security. Procedures, baselines, standards, and guidelines are the “hows” for implementation of the policy. The policy in Exhibit 1 is the minimum requirement to proceed with developing and implementing a data classification program. Additional policies may be required, such as an Information Management Policy, which supports the Information Security Policy. The Information Security Officer should consider developing this policy, and integrating it with the Information Security Policy. This policy would:

• Define information as an asset of the business unit

• Declare local business managers as the owners of information

• Establish IT as the custodians of corporate information

• Clearly define roles and responsibilities of those involved in the ownership and classification of information

• Define the classifications and criteria that must be met for each

• Determine the minimum range of controls to be established for each classification

By defining these elements in a separate Information Management Policy, the groundwork is established for defining a corporate information architecture, the purpose of which is to build a framework for integrating all the strategic information in the company. This architecture can be used later in the support of larger, more strategic corporate applications. The supporting policies, procedures, and standards required to implement the Information Security and Information Management policies must be defined at an operational level and be as seamless as possible. These are the “mechanical” portions of the policies and represent the day-to-day activities that must take place to implement the policies. These include but are not limited to:

• The procedure for conducting a Business Impact Analysis (BIA) for critical system outages or a Risk Analysis (RA) for sensitive system compromise

• Procedures to classify the information, both initially after the RA/BIA has been completed, and to change the classification later, based on business need

• The process to communicate the classification to IT in a timely manner so the controls can be applied to the data and software for that classification

• The procedure to periodically review:

– Current classifications to determine if they are still valid

– Current access rights of individuals and groups who have access to a particular resource

– Controls in effect for classifications to determine their effectiveness

– Training requirements for new data owners

• The procedure to notify custodians of any change in the classification of data/software or access privileges of individuals or groups

The appropriate policies are required as a first step in the development of a Data Classification program. The policies provide the Information Security Officer with the necessary authority and mandate to develop and implement the program. Without them, the Information Security Officer will have an extremely difficult time obtaining the funding and necessary support to move forward. In addition to the policies, the Information Security Officer should solicit the assistance and support of both the Legal Department and Internal Audit. If a particular end-user department has some particularly sensitive data, its support would also provide some credibility to the effort.

Risk Analysis

The next step in this process is to conduct a high-level risk analysis on the major business functions within the company. Eventually, this process should be carried out on all business functions, but initially it must be done on the business functions deemed most important to the organization.

A critical success factor in this effort is to obtain corporate sponsorship. An executive who supports the project, and may be willing to be the first whose area is analyzed, could help persuade others to participate, especially if the initial effort is highly successful and there is perceived value in the process.

A Study Team comprised of individuals from Information Security, Information Systems (application development and support), Business Continuity Planning, and business unit representatives should be formed to conduct the initial impact analysis. Others that may want to participate could include Internal Audit and Legal. The Risk Analysis process is used by the team to:

• Identify major functional areas of information (e.g., human resources, financial, engineering, research and development, marketing).

• Analyze the classification requirements associated with each major functional area. This is simply identifying the risk to data/processes associated with loss of confidentiality, integrity, or availability.

• Determine the risk associated with the classification requirement (e.g., the classification requirement could be to avoid disclosure of sensitive information, but the risk could be low because of the small number of people who have access and the controls that are imposed on the data).

• Determine the effect of loss of the information asset on the business (this could be financial, regulatory impacts, safety, etc.) for specific periods of unavailability: one hour, one day, two days, one week, a month.

• Build a table detailing the impact of loss of the information.

• Prepare a list of applications that directly support the business function (e.g., human resources could have personnel, medical, payroll files, skills inventory, employee stock purchase programs, etc.).

From the information gathered, the team can determine classification requirements that cut across all business functional boundaries. This exercise can help place the applications in specific categories or classifications with a common set of controls to mitigate the common risks. The sensitivity of the information, ease of recovery, and criticality must be considered when determining the classification of the information.

Establish Classifications

Once all the risk and classification criteria have been gathered and analyzed, the team must determine how many classifications are necessary and create the classification definitions, determine the controls necessary for each classification for the information and software, and begin to develop the roles and responsibilities for those who will be involved in the process. Relevant factors, including regulatory requirements, must be considered when establishing the classifications.

Too many classifications will be impractical to implement and most certainly will be confusing to the data owners and meet with resistance. The team must resist the urge for special cases to have their own data classifications. The danger is that too much granularity will cause the process to collapse under its own weight. It will be difficult to administer and costly to maintain. On the other hand, too few classes could be perceived as not worth the administrative trouble to develop, implement, and maintain. A perception might be created that there is no value in the process, and indeed the critics may be right.

Each classification must have easily identifiable characteristics. There should be little or no overlap between the classes. The classifications should address how information and software are handled from their creation, through authorized disposal. Following is a sample of classification definitions that have been used in many organizations:

Public: information that, if disclosed outside the company, would not harm the organization, its employees, customers, or business partners.

Internal Use Only: information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.

Company Confidential: sensitive information that requires “need-to-know” before access is given.

It is important to note that controls must be designed and implemented for both the information and the software. It is not sufficient to classify and control the information alone. The software, and possibly the hardware on which the information or software reside, must also have proportionate controls for each classification the software processes.

Assurance, Trust, and Confidence Mechanisms

The following lists a set of minimum controls for both classified information and software that should be considered.

Classified Information: Minimum Controls

Encryption. Data is encrypted with an encryption algorithm so that the data is “unreadable” to those who are unauthorized to view it. With a symmetric algorithm, the data must be decrypted with the same key used to encrypt it, so the encryption key must be kept secure and known only to those who are authorized to have access to the data; in practice the key, rather than the ciphertext, becomes the thing the access controls protect. Public/private (asymmetric) key algorithms could be considered where key distribution is the difficulty, since the key that encrypts need not be shared with the party that decrypts; they are normally used to protect the symmetric data key rather than to encrypt the bulk data itself.
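As an added illustration (not code from the original chapter), the Go program below implements the symmetric case the paragraph describes with AES-256-GCM from the standard library. Beyond "unreadable without the key", it shows what an authenticated mode buys the control: a wrong key, a tampered record, or a record re-presented under a weaker classification label (the label is bound to the ciphertext as additional authenticated data) all fail to decrypt instead of yielding garbage. The in-memory key, the sample payroll record and the label strings are assumptions for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. The chapter's requirement that
// the key be kept secure and known only to authorized people means it would
// normally live in a key management service; holding it in memory here is an
// illustrative assumption.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with AES-GCM. The classification label is
// passed as additional authenticated data: it is not encrypted, but it is
// bound to the ciphertext, so the record cannot later be presented under a
// different label without decryption failing.
func Encrypt(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Record layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Decrypt reverses Encrypt. Any mismatch in key, label or record contents
// surfaces as an error from Open rather than as corrupted plaintext.
func Decrypt(key, record []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real data.
	record, err := Encrypt(key, []byte("payroll: emp 1042 salary 91000"), "Company Confidential")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(key, record, "Company Confidential")
	fmt.Printf("authorized key, correct label: %q err=%v\n", pt, err)

	_, err = Decrypt(key, record, "Public")
	fmt.Println("same key, record relabeled Public:", err)

	other, _ := NewDataKey()
	_, err = Decrypt(other, record, "Company Confidential")
	fmt.Println("unauthorized key:", err)
}
```

The point of binding the label is operational rather than cryptographic: a custodian who downgrades a record from Company Confidential to Public must re-encrypt it under the new label, which forces the reclassification to go through the owner's approval process rather than being a metadata edit.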

Review and approve. A procedural control, the intent of which is to ensure that any change to the data is reviewed by someone technically knowledgeable to perform the task. An authorized individual other than the person who developed the change should do the review and approval.

Backup and recovery. Depending on the criticality of the data and ease of recovery, plans should be developed and periodically tested to ensure that the data is backed up properly and can be fully recovered.

Separation of duties. The intent of this control is to help ensure that no single person has total control over the data entry and validation process, which would enable someone to enter or conceal an error that is intended to defraud the organization or commit other harmful acts. An example would be not allowing the same individual to establish vendors to an Authorized Vendor File, and then also be capable of authorizing payments to a vendor.

Universal access: none. No one has access to the data unless given specific authority to read, update, etc. This type of control is generally provided by access control software.

Universal access: read. Everyone with access to the system can read data with the control applied; however, update authority must be granted to specific individuals, programs, or transactions. This type of control is provided by access control software.

Universal access: update. Anyone with access to the system can update the data, but specific authority must be granted to delete the data. This control is provided by access control software.

Universal access: alter. Anyone with access to the system can view, update, or delete the data. This provides virtually no security.

Security access control software. This software allows the administrator to establish security rules as to who has access rights to protected resources. Resources can include data, programs, transactions, individual computer IDs, and terminal IDs. Access control software can be set up to allow access by classes of users to classes of resources, or at any level of granularity required by any particular resource or group of resources.
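The four universal-access levels and the separation-of-duties control above are easy to state and easy to get subtly wrong when configured, so here is an added Go example (not from the chapter or any access control product) that encodes both as decision logic: an authorizer that applies the universal setting first and explicit grants second, denying anything else, and a check that reports users who hold both halves of a conflicting transaction pair such as vendor setup and payment approval. The resource names, user IDs, and transaction names are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// UniversalAccess is the right every system user holds on a resource before
// any explicit grant is considered, in the four levels the chapter lists.
type UniversalAccess int

const (
	UniversalNone   UniversalAccess = iota // nothing without a specific grant
	UniversalRead                          // anyone reads; update and delete need grants
	UniversalUpdate                        // anyone reads or updates; delete needs a grant
	UniversalAlter                         // anyone reads, updates or deletes
)

type Action string

const Read, Update, Delete Action = "read", "update", "delete"

// Resource is one protected object as access control software models it:
// a universal setting plus explicit grants to named user IDs.
type Resource struct {
	Name      string
	Universal UniversalAccess
	Grants    map[string][]Action
}

// grantedUniversally encodes the chapter's definitions of the four levels.
func grantedUniversally(u UniversalAccess, a Action) bool {
	switch u {
	case UniversalRead:
		return a == Read
	case UniversalUpdate:
		return a == Read || a == Update
	case UniversalAlter:
		return true
	}
	return false // UniversalNone
}

// Authorize checks the universal setting first, then the user's explicit
// grants; anything not granted is denied.
func Authorize(r Resource, user string, a Action) bool {
	if grantedUniversally(r.Universal, a) {
		return true
	}
	for _, g := range r.Grants[user] {
		if g == a {
			return true
		}
	}
	return false
}

// SoDRule names two transactions that must never be held by the same person.
type SoDRule struct{ First, Second string }

// SoDViolations returns, sorted, every user who holds both halves of any rule.
// userTx maps a user ID to the transactions that user may run.
func SoDViolations(rules []SoDRule, userTx map[string][]string) []string {
	var out []string
	for user, txs := range userTx {
		held := map[string]bool{}
		for _, t := range txs {
			held[t] = true
		}
		for _, r := range rules {
			if held[r.First] && held[r.Second] {
				out = append(out, user)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample configuration; not from any real system.
	payroll := Resource{Name: "PAYROLL.MASTER", Universal: UniversalNone,
		Grants: map[string][]Action{"hr_clerk": {Read, Update}, "auditor": {Read}}}
	phoneBook := Resource{Name: "PHONEBOOK", Universal: UniversalRead,
		Grants: map[string][]Action{"hr_clerk": {Update}}}
	for _, q := range []struct {
		r    Resource
		user string
		a    Action
	}{{payroll, "auditor", Read}, {payroll, "auditor", Update}, {payroll, "intern", Read},
		{phoneBook, "intern", Read}, {phoneBook, "intern", Update}, {phoneBook, "hr_clerk", Delete}} {
		fmt.Printf("%-14s %-8s %-6s -> %v\n", q.r.Name, q.user, q.a, Authorize(q.r, q.user, q.a))
	}
	userTx := map[string][]string{"ap_clerk": {"VENDOR.ADD"}, "ap_manager": {"PAYMENT.APPROVE"},
		"contractor": {"VENDOR.ADD", "PAYMENT.APPROVE"}}
	fmt.Println("SoD violations:", SoDViolations([]SoDRule{{"VENDOR.ADD", "PAYMENT.APPROVE"}}, userTx))
}
```

Two practical points fall out of the code. Default-deny is what makes "universal access: none" meaningful, so the authorizer must return false for anything it does not positively recognize, including an unknown action. And the separation-of-duties check is worth running against the grant table on a schedule, since the chapter's periodic review of "current access rights of individuals and groups" is exactly where accumulated privileges would otherwise go unnoticed.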