Domain 4
Policy, Standards, and Organization

As technologies evolve, the protection of resources becomes increasingly more complex. Nevertheless, information security is predominantly an organizational issue, and as such, establishing and enforcing policies and standards is critical to the successful administration of the Information Security Program.

Chapter 4-1-1 defines a comprehensive methodology for the protection of data through an information classification program. This chapter is a natural follow-on to the previous chapters on risk management, since information classification is based on business risk and data valuation. The author defines a step-by-step process which begins with establishing a policy and conducting a business impact analysis in order to identify major functional areas of information and to analyze the threats associated with each area. In addition, the chapter includes a method for establishing the multiple categories of classification and for defining the respective, required controls for each level. Further, the author encourages participation by data owners or sponsors, and on-going monitoring by the organization’s Internal Audit function.

Practitioners must be consistently aware of the threats to information security, and Chapter 4-2-1 introduces us to the insidious risks introduced by global competition and information warfare. In today’s downsizing and rightsizing environment, each individual corporation strives to stay one step ahead of the competition. The urgency created by this frenzied contention is a breeding ground for industrial and economic espionage.

The author describes the technological and human issues that organizations must deal with today, and using actual case studies, emphasizes the seriousness of the situation. Importantly, the final section of the chapter addresses how an organization can defend itself again information warfare attacks, using foundation principles of information security, i.e., individual accountability, access control and audit trails.

Chapters 4-3-1 and 4-3-2 address organizational and architectural structure, with an eye toward laying a foundation for the future of information security in order to accommodate the changing countenance of business technologies. In chapter 4-3-1, the author proposes a radical departure from the traditional mainframe-oriented security organization to one that relies heavily on support and cooperation from nonsecurity resources and contingent labor.

Chapter 4-3-2 describes the design and development of a comprehensive, enterprise-wide security architecture. The burden of ensuring that internal controls are inherent in all new systems and applications, and supporting the security administration of said systems and applications, is an overwhelming responsibility. Lacking a security blueprint which overlays the technology infrastructure, the ability to instill security at all appropriate points is a hit and miss proposition. This chapter provides an enterprise-wide design, respective tools, and a coherent management system encompassing a structured, consistent security architecture.

Finally, Chapter 4-4-1 offers an extensive recounting of the essentials of information security management, well-written, effectively communicated, information security policies and procedures.

Section 4-1
Information Classification

Chapter 4-1-1
Information Classification: A Corporate Implementation Guide

Jim Appleyard

INTRODUCTION

Classifying corporate information based on business risk, data value, or other criteria (as discussed later in this chapter), makes good business sense. Not all information has the same value or use, or is subject to the same risks. Therefore, protection mechanisms, recovery processes, etc. are — or should be — different, with differing costs associated with them. Data classification is intended to lower the cost of protecting data, and improve the overall quality of corporate decision making by helping ensure a higher quality of data upon which the decision makers depend.

The benefits of an enterprise-wide data classification program are realized at the corporate level, not the individual application or even departmental level. Some of the benefits to the organization are

•  Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise.

•  The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for noncritical information.

•  The quality of decisions is improved because the quality of the data upon which the decisions are made has been improved.

•  The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine priorities and values of critical business functions and data.

•  The implementation of an information security architecture is supported, which better positions the company for future acquisitions and/or mergers.

This chapter will discuss the processes and techniques required to establish and maintain a corporate data classification program. There are costs associated with this process; however, most of these costs are front-end start-up costs. Once the program has been successfully implemented, the cost savings derived from the new security schemes, as well as the improved decision making, should more than offset the initial costs over the long haul, and certainly the benefits of the ongoing program outweigh the small, administrative costs associated with maintaining the data classification program.

Although not the only methodology that could be employed to develop and implement a data classification program, the one described here has been used and proved to work.

The following topics will be addressed:

•  Getting started: questions to ask

•  Policy

•  Business Impact Analysis

•  Establishing classifications

•  Defining roles and responsibilities

•  Identifying owners

•  Classifying information and applications

•  Ongoing monitoring