International. Used with permission.

Any policy and supporting standards on information classification levels must take into account not only the trade secret and competitive-advantage information, but must also include any personal information about employees, customers, clients, and other third parties.

Earlier in this chapter we examined a number of examples of information classification categories. Now we discuss one other important element: the role of employees in the information classification process.

8 EMPLOYEE RESPONSIBILITIES

When I was doing research for this section of the book, I came across the following policy statement:

The “Information Owner” means the party who confides the referenced Confidential Information to the other party, the Confidant. Despite the name, the Information Owner benefits from a Confidentiality Engagement with respect to Confidential Information that it owns or possesses.

These two sentences have five terms that require the reader to get further definitions. As I attempted to determine exactly what it means to “confide,” I was sent to a hypertext page that explained that it meant to “entrust” the information to a “confidant,” which means the “party receiving the information,” and at that point I started looking elsewhere for examples.

The two lines of policy above provide a good example of what should be avoided when you are writing a policy—or writing anything. The document just referenced came from an organization with strong roots in the legal and government sector. If this is your audience, then this is the language for you. If not, try to think like Henry David Thoreau and simplify.

There are typically three areas of employee responsibility: owner, user, and custodian. We discuss each of these concepts and examine how other organizations have defined these responsibilities.

8.1 Owner

The information owner is the entity within the organization that has been assigned the responsibility to exercise the organization’s proprietary rights and grant access privileges to those with a true business need. This role is normally assigned to the senior level manager within the business unit where the information asset was created, or is the primary user of that asset. The manager will have the ultimate responsibility for compliance, but will probably delegate the day-to-day activities to some individual who reports to him or her.

Information owner: the person who creates or initiates the creation or storage of the information is the initial owner. In an organization, possibly with divisions, departments, and sections, the owner becomes the unit itself with the person responsible being designated as the “head” of the unit.

The Information owner is responsible for ensuring that:

• A classification hierarchy is agreed upon and it is appropriate for the types of information processed for that business unit.

• Classify all information stored into the agreed types and create an inventory (listing) of each type.

• For each document or file within each of the classification categories, append its agreed (confidentiality) classification. Its availability should be determined by the respective classification.

• Ensure that, for each classification type, the appropriate level of information security safeguards is available; for example, the log-on controls and access permissions applied by the Information Custodian provide the required levels of confidentiality.

• Periodically check to ensure that information continues to be classified appropriately and that the safeguards remain valid and operative.

I am not certain what being designated “head” actually means, but I do not believe I would want that title. The term “initial owner” may also lead the reader to believe that someone else may come along and become the “final” or “ultimate” leader.

We now review the owner definition from a global media organization.

Owners are authorized employees to whom responsibility has been delegated for the creation and/or use of specific business data by the business unit that “owns” the data. Owners are responsible for defining requirements for safeguards that assure the confidentiality, availability, and integrity of the information. Owners are also responsible for placing information in the proper classification so that those who need the information to perform their assigned duties can obtain it. The owner provides requirements for security for the information to the custodian. The custodian implements the controls to meet the owner’s requirements.

This is a fairly good definition. The only element that I might add is the requirement that the owner monitor the safeguards to ensure custodian compliance. Let us examine one more example.

A. Owner: the Company management of an organizational unit, department, etc. where the information is created, or that is the primary user of the information. Owners have the responsibility to:

• Identify the classification level of all corporate information within their organizational unit

• Define and implement appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource

• Monitor safeguards to ensure their compliance and report situations of non-compliance

• Authorize access to those who have a business need for the information

• Remove access from those who no longer have a business need for the information

8.2 Custodian

The next responsibility we have to create is that of the information custodian. This entity is responsible for protecting the information asset based on the requirements established by the owner. In an organization that has an information systems organization, the operations group might be considered the custodian of client data and information. They do not have the right to permit anyone access to the information asset, nor can they alter that information in any way without approval from the owner. This would include any programming or system upgrades that would modify the information or the output from applications and transactions.

