Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Info Classification Project Scoping

from ["Weigel Muñoz, Margarita"] Network Security [Permanent Link]
Subject: RE: Info Classification Project Scoping
Date: Thu, 30 Jun 2005 11:48:29 -0300 

I agree with this points. Firstly you could  begin with the phase -1
defining the information and sistems or others assets as sensitive or
critical as well lined up the scope of the whole project or process of
information security defined when you made your main risk assesment.

In order to achieve it, we face a project defining roles, profiles, objects
(asigned asses, applications, process, functions, information) designing the
information.owner and the process.owner (it depend on the organization) Then
we define or classify the information in order with the security, the need
to know, the treatment, the lebeling, and the critisism for the business
continuity.

 2 cents only

Best regards
Margarita Weigel Muñoz




-----Mensaje original-----
De: Kuisle, John P. [mailto:JPKuisle@fedins.com]
Enviado el: Jueves, 23 de Junio de 2005 11:06 a.m.
Para: security-management@securityfocus.com
Asunto: RE: Info Classification Project Scoping


Our organization recently went through the exercise of classifying our
information and took an approach very similar to what Jose has outlined and
it was fairly effective.  I might add that Phase 3 also becomes Phase 5,
Phase 6, etc.  In other words, it's a never ending process.   

As far as scoping the project, I would say start with business units that
may have high risk information.  What you'll probably find out very quickly
is that those business units share some of their top secret/confidential
information with other business units, so depending on your approach, you'll
either see scope creep or somewhat of a natural progression in expanding the
program to an organization wide program.  

One thing that we learned was the scope can be dramatically reduced by
choosing the appropriate level of information you are classifying.  If you
are classifying data on a field level (e.g. name, address, account number,
etc.) there is no way you can keep the scope (as far as the amount of work
involved anyway) small.  If you classify on a record level (e.g. marketing
brochures, project documentation, security policy documentation, purchase
orders, invoices, etc.) the work needed to be done is much more manageable.
This approach also helps you coordinate your efforts with a Records
Management program (if you so choose), which can be a very efficient
approach.  It also is much easier for the business units to understand,
since that's generally how they process their work (e.g.. working on one
invoice at a time, rather than trying to remember if name, address and
account number are confidential on each piece of work they handle).  

Hope that helps.

John Kuisle, CISSP
IS Supervisor - Security and Business Recovery
Federated Mutual Insurance


-----Original Message-----
From: jose.varghese [mailto:jose.varghese@paladion.net]
Sent: Wednesday, June 22, 2005 12:37 AM
To: security-management@securityfocus.com
Subject: RE: Info Classification Project Scoping


Hi,

We could attempt this in phases.

Phase -1

Define the information classification policy. This would categorise the
information as Secret, Confidential,Internal,Public etc(number of
classifications and their definitions would vary with organisation). This
classification would primarily be done based on the impact of risks.This
would apply to all information (digital or otherwise).Once developed get the
policy endorsed by management.

Phase-2 

Identify all information assets(and info. owners) that need to classified.
We could also limit the scope of this phase to critical components ( like
Data center assets and all assets at Corporate office). 
Develop detailed checklists and questionnaires which will help info. owners
classify their assets.

Phase 3
Conduct awareness/training sessions to information owners on the proposed
classification levels and checklists.

Phase 4
Consolidate the information from various owners to ensure uniform
interpretation.

Jose Varghese
Paladion Networks
http://palisade.paladion.net







-----Original Message-----
From: Gary Everekyan [mailto:gary_everekyan@hotmail.com] 
Sent: Tuesday, June 21, 2005 8:06 PM
To: 'Renato Ferro'; security-management@securityfocus.com
Subject: RE: Info Classification Project Scoping

my .2 cents...
I'd  get the data owners involved in the overall Information object
classification.
I'll provide guidance that may be in classification categories (public,
restricted etc) and value (none to highly critical).
The largest hurdle is getting time from business units and coordinating the
information gathering.
So the scope would include:
Identification of information owners
Interviews with all the information owners Provide classifications and value
Project management Document that puts it all together.
HTH


Regards,
 
Gary Everekyan
CISSP, CISM, ISSAP,ISSPCS, MCSE, MCT
Information Security and Audit
"High achievement always takes place in the framework of high expectation" -
Jack Kinder

 

-----Original Message-----
From: Renato Ferro [mailto:renato.ferro@gmail.com]
Sent: Monday, June 20, 2005 12:38 PM
To: security-management@securityfocus.com
Subject: Info Classification Project Scoping

Dear Security Managers,
What is the best approach in order to compose a scope for a very large
organization information classification project.

Scoping the project by systems and applications, departments, business
units, mainframe or distributed systems? etc.

Any opinions would be helpful.

Thanks,



This e-mail and its attachments are intended only for the use of the
addressee(s) and may contain privileged, confidential or proprietary
information. If you are not the intended recipient, or the employee or agent
responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution, displaying, copying,
or use of this information is strictly prohibited. If you have received this
communication in error, please inform the sender immediately and delete and
destroy any record of this message. Thank you.


El contenido de este mail y cualquier archivo adjunto son confidenciales.
Está dirigido solo a los destinatarios. Cualquier divulgación, distribución
o copia de esta comunicación o cualquiera de sus contenidos está prohibida.
Si Ud. ha recibido este mail por error por favor reenvíelo al remitente
inmediatamente, borre el original y cualquier copia que resida en su
computadora.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: Info Classification Project Scoping, "Weigel Muñoz, Margarita" <=
Previous by Date:  Re: Firewall Audit Policies/Procedures, RusCrypto
Next by Date:  Audit for documented procedures for the operation of an IS department, artiman1973
Previous by Thread:  Firewall Audit Policies/Procedures, Joshua Berry
Next by Thread:  Audit for documented procedures for the operation of an IS department, artiman1973
Indexes:  [Date] [Thread] [Top] [All Lists]