
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > Documenting how to handle confidential criteria

Ask The Security Expert: Questions & Answers

EMAIL THIS

Documenting how to handle confidential criteria

EXPERT RESPONSE FROM: Shon Harris, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 22 August 2005
I need to write an internal procedure on how to handle confidential data. Can you offer some suggestions?

The goals of data classification are listed below:

Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
Return on investment by implementing controls where they are needed the most
Map data protection levels with organizational needs
Mitigate threats of unauthorized access and disclosure
Comply with legal and regulation requirements

The steps to develop and roll out a data classification program are:

Compile an inventory of all information assets

Define levels of protection for information assets

Define a classification criteria

Develop information classification policy

Define information handling and labeling procedures

Assign responsibility for classification to the owner of information

Assign a security classification to all information assets

Classify information according to sensitivity and how much protection is required

Apply the classification system to documents, records, data files, and disks.

Develop information handling procedures for each class of information

Develop information labeling procedures for each class of information

Integrate into security awareness and training programs

You should have a data classification policy that covers the following:

Information as assets of individual business units

Declare business unit managers as information owners

Declare IT as data custodians

Classification scheme

Definitions for each classification

Criteria for each classification

Roles and responsibilities of classification

Your written procedures and guidelines should address the following;

How to classify information
How to change classification level if needed
How to communicate classification change to IT
Periodic review of

Current classification levels and mapping to business needs
Current access rights and privileges
Protection levels that current controls are using

The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.

Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf

Lastly, this link provides detailed guidelines for how to treat different types of data.

BROWSE BY TAG

Expert Archive: Security Management, Information Security Policies, Procedures and Guidelines, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

Information Security Policies, Procedures and Guidelines

Schneier-Ranum face-off part 6: Audience questions

Editor's Desk: Apathy and the Cybersecurity Coordinator

Writing security policies using a taxonomy-based approach

How to detect and respond to money laundering

Health Net breach failure of security policy, technology

How to protect distributed information flows

Whitelists, SaaS modify traditional security, tackle flaws

Melissa Hathaway urges more cooperation, government attention to cybersecurity

Reuters: Obama ready to select cyber security czar

How a corporate Twitter policy can combat social network threats

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

defense in depth (SearchSecurity.com)

non-disclosure agreement (SearchSecurity.com)

security policy (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2010, TechTarget \| Read our Privacy Policy