The question asked was "What is the best approach in order to compose a
scope for a very large organization information classification project?"
My immediate response was "there is no BEST way because you have to know
what works for your organisation."
At least you should set down your goals for the classification project.
What are the end-results you expect to achieve? Often, the right
approach becomes apparent as we become more clear and specific with our
goal setting. You will also need an information taxonomy before you
actually start doing the classification.
At some point, you will need to identify information assets. Leaving this
job to department heads can be unreliable because different people
assign different values to different information.
So you will need a multi-pronged approach to get valid and reliable
valuations of information. Of course, ask each department head to
identify what information, services and functions are vital to their
areas but also ask employees what systems they use on a day-to-day basis
to get their work done. You will also need to investigate further when
department heads place extremely high or low values on particular
assets (or medium values when the information seems more or less
important). Also use a checklist to ensure department heads consider
ALL types of information they may possess (information residing on
laptops or PCs at home which may have corporate and personal information
on them).
On the topic of classification:
All information in your organisation must be classified because strong
security efforts are comprehensive efforts.
The taxonomy you use for classification is a separate issue, but it must
be all inclusive.
Very simplified example:
1. Strategy Documents (Top Secret)
2. Invoices and Receipts (High)
3. All information that is neither 1 nor 2. (Low)
This taxonomy has three partitions. However, it is all inclusive.
Each partition must be assigned a "value" (Very High, High, Medium, Low)
(Sensitive, Confidential, Top Secret) etc.
The level of protection required for each category of information is yet
another separate issue.
Your organisation may be prepared to spend 1M to protect Top Secret
(level 1) information but only $100 to protect level 3 information.
Defining the project scope is about determining what work should be
included in the project and what work should NOT be included in the
project (what results should be achieved and what results should not be
achieved).
As I understand, the information classification will have the least
impact on your project scope (should take 1 - 2 days max, if organised
properly). What will actually take a lot of work is analysing, designing
and implementing risk treatments to protect the information you have
classified and subsequently assessed.
Regards,
Darren
From: Renato Ferro [mailto:renato.ferro@gmail.com]
Sent: Monday, June 20, 2005 10:08 PM
To: security-management@securityfocus.com
Subject: Info Classification Project Scoping
Dear Security Managers,
What is the best approach in order to compose a scope for a very large
organization information classification project?
Scoping the project by systems and applications, departments, business
units, mainframe or distributed systems? etc.
Any opinions would be helpful.
Thanks,