Implementing an Information Classification Scheme - Essay Example

Information Classification Schema Student Name Institution Affiliation Contents Executive Summary 3 Introduction 4 Purpose 5 Scope 5 Assumptions 5 Why is Information Classification Important? 6 Implementing an Information Classification Scheme 7 Step 1: Identification of Information Resources to be Protected 7 Step 2: The Identification of Data Protection Measures that Map to Data Sources 8 Authentication 8 Encryption 8 Role-Based Access 9 Technology Control 9 Administrative Control 9 Assurance 9 Step 3: Identification of Information Classes 9 Step 4: Protection of information classes mapping information 10 Step 5: Information Classification 10 Step 6: Repeat as Required 10 Potential Problems and Solutions 10 Data Privacy 10 Data Masking 11 Intellectual Property Rights 12 Trademark 12 Site Protection 13 Conclusion 13 References 14 Executive Summary The field of information security is a sensitive area considering the growing importance of organizational data throughout the years (Bishop, 2016). Information has become a crucial asset for companies. As such, its protection should be guaranteed as access to unauthorized parties could cripple an organization. Technologies change and information grows which means that companies should conform to these changes. This report discusses the importance of the common sense information classification scheme. It is a six-step process that explains what should be done to a given data set to ascertain its protection when it is relayed. There has been an overgrowing importance on protecting the confidentiality, integrity, and accessibility of information in organizations (Tozer, 1999). As such, the common sense technique is one alternative that will ensure that the process of data protection is actualized. This technique is suitable for 3D Media now that it must guarantee information security for its users. Another critical issue addressed in this reports is the potential problems and solutions for 3D Media. It was identified that intellectual property rights was an important solution for the company to prevent competitors from using its idea. Similarly, the need for site protection was noted as a critical solution. With it, the company's website will remain inaccessible during its construction. In that way, proper testing can be done before the final release of the software program (Tozer, 1999). Also, this report found out the need for creating a company trademark as a unique identifier of its products and services. In that way, 3D Media will not be scared by the idea of competitors using its social marketing plan, but will instead focus on satisfying its clients. In that respect, the common sense data classification scheme and the identified solutions will improve the information security of 3D Media. Information Classification Scheme Introduction Information security is a major factor in the development of companies, and therefore its implementation is imperative (Bishop, 2016). However, information should first of all be classified where data protection measures can be employed. Most of the organizations overlook the task of data classification and instead outsource firms to handle this obligation. Since the business community is acutely aware of the relevance of information, in most instances, inefficient technologies are deployed for data classification through outsourcing (Axelrod, 2004). In that way, businesses are unable to implement plans that are particular to their organizational structures. Furthermore, the complexity of technology and information is growing beyond unimaginable levels (Bishop, 2016). Therefore, the process of identifying the most suitable protection measures remains a difficult task. Similarly, once a particular technology is identified as the best; companies get caught up in the issue of investing in such and maintaining their clients. Most importantly, company management should ensure the protection of both staff and client information. However, the fact remains that the senior management is tasked with the obligation of the implementation of data protection measures (Axelrod, 2004). This role has been simplified over the years through the intervening of information security experts. In that way, company management has had the chance to create clear information protection guidelines. However, the increasing complexity of complementary technologies, external business pressure, and growth of information; the role of data protection has become too great for company managements (Tozer, 1999). Fortunately, the information security field provides enough experts and protection approaches to fill in this gap. On that note, this report will address the implementation of the common sense information classification approach for 3D Media. Purpose One of the ways of preserving information confidentiality, integrity, availability, and consistency for 3D Media is restricting unauthorized access. Most importantly, this requirement is not just a stipulation in the Data Protection Act but is rather a critical organizational asset that could benefit 3D Media. Different data requires varying security measures based on the sensitivity levels of the information. In that case, this report will provide insight on the relevance of an information protection scheme. For instance, its implementation provides guidance on the manner in which information should be categorized. More so, the rules of classifying information. Scope The common sense information classification scheme will be used will be used to categorize information and ensure its consistency between the source and destination. However, in the case of 3D Media scenario, this scheme will only be applied to the information from company employees and the clients. However, in the instance where legal stipulations necessitate that the plan accommodates other data users, then it shall take effect. Assumptions It was assumed that the interventions offered as solutions to the 3D Company issues are practical. Also, the reader can comprehend the information provided on data classification. Why is Information Classification Important? In line with the creation of the new social marketing tool for 3D Media, there is the need for an information classification scheme. Companies should not risk exposing sensitive financial and client information. Various reasons support the need for information security coupled with publications, news and the current turn of events (Axelrod, 2004). For instance, the internet is one of the tools commonly used for business transactions by professional and novice users. As such, without proper protection measures, firms and their clients may be subjects of information theft. In the same way, information technology is used as the best tool for cyber-crimes. As a result, the potential for crippling companies is huge. Also, government regulations, for example, the Gramm Leach Bliley require that organizations are responsible for the storage, access, exchange and the privacy of their information (Zelkowitz, 2004). In some instances, the firms