Printer Friendly

Checked your infosec lately?

IN A SURVEY OF BANKING INSTITUTIONS, conducted in April 1989 at the Bank Administration Institute Conference, only half the respondents said they had documented procedures in place and in use for classifying sensitive and critical information. That statistic is complicated by the fact that 94 percent of the organizations said they store critical data off-site. That finding raises two concerns:

* Potentially critical or sensitive data may not have adequate protection.

* The expense of protecting over-classified data is unnecessary.

Classification of information according to its sensitivity or criticality addresses different facets of the information's value to a company. Since the two types of classifications-sensitivity and criticality-require two separate sets of criteria and procedures, this article will address only the sensitivity issue and leave criticality for another discussion.

Sensitive information is a generic term for information a company needs to protect. Such information is sometimes called confidential or proprietary, depending on the organization. It is defined as any information, tangible or intangible, that an organization has created or obtained or that has been placed under an organization's control that might jeopardize an organization's competitive edge or potentially prove embarrassing if released.

Implementing a classification scheme indicates your organization's intention to keep designated information confidential. Expressly marking documents according to a documented classification procedure is the first step toward legal recognition of corporate information protection. Such a program indicates that the information is a corporate asset designated to remain in confidence.

You should consider a wide variety of information for sensitive classification, including data on bids and proposals. Consider not only actual reports but also proposal research, assuming the bids are competitive. Budget forecasts, whether good or bad, could be used to the advantage of a competitor and to the detriment of your organization.

In that light, forecasts of any kind, proposed product announcements, and especially product pricing details are particularly sensitive prior to announcement. Numerous examples of potentially damaging information exist both in general and for issues unique to your organization.

In addition to business data, you have a legal responsibility to protect employee and customer information that is considered personally identifiable. Employee information includes military and handicap classifications. As for customer data, insurance carriers must protect information on the medical histories of their clients.

Considering the variety of information that might be classified, the process is obviously not simple. Why would an organization choose to engage in such a resource-intensive process? The primary reason is the value of its information assets, which are typically ranked second only to employees. Controlling your information resources is prudent management.

Information has varying levels of sensitivity. That is, more people need to have access to certain pieces of information than to others. Therefore, you should not only classify information as sensitive but also define levels of access. The number of levels should be kept to a minimum-two or three levels have proven to be most effective. Typically the number of levels is determined by the groups of people authorized to access the information.

One level might allow information to be freely shared within the company but not made available to nonemployees. A second level could be designated for certain employees only. A third level might be one that is strictly controlled and limited to a designated few, which might cover executive reorganization discussions prior to desired publication.

After classifying information according to its sensitivity, determine controls for various classification levels. Examples of such controls include markings, access, distribution, reproduction, transmission, storage, destruction, and disposal. Document associated rules and apply them consistently within your organization. In putting together a protection program, consider the following controls:

Markings. Designate a standard set of markings for each classification. The most frequent exception is public information, which is unmarked. Markings should always appear in the same location on sensitive documents or computer screens-at the center bottom of the page, for example. That way recognition is immediate.

AT&T, for example, uses the term "proprietary information" to identify three levels of sensitive information. The following markings are used:

* AT&T-Proprietary: Use pursuant to company instructions

* AT&T-Proprietary (Restricted): Solely for authorized persons having a need to know-pursuant to company instructions

n AT&T-Proprietary (Registered): Solely for authorized persons having a need to know and subject to cover sheet instructions

Those markings are placed on all proprietary documents based on their sensitivity, including computer printouts. Sensitive information displayed on a computer screen should also be marked. You might consider using a shortened statement customized to the standard line width of the computer.

Access. You must consider both physical and logical access controls for various levels of sensitive information. AT&T's markings indicate the level of need-to-know criteria established for the classes used in its scheme.

Typical physical access controls range from building perimeter protection to locked desk requirements. Limited access to data center facilities through the use of card key systems and visitor badges with escorts protects information from unauthorized physical access.

In today's environment of on-line networked information systems, logical access controls are critical. Identifications and passwords are your first line of defense.

Distribution and reproduction. The distribution of sensitive information, whether through internal company mail, courier, or US mail, requires specific controls. For example, double sealed envelopes with the inner envelope marked "sensitive" and the outer one bearing only the recipient's mailing information provide an extra layer of protection. Return-receipted mail ensures recognition and control of delivery to the appropriate individual.

Controlling reproduction of sensitive information is most important. You must ensure that only authorized individuals reproduce sensitive information and that workers do not toss poor copies produced at a copying machine in the ordinary trash. Nonsensitive, unmarked documents can be thrown into trash cans or recycle bins. More sensitive information should be shredded.

Transmission. You must control transmission of your organization's sensitive information. For example, dial-up lines with no access protection allow uncontrolled transmission. You should keep the possibility of satellite transmission interception in mind when building a network. When more sensitive data is transmitted over lines not totally controlled by your corporation, you should consider the dial-up versus private line costs and benefits of encryption.

Storage. If your company premises are secured by perimeter controls, such as card key access or guard services, no additional controls may be needed for securing less sensitive information. More sensitive data requires an additional level of security, however, such as a locked desk or file cabinet. If that is the case, be sure to have an administrative procedure in place for key control. Data in the most sensitive classification, if stored in computer memory, may require encryption.

Destruction. The key to destroying sensitive data is ensuring that information is no longer readable by people or machines. You should establish procedures for shredding paper and diskettes. For mechanized data you need utility programs that totally write over all characters. If appropriate, backup copies should also be destroyed.

Disposal. If sensitive information has been properly destroyed, disposal is not a problem. You can hire a bonded contractor with a written nondisclosure agreement to ensure proper disposal.

You must take additional care in selecting and stating requirements when you hire a contractor to both destroy and dispose of sensitive information. Depending on the sensitivity of the data, it may be appropriate to designate a company employee to oversee the process used by the contractor.

Other key issues. You should examine several other key issues when setting up an effective classification program. These include procedures for the official release of sensitive information, use of nondisclosure agreements, handling of sensitive information at internal and external meetings, and exiting employees.

Program implementation. Implementation is critical to the success of a classification program. It deserves a review of its own, but at a minimum you must include upper level management support and employee training and awareness programs.

Implementing an information classification program is the first step in showing that your organization recognizes the value of its information assets. Asset protection programs, regardless of their form, are corporate management's responsibility. Through such programs, you as a manager inform each employee of his or her individual responsibilities for information asset protection. * About the Author . . . Catherine W. Weyhausen is senior consultant with AT&T Data Security Services. over 15 years' experience in data processing, and her expertise covers data security policy development and implementation, compliance analysis, and crisis management with an emphasis on data systems contingency planning. She is a member of ASIS.
COPYRIGHT 1990 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1990 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:information security
Author:Weyhausen, Catherine W.
Publication:Security Management
Date:Jun 1, 1990
Previous Article:The virtues of vocational schools.
Next Article:The intrusion detection misconception.

Related Articles
Putting Info-Sec to the test.
SNMP's real vulnerability: in-band network management, by its very nature, poses business continuity issues that need to be addressed. (The Bottom...
Cisco curriculum meets government security training standards.
Global INFOSEC Partnership Conference (GIPC) (May 4-6, 2004).

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters