Our organization recently went through the exercise of classifying our
information and took an approach very similar to what Jose has outlined and it
was fairly effective. I might add that Phase 3 also becomes Phase 5, Phase 6,
etc. In other words, it's a never ending process.
As far as scoping the project, I would say start with business units that may
have high risk information. What you'll probably find out very quickly is that
those business units share some of their top secret/confidential information
with other business units, so depending on your approach, you'll either see
scope creep or somewhat of a natural progression in expanding the program to an
organization wide program.
One thing that we learned was the scope can be dramatically reduced by choosing
the appropriate level of information you are classifying. If you are
classifying data on a field level (e.g. name, address, account number, etc.)
there is no way you can keep the scope (as far as the amount of work involved
anyway) small. If you classify on a record level (e.g. marketing brochures,
project documentation, security policy documentation, purchase orders,
invoices, etc.) the work needed to be done is much more manageable. This
approach also helps you coordinate your efforts with a Records Management
program (if you so choose), which can be a very efficient approach. It also is
much easier for the business units to understand, since that's generally how
they process their work (e.g.. working on one invoice at a time, rather than
trying to remember if name, address and account number are confidential on each
piece of work they handle).
Hope that helps.
John Kuisle, CISSP
IS Supervisor - Security and Business Recovery
Federated Mutual Insurance
-----Original Message-----
From: jose.varghese [mailto:jose.varghese@paladion.net]
Sent: Wednesday, June 22, 2005 12:37 AM
To: security-management@securityfocus.com
Subject: RE: Info Classification Project Scoping
Hi,
We could attempt this in phases.
Phase -1
Define the information classification policy. This would categorise the
information as Secret, Confidential,Internal,Public etc(number of
classifications and their definitions would vary with organisation). This
classification would primarily be done based on the impact of risks.This
would apply to all information (digital or otherwise).Once developed get the
policy endorsed by management.
Phase-2
Identify all information assets(and info. owners) that need to classified.
We could also limit the scope of this phase to critical components ( like
Data center assets and all assets at Corporate office).
Develop detailed checklists and questionnaires which will help info. owners
classify their assets.
Phase 3
Conduct awareness/training sessions to information owners on the proposed
classification levels and checklists.
Phase 4
Consolidate the information from various owners to ensure uniform
interpretation.
Jose Varghese
Paladion Networks
http://palisade.paladion.net
-----Original Message-----
From: Gary Everekyan [mailto:gary_everekyan@hotmail.com]
Sent: Tuesday, June 21, 2005 8:06 PM
To: 'Renato Ferro'; security-management@securityfocus.com
Subject: RE: Info Classification Project Scoping
my .2 cents...
I'd get the data owners involved in the overall Information object
classification.
I'll provide guidance that may be in classification categories (public,
restricted etc) and value (none to highly critical).
The largest hurdle is getting time from business units and coordinating the
information gathering.
So the scope would include:
Identification of information owners
Interviews with all the information owners Provide classifications and value
Project management Document that puts it all together.
HTH
Regards,
Gary Everekyan
CISSP, CISM, ISSAP,ISSPCS, MCSE, MCT
Information Security and Audit
"High achievement always takes place in the framework of high expectation" -
Jack Kinder
-----Original Message-----
From: Renato Ferro [mailto:renato.ferro@gmail.com]
Sent: Monday, June 20, 2005 12:38 PM
To: security-management@securityfocus.com
Subject: Info Classification Project Scoping
Dear Security Managers,
What is the best approach in order to compose a scope for a very large
organization information classification project.
Scoping the project by systems and applications, departments, business
units, mainframe or distributed systems? etc.
Any opinions would be helpful.
Thanks,
This e-mail and its attachments are intended only for the use of the
addressee(s) and may contain privileged, confidential or proprietary
information. If you are not the intended recipient, or the employee or agent
responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution, displaying, copying, or
use of this information is strictly prohibited. If you have received this
communication in error, please inform the sender immediately and delete and
destroy any record of this message. Thank you.