that fail to oblige may be fined. The classification of information satisfies confidentiality as well as integrity issues (Zelkowitz, 2004). It allows for the proper documentation of data sources, and the persons responsible for its protection. Similarly, it provides a framework for determining the individuals involved in the provisioning process. In that way, administrators decide whether the use of an application should be authorized for use and whether it should be granted the access to critical company information (Zelkowitz, 2004). For instance, in the case of 3D Media where there is client access to sensitive information, data classification reduces the cost of administration and allows for employee access. With that, it becomes easy to track information usage since everyone with access to it, is identified by 3D Media. Most importantly, the clients build trust with their company since they are assured that their information is safe. Implementing an Information Classification Scheme Various ways exist on the classification of company information, and the key factor is the implementation of protection measures. The successful implementation of data classification by 3D Media will require its reorganization. On that note, this report will give a stepwise demonstration of the entire classification process. The scheme use is the common sense technique that encompasses a series of iterative steps that support the whole idea of classifying information. The five steps are elaborated as follows; Step 1: Identification of Information Resources to be Protected The common means of collecting data comprise questionnaires, surveys and written surveys. However, there lacks vendor expert systems to use for information classification. In that case, where information has not been classified, the sources should be operating systems, senior managers, developers, business champions and database administrators (Perkins, 2010). The entire information classification process should factor in issues such as the use of mobile and desktop apps and the prevalence of distributed computing (Perkins, 2010). The reason is that these factors affect information independently. However, upon the successful completion of this step, 3D Media will attain a complete description of the company data sources, the storage areas, information owners, data custodians, types of resources and the protection mechanisms. Different information can be classified in one domain when similar protection styles can be used (Perkins, 2010). For instance, data may be categorized according to geography, technology, and organization. Once company data has been identified, the following steps will build on this process Step 2: The Identification of Data Protection Measures that Map to Data Sources Data protection is an important process and may be backed up by reason such as company policies, and existing external and internal processes. Additionally, information custodians, managers and business champions may support the need for information protection (Perkins, 2010). However, there are standard industry-known measures as described below. Most importantly, they are highly applicable to 3D Media now that it has to ensure that its product development information remains within the confines of the company. Authentication With authentication, the confidentiality of both the clients and company staff is guaranteed. More so, it will ensure that a person is the one they claim to be by requiring them to submit their identification in the mobile and desktop apps (Perkins, 2010). In this case, the strength of the authentication process will depend on the validation technology. For instance, simple authentication may require an id then a password. However, for double authentication, the user can be prompted to provide both their password and id as well as their secret word. Encryption Here, encryption formats that are difficult to view and alter should be utilized. For instance, in the login and financial transactions, encryptions should be used (Perkins, 2010). In that way, personal and sensitive information remains private and more so ensure consistent protection. Role-Based Access Another instance of information security is allowing access based on job categories (Perkins, 2010). For example, an administrator may be authorized to validate data based on business need. As such, access control lists that support various levels may be implemented. Technology Control In this case, particular methods, for instance, antivirus protection, network segregation, and application redundancy (Perkins, 2010). Administrative Control The measure is used to ascertain the integrity of data. However, in most case scenarios administrative control measures are rather presumed as opposed to implementation following the high operational overheads (Perkins, 2010). For example cross training, separation of duties and rotation. Assurance When ascertaining the protection of information, validation of the system is a crucial process (Perkins, 2010). For instance, code walkthroughs, transactional monitoring, file access, intrusion detection, and compliance monitoring are important validations procedures to implement. In the case of 3D Media, there will be assurance that information is secure from third party access. Step 3: Identification of Information Classes Information classes are labels that indicate the protection goals of an organization. These labels are sensitive and different where they also have varying meanings to different people. As such, the description of high-level access classes and the protection measures are necessary for the people classifying information (Perkins, 2010). With that, all the data types should be identified randomly since the following classification as well as protection steps will change the initially identified class labels. Step 4: Protection of information classes mapping information Before the classification of data, protection measures should be identified and mapped to the respective information classes (Perkins, 2010). The entire process should be founded on data integrity, confidentiality, assurance, and availability. Step 5: Information Classification In this step, the classification protection measures and labels are applied to the data sources as in the above processes (Perkins, 2010). The goal is to validate the security measures used in the classification process are appropriate for the data sources. This step also challenges the assumptions made in the above processes (Perkins, 2010). However, if the data classes and safeguard measures do not accommodate the classification procedure, then move to the last step. Step 6: Repeat as Required This is the last step of the common sense information classification scheme for 3D Media. It entails the iterative process of adjusting protection levels, adjusting classes and source labels. In so doing, it becomes easy to classify all the information and most importantly ensuring its security (Perkins, 2010). Potential Problems and Solutions Data Privacy Although the common sense information classification scheme is