
Re: Info Classification Project Scoping

Subject: Re: Info Classification Project Scoping
Date: Thu, 23 Jun 2005 06:34:59 -0400
If I might suggest, start with value, not class. Derive class from value. Value can be defined in terms of monetary importance, regulatory compliance need, and age (as in ILM).

For example, a row in a database that represents an unshipped but paid-for order could be rated very high. The final document of the latest 10-Q filing or the CFO's analyst presentation would also be high. The row that represents an order filled in 1995 would be low, and the marketing presentation from last January moderate.

Then, devise data protection and security policies around the classes of information. In this way, the most valuable information is afforded the highest (and most expensive) forms of protection.

Thanks,

Tom Petrocelli
President
Technology Alignment Partners
PH: 716-633-8346
website: www.techalignment.com

On 6/21/2005 11:29 PM, Darren Campbell wrote:
The question asked was "What is the best approach in order to compose a scope for a very large organization information classification project?"

My immediate response was "there is no BEST way because you have to know what works for your organisation."

At least you should set down your goals for the classification project. What are the end-results you expect to achieve? Often, the right approach becomes apparent as we become more clear and specific with our goal setting. You will also need an information taxonomy before you actually start doing the classification.

At some point, you will need to identify information assets. Leaving this job to department heads can be unreliable because different people assign different values to different information.

So you will need a multi-pronged approach to get valid and reliable valuations of information. Of course, ask each department head to identify what information, services and functions are vital to their areas, but also ask employees what systems they use on a day-to-day basis to get their work done. You will also need to investigate further when department heads place extremely high or low values on particular assets (or medium values when the information seems more or less important). Also use a checklist to ensure department heads consider ALL types of information they may possess (information residing on laptops or PCs at home, which may have both corporate and personal information on them).

On the topic of classification:
All information in your organisation must be classified because strong security efforts are comprehensive efforts.

The taxonomy you use for classification is a separate issue, but it must be all inclusive.

Very simplified example:
1. Strategy Documents (Top Secret)
2. Invoices and Receipts (High)
3. All information that is neither 1 nor 2. (Low)

This taxonomy has three partitions. However, it is all inclusive.

Each partition must be assigned a "value" (Very High, High, Medium, Low) (Sensitive, Confidential, Top Secret) etc.

The level of protection required for each category of information is yet another separate issue.

Your organisation may be prepared to spend 1M to protect Top Secret (level 1) information but only $100 to protect level 3 information.

Defining the project scope is about determining what work should be included in the project and what work should NOT be included in the project (what results should be achieved and what results should not be achieved).

As I understand it, the information classification will have the least impact on your project scope (it should take 1 - 2 days max, if organised properly). What will actually take a lot of work is analysing, designing and implementing risk treatments to protect the information you have classified and subsequently assessed.

Regards,

Darren


From: Renato Ferro [mailto:renato.ferro@gmail.com]
Sent: Monday, June 20, 2005 10:08 PM
To: security-management@securityfocus.com
Subject: Info Classification Project Scoping

Dear Security Managers,

What is the best approach in order to compose a scope for a very large organization information classification project?

Scoping the project by systems and applications, departments, business units, mainframe or distributed systems, etc.?

Any opinions would be helpful.

Thanks,