Information Security Process: Classification
August 1, 2013
Information security, like any relationship, takes time and effort. I use a security management cycle that has worked well for the companies I have secured and maintained: Classify, Secure, Audit, Educate, Repeat. It is not a memorable acronym, but it is a valuable path to cycle through. Each iteration has left my companies better prepared for the inevitable attacks and has made recovery easier and faster.
This article covers only information classification, the most ethereal step of the process. Every other step's effectiveness can be measured quantitatively; classification is qualitative.
I first identify the pieces of information vital to the company's survival and to its growth, and then protect against the loss of any company secrets. This protects the company's present, its future, and its advantages over the competition. I label that information confidential and apply the same tag to anything that controls or carries it: routers, switches, servers, laptops, cell phones, desks, offices, executive assistants, conference rooms, and the corporate phone system, to name a few. Every one of these is a path by which the information can be compromised, fall into the wrong hands, or be lost outright, which can be even worse.
How valuable is something? Information is an abstract concept, but in my corporate world it represents tangible assets. I use a few rules to determine the value of corporate assets and information. First, how valuable is it to the company? How valuable will it be tomorrow? How valuable will it be five years from now? Second, how valuable is it to a department in the company, and how valuable is that department? Finally, how valuable would it be to a competitor?
Building an inventory of where this information lives and which pieces of technology it traverses on a given day gives a decent picture of what needs to be secured. For smaller companies I generally find that every piece of technology needs to be secured and maintained, because high-value information passes through all of it several times a day. For larger companies the list has been more granular.
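As an added illustration (not the author's own tooling; every asset, device, flow and score below is constructed), the following Python sketch turns the two ideas above into a small classification matrix: each information asset gets a score from the three valuation questions, and its label is propagated to every device on the path it traverses, so the devices that must be secured fall out of the inventory rather than being guessed. The department weight and the scoring formula are assumptions chosen for the example; a flow that names a device missing from the inventory is treated as an error, since an unlisted device is exactly the gap the inventory is meant to catch.

```python
"""Toy information-classification matrix (added example, constructed data).

Each InfoAsset carries the three valuation answers from the post and the
list of devices it traverses during a normal day. Labels propagate from
information to devices: a device's classification is the highest label
of any information that crosses it.
"""
from dataclasses import dataclass, field

# Ordered classification levels; higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class InfoAsset:
    name: str
    label: str                 # one of LEVELS
    value_now: int             # value to the company today (0-10)
    value_future: int          # value tomorrow / five years out (0-10)
    value_to_competitor: int   # value to a competitor (0-10)
    dept_weight: float = 1.0   # how valuable the owning department is (assumed scale)
    path: list = field(default_factory=list)  # devices traversed on a given day


def asset_value(asset):
    """Score an asset: own value (whichever of now/future is larger),
    scaled by the owning department's weight, plus competitor value."""
    own = max(asset.value_now, asset.value_future) * asset.dept_weight
    return own + asset.value_to_competitor


def rank_assets(assets):
    """Asset names, most valuable first."""
    return [a.name for a in sorted(assets, key=asset_value, reverse=True)]


def classify_devices(assets, devices):
    """Return {device: highest label of any information crossing it}.
    Devices in the inventory that carry no listed flow stay 'public'.
    A flow that touches a device missing from the inventory is an error."""
    matrix = {d: "public" for d in devices}
    for asset in assets:
        for device in asset.path:
            if device not in matrix:
                raise KeyError(
                    f"{asset.name!r} traverses unknown device {device!r}; "
                    "add it to the inventory before classifying")
            if LEVELS[asset.label] > LEVELS[matrix[device]]:
                matrix[device] = asset.label
    return matrix


def devices_to_secure(assets, devices, minimum="confidential"):
    """Sorted list of devices whose classification is at or above `minimum`."""
    matrix = classify_devices(assets, devices)
    return sorted(d for d, lbl in matrix.items() if LEVELS[lbl] >= LEVELS[minimum])


# Constructed sample inventory for a small company.
SAMPLE_DEVICES = ["edge-router", "core-switch", "file-server",
                  "ceo-laptop", "guest-wifi-ap", "phone-system"]

SAMPLE_ASSETS = [
    InfoAsset("customer-contracts", "confidential", 9, 8, 7, 1.0,
              ["edge-router", "core-switch", "file-server", "ceo-laptop"]),
    InfoAsset("pricing-model", "confidential", 6, 9, 9, 1.5,
              ["file-server", "ceo-laptop"]),
    InfoAsset("sales-call-recordings", "confidential", 7, 5, 6, 1.0,
              ["phone-system"]),
    InfoAsset("hr-handbook", "internal", 3, 3, 1, 0.5,
              ["core-switch", "file-server"]),
    InfoAsset("cafeteria-menu", "public", 1, 1, 0, 1.0,
              ["guest-wifi-ap", "edge-router"]),
]


if __name__ == "__main__":
    for name in rank_assets(SAMPLE_ASSETS):
        print(f"{name:24s} value={asset_value(next(a for a in SAMPLE_ASSETS if a.name == name)):.1f}")
    for device, label in classify_devices(SAMPLE_ASSETS, SAMPLE_DEVICES).items():
        print(f"{device:16s} {label}")
    print("secure:", devices_to_secure(SAMPLE_ASSETS, SAMPLE_DEVICES))
```

On this sample the guest access point is the only device that never sees confidential information, which matches the small-company experience described above: nearly everything ends up needing to be secured. The unknown-device check is the part worth keeping in a real inventory, because the devices nobody listed are the ones that end up unsecured.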
Building this classification matrix is necessary, even though in most environments servers, routers, switches and laptops end up with the same or a similar configuration. That is not true of every environment, and it is especially not true with Bring Your Own Device, where hardware the company does not control carries the same information.
This view may seem overprotective and intrusive, but its only purpose is to show the company where its highest-level vulnerabilities are. Securing is a separate step, and it usually does not have to disrupt current business practices.
© 2013 Norris Proprietaries Inc.