practical for 3D Media, some issues requires attention. Over the years, data privacy has ensured that unauthorized people are restricted from accessing sensitive information. Therefore, in 3D Media's case, it means that the company should make sure that no bit of information leaks. The reason that in today's word, information is an asset for businesses (Svenonius, 2000). As such, it if ends up in the wrong hands, then the victim organization will suffer the consequences. With that in mind, data privacy can be achieved through the following methods; Compiling a list of employees and client contact information Having a list of the current and prospectus customer details A scheme of consumer behavior, geographic trends and sale forecasts Identifying the company’s directions and product plans Data Masking While 3D Media is yet to launch it mobile and desktop applications, little information is known about how the company data will change once in the real world. In that case, data masking refers to the process that analyses how information is stripped when it leaves its source to the destination (Zelkowitz, 2004). The following are various reason as to why data masking would be a good idea for 3D Media; a. Authorization – only the authorized personnel will be allowed the access to define the nature of data transformation. As such, all the information extracted from a live system will be required to pass through the right changes (Svenonius, 2000). b. Consistency – data masking is critical as it ensures that the process of data transformation does not change. In that way, if given manager changes a client's name, then the alteration should be noted in the entire system. Therefore, data masking is an important part of software testing as it affirms the stakeholders that their information would not change without reason. c. Referential Integrity – at some point during software use, some assigned values will require being changed but in a consistent manner. For instance, customer numbers, product, and account numbers (Svenonius, 2000). Similarly, all the values used as foreign and primary keys should be transformed appropriately. Therefore, with data masking, 3D Media will be in a position to test the integrity of its application data. d. Uniqueness constraints – when data is masked, it supports unique constraints. For instance, when an employee id is used as a unique identifier, then it should reflect its uniqueness on other primary keys (Zelkowitz, 2004). Intellectual Property Rights Now that the social media and other competing businesses are eagerly waiting for the launch of 3D Media marketing tool, it is imperative to consider its intellectual property rights. The use of copyright is to allow 3D Media to benefit from its creation and investment. As such, it will be in a capacity to expand since its social marketing idea will be patented, and no other businesses would use it to their gain. Similarly, the legal protection associated with intellectual rights property will facilitate the commitment of resources to develop the tool (Bosworth, 2014) further. The reason is that this company will not be haunted by the thought of dealing with copycat organizations. Also, the implementation of intellectual property rights will be an economic booster (Bosworth, 2014). People will get jobs from 3D Media and in turn, the quality of life will improve. Trademark While 3D Media may have the fear of what might happen in case its competitors know about its new software, it should be concerned with creating its brand. A trademark is valuable as it identifies particular services and products with a given organization (Bosworth, 2014). With that, when the new marketing tool is branded with 3D Media’s trademark, then other companies would have to develop their systems as opposed to borrowing from this firm. More so, the customers will associate this system with 3D Media’s services. As a result, there would be more sales through social networking. Most importantly, with a trademark, the shareholders of 3D Company would not feel intimidated once their system is officially released to the internet. On the contrary, they will feel like they have exclusive rights. More so, they will be shielded from copycats who capitalize on other people's creativity. Site Protection While 3D Media is still on the final stages of finalizing the release details of its new software, the company should consider site protection. It refers to the use of password to restrict the access of a website that is hosted on an internet server but is yet to be officially released for use (Tiffany & Nelson, 1998). In that way, malicious parties such as cyber-criminals cannot alter codes or implant bugs to cripple the program. Content Management Programs such as WordPress have a functionality that allows for site protection before the set launch date. More so, as an intervention, the competitors of 3D Media cannot have an idea of what is going on until the official launch date. In that way, all the aspects of the software program will be tested to ensure that it is scalable and efficient. The result is that the company clients and employees will be provided with a system that provides more than convenience (Tiffany & Nelson, 1998). It is also during the actualization of site protection that other implementations can be employed such as intellectual property rights. Conclusion The point is clear; information security should be given top priority in an organization. Over the years, information has become a crucial resource for companies. Therefore, malicious parties would go to all extents to find what benefits them. The entire process begins with the identification of a suitable information classification scheme. In this case, the common sense method was chosen which involves six important steps. However, a classification method is not enough; other factors come to play. For instance, the issue of creating a trademark, signing for intellectual property rights and site protection are detrimental for the entire information security process. However, the process of data protection is continuous. The idea is to ensure that strong policies are in place to guarantee the protection of crucial information for companies and their clients. References Axelrod, C. W. (2004). Outsourcing information security. Boston: Artech House. Bishop, M. (2016). Information security. Place of publication not identified: Springer International Pu. Bosworth, D. L. (2014). Intellectual Property Rights. Elsevier Science. Perkins, J. (2010) Standard Information Security - Information Classification Svenonius, E. (2000). The intellectual foundation of information organization. Cambridge, Mass: MIT Press. Tiffany, M. E., & Nelson, M. L. (1998). Creating a canonical scientific and technical information classification system for NCSTRL+. Hampton, Va: National Aeronautics and Space Administration, Langley Research Center. Tozer, G. V. (1999). Metadata management for information control and business success. Boston: Artech House. Zelkowitz, M. V. (2004). Information security. Amsterdam: Elsevier Academic Press. Read More