An Information Custodian is the person responsible for overseeing and implementing the necessary safeguards to protect assets, at the level classified by the Information Owner.

This could be the System Administrator, controlling access to a computer network; or a specific application program or even a standard filing cabinet.

This example started out well but finished oddly. Giving examples of what might be considered a custodian is good. Trying to liken a filing cabinet to the opening sentence where the policy identifies the custodian as a “person” is not. Remember that when you are writing, go back and read what you just wrote to make sure the concepts match from beginning to end. Do not try to be cute. Stick to what the subject is, and make sure you say exactly what needs to be said.

Custodians are authorized system support persons or organizations (employees, contractors, consultants, vendors, etc.) responsible for maintaining the safeguards established by owners. The owner designates the custodian. The Custodian is the “steward of the data” for the owner; that is, the Data Center may be the Custodian for business applications “owned” by a Business Unit.

The use of the term “steward of the data” brings out a point that needs to be made. Some organizations and cultures prefer other terms than the ones discussed here. When I was younger, I played Pony League baseball for a team called the “Custodians.” Our uniforms were the most realistic because we had the name on the front and number on the back. The other teams had names like “Tigers” and “Braves” but had some advertisement about their sponsor on the back. It was not until we played a few games that the other team started calling us the janitors. Custodian to some is a noble name; to others, maybe not so noble. So choose your terms wisely. Curator, Keeper, and Guardian are other terms that might work.

Recently we were doing work for HIPAA compliance. While developing policies for a hospital, we discussed the definition for “user.” The hospital staff started to chuckle and told us that the term “user” had a totally different meaning there and we needed to find another term.

B. Custodian: employees designated by the Owner to be responsible for maintaining the safeguards established by the Owner.

It is important to remember that when we use the term “employee,” we are actually discussing the virtual employee. We can only write policy for employees; for all third parties, a contract must contain compliance language. So it is perfectly acceptable to identify “employees” even if we know that someone other than an employee may actually perform the function. This is true for all employee responsibilities except “owner.” The owner must be an employee; after all, it is the organization’s information.

8.3 User

The final element is the user. The owner grants permission to access the information asset to this individual. The user must use the information in the manner agreed upon with the owner. The user has no other rights. When granting access, the owner should use the concept of “least privilege.” This means that users are granted only the access they specifically need to perform their business task, and no more.

An Information User is the person responsible for viewing, amending, or updating the content of the information assets. This can be any user of the information in the inventory created by the Information Owner.

The inventory discussed here will be addressed in both the classification policy and the records management policy. Who has been assigned access also needs to be tracked. The Custodian is generally responsible for providing the tools to monitor the user list.

Users are authorized system users (employees, contractors, consultants, vendors, etc.) responsible for using and safeguarding information under their control according to the directions of the Owner. Users are authorized access to information by the Owner.

The final example is similar to the definition used above.

C. User: employees authorized by the Owner to access information and use the safeguards established by the Owner.

9 CLASSIFICATION EXAMPLES

In this section we examine attributes and examples of different classification categories. We also present examples of organization information classification policies.

9.1 Example 1

Critique of Example 1 (Table 6): This is an actual classification policy (very high level) for the executive branch of a national government. There is little here to help the average user. This is an example of a Program or General Policy Statement; however, a Topic-Specific Policy Statement might have been more beneficial. Perhaps the next two examples will provide more information.

9.2 Example 2

Critique of Example 2 (Table 7): The policy seems to stress competitive advantage information in its opening paragraphs. It does not appear to address personal information about employees or customers. It does provide for these topics as categories under Confidential but it never really mentions them by name. This appears to be a policy that is somewhat limited in scope. Additionally, it does not establish the scope of the information (is it computer generated only, or exactly what information is being addressed). The employee responsibilities are missing. What is management’s responsibility with respect to information classification, and what is expected of the employees? Finally, what are the consequences of noncompliance?

Table 6. Information Classification Policy