Thursday, 29 December 2011

Classify the information? No doubt it is a... sexy step!

For a decade now, we have seen that, before implementing an information security policy, some organizations had already put in place, for several years, security measures that were sometimes preventive, sometimes detective and even corrective in nature. On each occasion, these organizations invested in large projects, in infrastructure and, very often, in the procurement of commercial products.

In fact, Daniel Geer pointed this out: "three quarters of all data losses are discovered by unrelated third parties, from which one can inevitably infer that the victim's network and infrastructure security regimes were neither effective nor relevant." (See: http://www.scmagazineus.com/the-enterprise-information-protection-paradigm/article/164341/) It should also be noted that data is not only digital, which shows that information security does not depend solely on information technology.
Without prior and effective management of information (the information assets of ISO 2700x), it is very hard, if not impossible, for these organizations to know what to protect and how. In the end, the implementation of security measures results in user complaints: information security applied the wrong way not only fails to be effective but, on the contrary, creates constraints, not to mention the dangerous workarounds of those who rebel against it.

Thankfully, implementing such a thing is simple. Still, because it is strongly tied to a cultural change, it is necessary to proceed step by step and, as with all great changes, slowly but surely, in order to ensure continuity.
In our experience, several organizations that followed our six steps have managed to enforce their own information classification policy, with the goal of applying security measures better and managing their risks efficiently:
1) Identifying sensitive and indispensable information for the smooth progress of affairs
This step, based on the organization's highest priorities and its business lines, helps to quickly bring all sensitive information to light. Sometimes the data is also subject to laws and regulations, which eases the identification task. During identification, care should be taken to distinguish between primary and support assets: when security measures are applied to the latter, this distinction should be kept in mind and the measures chosen according to the sensitivity of the primary assets they support.


(“Find out why identification is the first step towards a more intelligent protection of information and to avoid costly data breaches”:
http://www.cerberis.com/actualite-une-protection-des-donnees-plus-intelligente-grace-a-l---identification-133.html)
2) Localizing relevant information
In this step, all relevant information, in any form, digital or not, is located physically and logically. Partners and entities with varying degrees of trust are increasingly sharing data; it is necessary to regain some control or, at least, to know where the data is.

3) Defining all participants' roles and responsibilities
This very important step defines the roles and responsibilities of information owners, officers and holders. Without it there is no responsibility and, therefore, no accountability. With it, holders can apply security measures appropriately, according to the sensitivity expressed by the information officers and owners.

4) Establishing a sensitivity grid, the basis for classifying the information
This step aims at defining a classification in terms of criteria such as the required availability, integrity and even confidentiality. For the latter, we find the following categories: external, internal, confidential and strategic.

Nevertheless, the grid can be the subject of debate and distortion: universal classification schemes cannot simply be ignored, yet they are widely criticized. It is therefore appropriate to offer one corporate level of classification and to allow each service or directorate to add an extra, internal sensitivity level of its own.

5) Marking the information
Finally, this step, crucial to ensuring continuity in the classification, involves marking the information with a label (physically) or with a header block (logically). The information management process then becomes easy and intuitive, even invisible, as users are led, step by step, to classify information from the moment the data is created.
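As an added illustration of steps 1, 3, 4 and 5 together, the small Python module below is example code written for this page, not the author's or Cerberis's tooling. It encodes the corporate sensitivity grid (the four confidentiality levels are the post's own; the three-step scale for integrity and availability, the asset names, the owner and custodian roles and the label format are assumptions), raises each support asset to at least the sensitivity of the primary assets it supports, lets a directorate append its own sub-level without disturbing the corporate ordering, and produces the marking that would be stamped on the document or carried in its metadata header.

```python
from dataclasses import dataclass, field
from typing import Optional

# Corporate confidentiality levels, lowest to highest, as named in the post.
CONFIDENTIALITY = ("external", "internal", "confidential", "strategic")
# Levels for integrity and availability: the post lists the criteria but not
# their levels, so this three-step scale is a constructed assumption.
IMPACT = ("low", "medium", "high")


@dataclass
class Asset:
    """One information asset with its classification on the three criteria.

    `supports` lists the primary assets that a support asset (a file server,
    an archive room, a backup tape) serves; it is empty for a primary asset.
    """
    name: str
    confidentiality: str
    integrity: str
    availability: str
    owner: str                      # accountable for the sensitivity decision
    custodian: str                  # applies the measures the owner requires
    supports: list = field(default_factory=list)
    local_sublevel: Optional[str] = None  # extra level a directorate may add


def check_levels(asset: Asset) -> None:
    """Reject any level that is not part of the corporate grid."""
    if asset.confidentiality not in CONFIDENTIALITY:
        raise ValueError(f"{asset.name}: unknown confidentiality {asset.confidentiality!r}")
    for crit in ("integrity", "availability"):
        if getattr(asset, crit) not in IMPACT:
            raise ValueError(f"{asset.name}: unknown {crit} level {getattr(asset, crit)!r}")


def _highest(levels, scale):
    """Pick the most sensitive level according to the ordering of `scale`."""
    return max(levels, key=scale.index)


def inherit_from_primary(assets: dict) -> dict:
    """Raise each support asset to at least the sensitivity of what it supports.

    A support asset is never classified below the most sensitive primary asset
    that depends on it; its own level is kept when it is already higher.
    """
    for asset in assets.values():
        check_levels(asset)
    for asset in assets.values():
        if not asset.supports:
            continue
        primaries = [assets[n] for n in asset.supports]
        asset.confidentiality = _highest(
            [asset.confidentiality] + [p.confidentiality for p in primaries], CONFIDENTIALITY)
        asset.integrity = _highest(
            [asset.integrity] + [p.integrity for p in primaries], IMPACT)
        asset.availability = _highest(
            [asset.availability] + [p.availability for p in primaries], IMPACT)
    return assets


def marking(asset: Asset) -> str:
    """Build the label stamped on the document or carried in its header block."""
    level = asset.confidentiality.upper()
    if asset.local_sublevel:
        # The directorate's sub-level is appended, never substituted, so the
        # corporate level stays readable by everyone else.
        level += f"/{asset.local_sublevel.upper()}"
    return (f"{level} | I:{asset.integrity} A:{asset.availability}"
            f" | owner={asset.owner} custodian={asset.custodian}")


def demo() -> dict:
    """Constructed inventory: two primary assets and the server holding both."""
    assets = {
        "price-list": Asset("price-list", "external", "high", "medium",
                            owner="sales-dir", custodian="it-ops"),
        "m&a-memo": Asset("m&a-memo", "strategic", "high", "low",
                          owner="exec-board", custodian="it-ops",
                          local_sublevel="board-only"),
        "fileserver-01": Asset("fileserver-01", "internal", "low", "low",
                               owner="cio", custodian="it-ops",
                               supports=["price-list", "m&a-memo"]),
    }
    inherit_from_primary(assets)
    return {name: marking(a) for name, a in assets.items()}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:14} {label}")
```

Running it shows the point of step 1's distinction: the file server was declared "internal / low / low" by its custodian, but because it hosts a strategic memo it is marked STRATEGIC with high integrity and medium availability, so the measures applied to it follow the primary assets rather than the server's own modest declaration.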

6) Engaging users
From the very beginning of your implementation project, it is critical to engage users through a pilot project, showing them the benefits and managing the changes to their processes.

During this step, users will reconsider the sensitivity of their data, giving you the opportunity to adjust the classification grid.
By following these six steps, the cornerstone of your security policy will take shape, whatever the underlying technologies, in a continuous improvement process.

Once your data is located, the responsible stakeholders designated, and the data classified according to its sensitivity, you will start to come out of the mist. The application of security measures will become more efficient and logical; supervision, more focused; and the justification of spending on organizational measures or technological security solutions, easier.

Your questions, comments or suggestions are most welcome. Thanks.
