ertlnz

Computer Science

MSIS

Description

1 question: Initial Post

Chapter 11 in our text discusses the needs that an organization might have to classify data. There are three needs that are most prevalent. Please list the three needs that are most prevalent for most organizations and explain why these three needs are so important.

Unformatted Attachment Preview

Security Policies and Implementation Issues
Week 9: Data Classification and Handling Policies and Risk Management Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.

Learning Objective
▪ Describe the different information security systems (ISS) policies associated with risk management.

Key Concepts
▪ Business risks related to information systems
▪ Risks associated with the selected business model
▪ Differences between public and private risk management policies
▪ Risk and Control Self-Assessments (RCSA)
▪ Quality Assurance (QA) and Quality Control (QC)

Purpose of Data Classification
▪ Protect information
▪ Retain information
▪ Recover information

Legal Classification Scheme
▪ Prohibited Information
▪ Restricted Information
▪ Confidential Information
▪ Unrestricted Information

Military Classification Scheme
▪ The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
• Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to national security
• Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to national security
• Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to national security

Military Classification Scheme (Continued)
▪ Unclassified data has two classification levels:
• Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
• Unclassified—Data available to the public

Declassification of Government Data (figure slide; only the title survives in the preview)

Business Classification Scheme
▪ Highly Sensitive: Mission critical data
▪ Sensitive: Data that is important but not vital to the business mission
▪ Internal: Data not related to the core business, such as routine communications within the organization
▪ Public: Data that has no negative impact on the business when released to the public

Developing a Customized Classification Scheme
▪ Determine the number of classification levels
▪ Define each classification level
▪ Name each classification level
▪ Align classification to specific handling requirements
▪ Define audit and reporting requirements

Classifying Data
▪ Data ownership
▪ Security controls

Data Handling Policies
▪ Policies, standards, and procedures must be defined regarding data during:
• Creation—During creation, data must be classified. That could be as simple as placing the data within a common storage area.
• Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
• Use—Use of data includes protecting and labeling information properly after it is accessed.
• Transmission—Data must be transmitted in accordance with policies and standards.

Data Handling Policies (Continued)
• Storage—Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled.
• Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
• Destruction—Destruction of data is sometimes called "disposal." When an asset reaches its end of life, it must be destroyed using a controlled procedure.

Database Encryption Attack Scenarios (figure slide; only the title survives in the preview)

Data Classification of Volume versus Time to Recover (figure slide; only the title survives in the preview)

Risk Management Process (figure slide; only the title survives in the preview)

Risk and Control Self-Assessment (RCSA)
▪ What the major known risks are
▪ Which of these risks will limit the ability of the organization to complete its mission
▪ What plans are in place to deal with these risks
▪ Who "owns" the management and monitoring of these risks

Risk Management Policies
▪ Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
• Public organizations, such as police departments, cannot avoid high risk
• Private organizations can avoid risk through strategic decisions, such as placing their data centers out of storm paths

Risk Management Policies (Continued)
▪ The power to choose which risks to accept is the main difference between public and private organizations

Risk Management Strategies
▪ Risk avoidance—Not engaging in certain activities that can incur risk
▪ Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
▪ Risk transference—Sharing the risk with an outside party
▪ Risk mitigation—Reducing or eliminating the risk by applying controls

Quality Assurance vs. Quality Control
▪ Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
▪ Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes

Best Practices for Data Classification and Risk Management Policies
▪ Keep the classification simple—no more than three to five data classes.
▪ Ensure that data classes are easily understood by employees.
▪ Data classification must highlight which data is most valuable to the organization.
▪ Classify data in the most effective manner, classifying the highest-risk data first.

Summary
▪ Data classification based on the military scheme
▪ Risk management policies for the private and public sectors
▪ Roles and responsibilities associated with risk management policies
▪ Data handling policies
▪ Quality Assurance (QA) and Quality Control (QC)
▪ Risk and Control Self-Assessments (RCSA)
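The "Developing a Customized Classification Scheme" steps and the "Data Handling Policies" slides describe aligning each classification level with handling requirements and auditing the result. As an added example (not from the slides or the textbook), the Python below encodes the deck's business classification levels and lifecycle stages as policy-as-code: the control names, which level requires which control, and the sample asset names are assumptions.

```python
from dataclasses import dataclass, field

# Business classification levels from the slides, ordered low -> high risk.
LEVELS = ["Public", "Internal", "Sensitive", "Highly Sensitive"]
STAGES = ("transmission", "storage", "physical_transport", "destruction")

# Controls each level requires at each lifecycle stage. The control names and
# the level-to-control mapping are assumed policy values, not taken from the deck.
REQUIREMENTS = {
    "Public":           {s: set() for s in STAGES},
    "Internal":         {"transmission": set(), "storage": {"approved_device"},
                         "physical_transport": {"approved"},
                         "destruction": {"controlled_procedure"}},
    "Sensitive":        {"transmission": {"encrypted"}, "storage": {"approved_device"},
                         "physical_transport": {"approved", "tracked"},
                         "destruction": {"controlled_procedure"}},
    "Highly Sensitive": {"transmission": {"encrypted"},
                         "storage": {"approved_device", "encrypted"},
                         "physical_transport": {"approved", "tracked", "encrypted"},
                         "destruction": {"controlled_procedure", "certificate"}},
}

@dataclass
class HandlingEvent:
    asset: str                 # constructed asset name, e.g. "payroll.db"
    level: str                 # label assigned at creation ("" = never classified)
    stage: str                 # one of STAGES
    controls: set = field(default_factory=set)  # controls actually applied

def check_event(ev: HandlingEvent) -> list:
    """Return the controls the policy requires but the event lacks ([] = compliant)."""
    if ev.level not in REQUIREMENTS:
        # Creation-stage rule from the deck: data must be classified before handling.
        raise ValueError(f"{ev.asset}: not classified at creation")
    if ev.stage not in STAGES:
        raise ValueError(f"{ev.asset}: unknown handling stage {ev.stage!r}")
    return sorted(REQUIREMENTS[ev.level][ev.stage] - ev.controls)

def audit(events) -> list:
    """Audit/reporting output: one record per event, highest-risk class first.
    Unclassified assets sort first so check_event reports them before anything else."""
    rank = lambda e: LEVELS.index(e.level) if e.level in LEVELS else len(LEVELS)
    return [{"asset": e.asset, "level": e.level, "stage": e.stage, "missing": check_event(e)}
            for e in sorted(events, key=rank, reverse=True)]

if __name__ == "__main__":
    # Constructed sample events, not real assets.
    sample = [HandlingEvent("memo.txt", "Internal", "storage"),
              HandlingEvent("payroll.db", "Highly Sensitive", "transmission", {"encrypted"}),
              HandlingEvent("payroll.db", "Highly Sensitive", "destruction", {"controlled_procedure"})]
    for rec in audit(sample):
        print(rec)
```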