PROJECT ( due 3/09/2019, 3pm, PST )

profileanve5h.5p10
Chapter11.pptx

Security Policies and Implementation Issues

Chapter 11

Data Classification and Handling Policies and Risk Management Policies

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

1

Learning Objective

Describe the different information security systems (ISS) policies associated with risk management.

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

2

Key Concepts

Business risks related to information systems

Risks associated with the selected business model

Differences between public and private risk management policies

Risk and Control Self-Assessments (RCSA)

Quality Assurance (QA) and Quality Control (QC)

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

3

Purpose of Data Classification

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Protect information

Retain information

Recover information

Legal Classification Scheme

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Prohibited Information

Confidential Information

Unrestricted Information

Restricted Information

Military Classification Scheme

The U.S. military classification scheme is defined in National Security Information document Executive Order (EO) 12356

Top Secret—Data that the unauthorized disclosure would reasonably expect to cause grave damage to the national security

Secret—Data that the unauthorized disclosure would reasonably expect to cause serious damage to the national security

Confidential—Data that the unauthorized disclosure would reasonably expect to cause damage to the national security

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Military Classification Scheme (Continued)

Unclassified data has two classification levels:

Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act

Unclassified—Data available to the public

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Declassification of Government Data

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Business Classification Scheme

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Highly Sensitive

Data that has no negative impact on the business when released to the public

Sensitive

Internal

Public

Mission critical data

Data that is important but not vital to the business mission

Data not related to the core business such as routine communications within the organization

Developing a Customized Classification Scheme

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

10

Determine number of classification levels

Define each classification level

Name each classification level

Align classification to specific handling requirements

Define audit and reporting requirements

Classifying Data

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

You need to consider two primary issues when classifying data:

-Data ownership

-Security controls

These two issues help you drive maximum value from the data classification effort.

7/17/2014

11

Data ownership

Security controls

Data Handling Policies

Policies, standards, and procedures must be defined regarding data during:

Creation—During creation, data must be classified. That could be simply placing the data within a common storage area.

Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).

Use—Use of data includes protecting and labeling information properly after its access.

Transmission—Data must be transmitted in accordance with policies and standards.

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Data Handling Policies (Continued)

Storage—Storage devices of data must be approved. This ensures that access to the device is secured and properly controlled

Physical Transport—Transport of data must be approved. This ensures that the data leaves the confines of the private network and is protected and tracked

Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed in a controlled procedure

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Database Encryption Attack Scenarios

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Data Classification of Volume versus Time to Recover

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Risk Management Process

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Risk and Control Self-Assessment (RCSA)

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

What the major known risks are

Which of these risks will limit the ability of the organization to complete its mission

What plans are in place to deal with these risks

Who “owns” the management and monitoring of these risks

Risk Management Policies

Risk avoidance is primarily a business decision, however differences between public and private are clear:

Public organizations cannot avoid high risk, such as police departments

Private organizations can avoid risk with strategic decisions as to where to place their data centers, out of storm paths

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Risk Management Policies (Continued)

The power to choose what risk to accept is the main difference between public and private organizations

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Risk Management Strategies

Risk avoidance—Not engaging in certain activities that can incur risk

Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result

Risk transference—Sharing the risk with an outside party

Risk mitigation—Reducing or eliminating the risk by applying controls

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

20

Quality Assurance vs. Quality Control

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain

Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes

Best Practices for Data Classification and Risk Management Policies

Keep the classification simple—no more than three to five data classes.

Ensure that data classes are easily understood by employees.

Data classification must highlight which data is most valuable to the organization.

Classify data in the most effective manner that classifies the highest-risk data first.

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

22

Summary

Data classification based on military scheme

Risk management policies for private and public sector

Roles and responsibilities associated with risk management policies

Data handling policies

Quality Assurance (QA) and Quality Control (QC)

Risk and Control Self Assessments (RCSA)

Page ‹#›

Security Policies and Implementation Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7/17/2014

23