ESTABLISH CLASSIFICATIONS

Once all the risk assessment and classification criteria has been gathered and analyzed, the team must determine how many classifications are necessary and create the classification definitions, determine the controls necessary for each classification for the information and software, and begin to develop the roles and responsibilities for those who will be involved in the process. Relevant factors, including regulatory requirements, must be considered when establishing the classifications.

Too many classifications will be impractical to implement, most certainly will be confusing to the data owners and meet with resistance. The team must resist the urge for special cases to have their own data classifications. The danger is that too much granularity will cause the process to collapse under its own weight. It will be difficult to administer and costly to maintain.

On the other hand, too few classes could be perceived as not worth the administrative trouble to develop, implement, and maintain. A perception may be created that there is no value in the process, and indeed the critics may be right.

Each classification must have easily identifiable characteristics. There should be little or no overlap between the classes. The classifications should address how information and software are handled from their creation, through authorized disposal. See Exhibit 3, Information/Software Classification Criteria.

Exhibit 3.  Information/Software Classification Criteria

Following is a sample of classification definitions that have been used in many organizations:

•  Public — Information, that if disclosed outside the company, would not harm the organization, its employees, customers, or business partners.

•  Internal Use Only — Information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.

•  Company Confidential — Sensitive information that requires “need to know” before access is given.

It is important to note that controls must be designed and implemented for both the information and software. It is not sufficient to classify and control the information alone. The software, and possibly the hardware on which the information and/or software resides, must also have proportionate controls for each classification the software manipulates. Below is a set of minimum controls for both information and software that should be considered.

Information — Minimum Controls

Encryption — Data is encrypted with an encryption key so that the data is “scrambled”. When the data are processed or viewed, the data must be decrypted with the same key used to encrypt the data. The encryption key must be kept secure and known only to those who are authorized to have access to the data. Public/private key algorithms could be considered for maximum security and ease of use.

Review and approve — A procedural control, the intent of which is to ensure that any change to the data is reviewed by someone technically knowledgeable to perform the task. The review and approval should be done by an authorized individual other than the person who developed the change.

Backup and recovery — Depending on the criticality of the data and ease of recovery, plans should be developed and periodically tested to ensure the data are backed up properly, and can be fully recovered.

Separation of duties — The intent of this control is to help ensure that no single person has total control over the data entry and validation process, which would enable someone to enter or conceal an error which is intended to defraud the organization or commit other harmful acts. An example would be not allowing the same individual to establish vendors to an Authorized Vendor File, then also be capable of authorizing payments to a vendor.

Universal access: none — No one has access to the data unless given specific authority to read, update, etc. This type of control is generally provided by security access control software.

Universal access: read — Everyone with access to the system can read data with the control applied; however, update authority must be granted to specific individuals, programs, or transactions. This type of control is provided by access control software.

Universal access: update — Anyone with access to the system can update the data, but specific authority must be granted to delete the data. This control is provided by access control software.

Universal access: alter Anyone with access to the system can view, update, or delete the data. This is virtually no security.

Security access control software — This software allows the administrator to establish security rules as to who has access rights to protected resources. Resources can include data, programs, transactions, individual computer IDs, and terminal IDs. Access control software can be set up to allow access by classes of users to classes of resources, or at any level of granularity required to any particular resource or group of resources.

Software — Minimum Controls

Review and approve — The intent of this control is that any change to the software be reviewed by someone technically knowledgeable to perform this task. The review and approval should be an authorized individual other than the person who developed the change.

Review and approve test plan and results — A test plan would be prepared, approved, documented, and followed.

Backup and recovery — Procedures should be developed and periodically tested to ensure backups of the software are performed in such a manner that the most recent production version is recoverable within a reasonable amount of time.