Security Policies and Implementation Issues
Week 9
Data Classification and Handling Policies and Risk Management Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different information security systems (ISS) policies associated with risk management.
Key Concepts
▪ Business risks related to information systems
▪ Risks associated with the selected business model
▪ Differences between public and private risk management policies
▪ Risk and Control Self-Assessments (RCSA)
▪ Quality Assurance (QA) and Quality Control (QC)
Purpose of Data Classification
Protect information
Retain information
Recover information
Legal Classification Scheme
Prohibited Information
Restricted Information
Confidential Information
Unrestricted Information
Military Classification Scheme
▪ The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356:
• Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to the national security
• Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security
• Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to the national security
Military Classification Scheme (Continued)
▪ Unclassified data has two classification levels:
• Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
• Unclassified—Data available to the public
Declassification of Government Data
Business Classification Scheme
Highly Sensitive: Mission-critical data
Sensitive: Data that is important but not vital to the business mission
Internal: Data not related to the core business, such as routine communications within the organization
Public: Data that has no negative impact on the business when released to the public
Developing a Customized Classification Scheme
Determine number of classification levels
Define each classification level
Name each classification level
Align classification to specific handling requirements
Define audit and reporting requirements
Classifying Data
Data ownership
Security controls
Data Handling Policies
▪ Policies, standards, and procedures must be defined regarding data during:
• Creation—During creation, data must be classified. That could be as simple as placing the data within a common storage area.
• Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
• Use—Use of data includes protecting and labeling information properly after its access.
• Transmission—Data must be transmitted in accordance with policies and standards.
Data Handling Policies (Continued)
• Storage—Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled.
• Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
• Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed following a controlled procedure.
Database Encryption Attack Scenarios
Data Classification of Volume versus Time to Recover
Risk Management Process
Risk and Control Self-Assessment (RCSA)
▪ What the major known risks are
▪ Which of these risks will limit the ability of the organization to complete its mission
▪ What plans are in place to deal with these risks
▪ Who “owns” the management and monitoring of these risks
Risk Management Policies
▪ Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
• Public organizations, such as police departments, cannot avoid high risk
• Private organizations can avoid risk through strategic decisions, such as placing their data centers out of storm paths
Risk Management Policies (Continued)
▪ The power to choose what risk to accept is the main difference between public and private organizations
Risk Management Strategies
▪ Risk avoidance—Not engaging in certain activities that can incur risk
▪ Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
▪ Risk transference—Sharing the risk with an outside party
▪ Risk mitigation—Reducing or eliminating the risk by applying controls
Quality Assurance vs. Quality Control
Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes
Best Practices for Data Classification and Risk Management Policies
▪ Keep the classification simple—no more than three to five data classes.
▪ Ensure that data classes are easily understood by employees.
▪ Data classification must highlight which data is most valuable to the organization.
▪ Classify data in the most effective manner, addressing the highest-risk data first.
Summary
▪ Data classification based on the military scheme
▪ Risk management policies for the private and public sector
▪ Roles and responsibilities associated with risk management policies
▪ Data handling policies
▪ Quality Assurance (QA) and Quality Control (QC)
▪ Risk and Control Self-Assessments (RCSA)