Information is one of the corporate's most important assets. It needs to be protected, particularly since it is often shared within the organization and with trading partners. Protection strategies and resources should be applied effectively by allocating resources to the information that requires protection, based upon its sensitivity and criticality to the corporate. It is the Information Owner's responsibility to classify and protect the information assets for which they are accountable. The process to classify and protect sensitive information is as follows:
- Identify information assets.
- Allocate Information Owners.
- Document information assets in an Asset Register.
- Mark information assets with appropriate classification level.
- Protect asset accordingly.
These guidelines will take the Information Owner through the process of Security Classification, Marking and Protection. The implementation of these guidelines will ensure:
- The corporate's sensitive information is protected.
- Third parties and other external resources protect sensitive information.
- Information entrusted to the corporate by other organizations is protected.
Information has varying degrees of sensitivity and criticality. A great deal of information may need no security, or only a very low level. Other information, however, may be commercially sensitive and will require higher levels of security. Information assets must be classified and managed according to their security requirements so that security controls are commensurate with the security risks.
Security Risks
A common approach to information classification and protection across the corporate Group will:
- Reduce the risk of damage to the corporate reputation, profitability or interests due to sensitive information loss;
- Reduce the risk of embarrassment or loss of business arising from the loss of another organization’s sensitive information;
- Increase confidence in trading partnerships and in the outsourcing of sensitive work;
- Simplify the exchange of sensitive information with third parties, while ensuring risks are managed.
Risk Management
Security measures should be justifiable, practical and necessary. They should be balanced against the business risk of disclosure. Business risk is assessed in the following terms:
Impact
What would be the impact on the organization if the information were disclosed? This is the basis of security classification and is used to determine the classification level.
Threat
Which individuals or organizations are likely to want to obtain your information? How effective might they be? What methods might they use and what resources and capabilities do they have?
Vulnerability
Where is your information most vulnerable? How can it be compromised?
Security Risk Management
By assessing these three aspects, you will get an idea of the threats to your information and the business risk to the corporate.
Consequences of a Security Breach
In broad terms, the potential consequences of a security breach involving the corporate's information include:
- Loss of life or injury
- Financial loss
- Damage to reputation and brand
- Litigation
- Failure to meet regulatory and legislative requirements
- Loss of competitive advantage
- Loss of shareholder confidence
Security Classification and Marking
Classified information is marked so that people know to apply appropriate security protection. The classification is dependent upon the impact or damage likely to occur if the information is leaked or disclosed to the wrong people.
This guidance defines four levels of classification:
- Highly Confidential (Protected)
- Confidential
- Internal Use Only
- Public
Information Owner Responsibilities
The Information Owner is responsible for allocating a suitable classification level for all information within their control based upon a current risk assessment. The Information Owner should ensure that the protection requirements per classification level are applied to all levels of classified information and conduct regular reviews to ensure that the requirements are being met.
Regular reviews will also help ensure that information that has been downgraded is not being protected at the previous classification level, which involves unnecessary and costly protection requirements.
Downgrading
Some information is only sensitive for a specific period of time. In this case, the Information Owner should indicate a date, or an event, after which the information can be de-classified. This avoids unnecessary protection of information.
Classification Levels – Description
HIGHLY CONFIDENTIAL (Protected)
Unauthorized disclosure, loss or unauthorized modification of information (even within the corporate) would cause serious damage to the interests of the corporate. It would normally inflict harm in the form of serious financial loss, severe loss of profitability or opportunity, grave embarrassment or loss of reputation.
Information Types
Highly Confidential is the highest level of classification within the corporate. Types of information that should be classified to this level include:
- Details of major acquisitions, divestments and mergers
- High-level business and competition strategy
- Very sensitive competitor, partner or contractor assessments
- High-level business plans and potential options
- Patent secrecy information
- Material protectively-marked HIGHLY CONFIDENTIAL by the corporate.
Marking
All information classified HIGHLY CONFIDENTIAL must be marked with the classification level. This includes all documents (every folio), files, binders, media, equipment, etc.
Minimum Protection Standards
HIGHLY CONFIDENTIAL information should be protected properly. Suggested minimum standards of protection required are documented in the Classification and Protection Matrix.
If your business unit is located in a high-risk region, additional protective measures may be necessary. Contact the Information Security Management Department for further guidance and advice.
CONFIDENTIAL
Unauthorized disclosure, loss or unauthorized modification of information (even within the corporate) would cause significant harm to the interests of the corporate. This would normally inflict harm in the form of financial loss, loss of profitability or opportunity, embarrassment or loss of reputation.
Information Types
Types of information that should be classified to this level include:
- Negotiating positions
- Marketing information
- Competitor assessments
- Personnel information
- Customer information
- Material protectively marked CONFIDENTIAL by the corporate.
Marking
All information classified CONFIDENTIAL must be marked clearly with the classification level. This includes all documents, files, binders, media, equipment, etc.
Minimum Protection Standards
CONFIDENTIAL information should be protected properly. Suggested minimum standards of protection required are documented in the Classification and Protection Matrix.
If your business unit is located in a high-risk region, additional protective measures may be necessary. Contact the Information Security Management Department for further guidance and advice.
INTERNAL USE ONLY
Unauthorized disclosure, loss or unauthorized modification of information, particularly outside the corporate, would be inappropriate and inconvenient. This is routine information which the corporate simply wishes to keep private.
This classification need not be marked on the information itself; it covers the majority of information and should be the default classification unless a different level is warranted on a per-document basis.
This classification level applies to all the corporate business information that does not require a higher classification level.
By default, all information is initially classified “Internal Use Only”. The following statement should appear in the footer of all Internal Use Only business documents.
Copyright Statement: © 2009 The Corporate. Internal Use Only.
Minimum Protection Standards
INTERNAL USE ONLY information should be protected properly. Suggested minimum standards of protection required are documented in the Classification and Protection Matrix.
PUBLIC
The Public classification level applies to corporate information that is authorized to be released into the public forum by Public Relations. There is no requirement to mark this information with the classification level.
Implementation
Implementation guidelines have been prepared to help Information Owners and business units implement the classification system. Contact Information Security Management for further guidance, advice and resources.