PROJECT ( due 3/09/2019, 3pm, PST )
Security Policies and Implementation Issues
Chapter 11
Data Classification and Handling Policies and Risk Management Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objective
Describe the different information security systems (ISS) policies associated with risk management.
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
2
Key Concepts
Business risks related to information systems
Risks associated with the selected business model
Differences between public and private risk management policies
Risk and Control Self-Assessments (RCSA)
Quality Assurance (QA) and Quality Control (QC)
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
3
Purpose of Data Classification
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Protect information
Retain information
Recover information
Legal Classification Scheme
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Prohibited Information
Confidential Information
Unrestricted Information
Restricted Information
Military Classification Scheme
The U.S. military classification scheme is defined in National Security Information document Executive Order (EO) 12356
Top Secret—Data that the unauthorized disclosure would reasonably expect to cause grave damage to the national security
Secret—Data that the unauthorized disclosure would reasonably expect to cause serious damage to the national security
Confidential—Data that the unauthorized disclosure would reasonably expect to cause damage to the national security
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Military Classification Scheme (Continued)
Unclassified data has two classification levels:
Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
Unclassified—Data available to the public
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Declassification of Government Data
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Business Classification Scheme
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Highly Sensitive
Data that has no negative impact on the business when released to the public
Sensitive
Internal
Public
Mission critical data
Data that is important but not vital to the business mission
Data not related to the core business such as routine communications within the organization
Developing a Customized Classification Scheme
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
10
Determine number of classification levels
Define each classification level
Name each classification level
Align classification to specific handling requirements
Define audit and reporting requirements
Classifying Data
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
You need to consider two primary issues when classifying data:
-Data ownership
-Security controls
These two issues help you drive maximum value from the data classification effort.
7/17/2014
11
Data ownership
Security controls
Data Handling Policies
Policies, standards, and procedures must be defined regarding data during:
Creation—During creation, data must be classified. That could be simply placing the data within a common storage area.
Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
Use—Use of data includes protecting and labeling information properly after its access.
Transmission—Data must be transmitted in accordance with policies and standards.
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data Handling Policies (Continued)
Storage—Storage devices of data must be approved. This ensures that access to the device is secured and properly controlled
Physical Transport—Transport of data must be approved. This ensures that the data leaves the confines of the private network and is protected and tracked
Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed in a controlled procedure
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Database Encryption Attack Scenarios
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data Classification of Volume versus Time to Recover
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Risk Management Process
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Risk and Control Self-Assessment (RCSA)
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
What the major known risks are
Which of these risks will limit the ability of the organization to complete its mission
What plans are in place to deal with these risks
Who “owns” the management and monitoring of these risks
Risk Management Policies
Risk avoidance is primarily a business decision, however differences between public and private are clear:
Public organizations cannot avoid high risk, such as police departments
Private organizations can avoid risk with strategic decisions as to where to place their data centers, out of storm paths
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Risk Management Policies (Continued)
The power to choose what risk to accept is the main difference between public and private organizations
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Risk Management Strategies
Risk avoidance—Not engaging in certain activities that can incur risk
Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
Risk transference—Sharing the risk with an outside party
Risk mitigation—Reducing or eliminating the risk by applying controls
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
20
Quality Assurance vs. Quality Control
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes
Best Practices for Data Classification and Risk Management Policies
Keep the classification simple—no more than three to five data classes.
Ensure that data classes are easily understood by employees.
Data classification must highlight which data is most valuable to the organization.
Classify data in the most effective manner that classifies the highest-risk data first.
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
22
Summary
Data classification based on military scheme
Risk management policies for private and public sector
Roles and responsibilities associated with risk management policies
Data handling policies
Quality Assurance (QA) and Quality Control (QC)
Risk and Control Self Assessments (RCSA)
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014
23