Handbook of Information Security Management:Policy, Standards, and Organization



CLASSIFY INFORMATION AND APPLICATIONS

The information owners, after completing their training, should begin collecting the metadata about their business functions and applications. A formal data collection process should be used to ensure consistency in the methods used and the types of information gathered. This information should be stored in a central repository for future reference and analysis. Once the information has been collected, the information owners should review the definitions of the information classifications and classify their data according to those criteria. The owners can use the following information in determining the appropriate controls for each classification:

  Audit information maintained: how much there is, where it is kept, and what controls are imposed on the audit data.
  Separation of duties required, yes or no. If yes, how it is performed.
  Encryption requirements.
  Data protection mechanisms and access controls defined based on classification, sensitivity, etc.
  Universal access control assigned.
  Backup and recovery processes documented.
  Change control and review processes documented.
  Confidence level in data accuracy.
  Data retention requirements defined.
  Location of documentation.

The following application controls are required to complement the data controls, but care should be taken to ensure all controls (both data and software) are commensurate with the information classification and value of the information:

  Audit controls in place.
  Develop and approve test plans.
  Separation of duties practiced.
  Change management processes in place.
  Code tested, verified for accuracy.
  Access control for code in place.
  Version controls for code implemented.
  Backup and recovery processes in place.

ONGOING MONITORING

Once the information processes have been implemented and data classified, the ongoing monitoring processes should be implemented. The internal audit department should lead this effort to ensure compliance with policy and established procedures. Information Security, working with selected information owners, Legal, and other interested parties, should periodically review the information classifications themselves to ensure they still meet business requirements.

The information owners should periodically review the data to ensure they are still appropriately classified. Also, access rights of individuals should be periodically reviewed to ensure these rights are still appropriate for the job requirements. The controls associated with each classification should also be reviewed to ensure they are still appropriate for the classification they define.

SUMMARY

Information and software classification is necessary to better manage information. If implemented correctly, classification can reduce the cost of protecting information, because in today’s environment a “one size fits all” approach no longer works within the complexity of most corporations’ heterogeneous platforms that make up the I/T infrastructure. Information classification increases the probability that controls will be placed on the data where they are needed the most, and not applied where they are not needed.

Classification security schemes enhance the usability of data by ensuring the confidentiality, integrity, and availability of information. By implementing a corporate-wide information classification program, good business practices are enhanced by providing a secure, cost-effective data platform which supports the company’s business objectives. The key to the successful implementation of the information classification process is senior management support. The corporate information security policy should lay the groundwork for the classification process, and be the first step in obtaining management support and buy-in.
