Information Classification Scheme 3D Media Comm. Ltd - Case Study Example

Summary
The author of the "Information Classification Scheme 3D Media Comm. Ltd" paper identifies the minimum standards 3D Media Comm. Ltd. must use for the appropriate classification of data, which will protect its sensitive information from access by third parties. …

Extract of sample "Information Classification Scheme 3D Media Comm. Ltd"

INFORMATION CLASSIFICATION SCHEME

Name of Student
Institution Affiliation
Date

Table of Contents

Executive Summary
The Scope of Information Security
Asset Register
Classification of Information
    Low Sensitivity
    Medium Sensitivity
    High Sensitivity
Classification Considerations
Information Labelling
Handling of assets/Asset Management
Risk Assessment
    Risk Assessment Process
Security Controls
    Levels of Mitigation
    Minimum Security Measures as Per Classification Levels
References

Executive Summary

The aim of this article is to identify the minimum standards 3D Media Comm. Ltd. must use for the appropriate classification of data; this will protect its sensitive information from access by third parties. Data classification is a vital part of data management, which involves planning and implementing complete and responsible information security practices. The article analyzes a standard data classification approach that covers the classification scheme, risk assessment, the required considerations for classification, the data security control requirements and the general data management procedures. These will enable the organization to adequately protect the designed revolutionary method before its official release to small businesses.

The Scope of Information Security

Information security, a critical first step to creating a secure organization, involves the process of categorizing data according to the extent to which it is sensitive. Information is classified as top secret, restricted, confidential, internal or public in ascending order of sensitivity. In such a scheme only authorised individuals gain access to the information, in line with the risk of unauthorized disclosure. Different levels of data protection are available; highly sensitive data has a relatively greater level of protection than data which is not, that is, public data.
The high-risk data will most probably determine the classification of the entire collection (Sebastian, 1989). The main reason information is secured is to prevent personnel who are not authorized from accessing it, hence creating some level of privacy. When this is not done properly for data stores such as databases that carry increased risk, data breaches are bound to occur. There are different systems for classifying data, as categorized above. For 3D Media Comm. to put countermeasures in place, the company must formulate a set of terms and the relationships between them (Nesteruk, 2014). These conditions will help communicate and begin to classify data types; this creates an opportunity to identify the risk by the type of data in question. Data classification is the starting point for treating all information as classified and avoiding the unknowing leak of any information, as it may be valuable to competitors (Hong et al., 2003). Providing security to this revolutionary method will protect it from being accessed by competitors, allow 3D Media Comm. to make adjustments to it before it is released, and hence increase its marketability using the revolutionary method (Barki, 1988).

Asset Register

The essence of creating the asset inventory is to state explicitly the type of classified information that needs protection (Kovacich, 1997). The organization in possession, 3D Media Comm., will own this information. The data owner is the head of the agency and is ultimately responsible for formulating the classification, implementing the security measures and establishing proper use of the company's data. However, a few individuals in the organization may be assigned part of this task by the owner.

Information Manager: Responsible for developing general procedures and guidelines for the management of the data, access to it and its security in general (Recio, 2017).
Data Steward: Unlike the manager, the data steward is responsible for running the daily activities concerning the revolutionary idea on behalf of the data owner.

Data user: Any individual who is allowed to access the information and use it (Hong and Chao, 2003). This new product will only be secure when the number of users is limited. The new product of the company can be available to all the concerned teammates in forms such as electronic documents, databases, emails, storage media such as flash discs, or information that is transmitted verbally. All these try to reduce access to this information by unwanted third parties.

Staffing the information security department: The individuals who are allowed to access the classified information must undergo a vetting process before recruitment. Charles C. Wood's book, Data Security Roles and Responsibilities Made Easy, states the standard job descriptions that can increase the degree of professionalism.

Classification of Information

Classification of information is developed based on what is common in the company. In most instances, as elaborated, the asset owner is the one responsible for classifying the information according to the outcomes of the risk assessment. The more sensitive the information, the higher the level of classification (Lincoln, 2005). The owner can use one of three levels of classification: high sensitivity, medium sensitivity or low sensitivity.

Low Sensitivity

Information thought to be of little sensitivity should be regarded as being of general use and made available for the public to use. The security at this level is minimal, and its primary objective is to maintain the integrity and availability of the data. Information meant for rigorous competition in the market, such as that of 3D Media Comm., cannot be classified here. The results might be detrimental due to data breach or leakage.
Medium Sensitivity

Information classified here can be handled as internal by all team members; if it needs to be shared, the company's approval is necessary. If the information is compromised, it is unlikely to lead to a breach of confidentiality or cause severe loss. Since it is internal, the company determines the level of security needed.

High Sensitivity

Information regarded as having high sensitivity is considered confidential. It must be protected at all times, as it is subject to the most restricted distribution; such information should not leave the company without permission from the top leader. A procedure for sharing such information is stipulated because, if it is compromised, severe damage can occur to the integrity of the company, its staff or possibly its branches. The law requires maximum protection of data in this category; a police report is necessary, especially if there is any attempted breach. The designed revolutionary method of 3D Media Comm. can be categorized here, since it is intended to compete in the market. Rivals must have no access.

Classification Considerations

These are the measures taken in evaluating data. The company is required to follow all the rules and regulations.

Integrity: Involves being patriotic as per the information act.

Risks to the team to whom the data pertains: The security of personnel is paramount. This proposal relates to, but is not associated with, client data, personally identifiable information and medical information.

The risk of confidentiality loss: Confidentiality has been defined as ensuring that information is accessible only to those authorized to have access to it, a crucial component of information security. It is apparent that the organization evaluates what the risk is for unauthorized access to classified data.

Aggregating information: When data is combined, the level of classification changes to suit the combination.
Some information may have low sensitivity, but when coupled with other information it becomes highly sensitive. The combination of several different pieces of information of a similar level can have the same effect (Van, 1962).

3D Media Comm. Ltd. objectives and goals: When evaluating data classification, the company's objectives are imperative and must be taken into consideration; this can be achieved by indirectly seeking the opinion of its targeted customers, or not at all. Moreover, it is vital for the company to meet the objectives and formulate adequate control measures to address data integrity and security.

The organization's standards: Several measures help the company to classify its data, and on most occasions it is obligated to comply with certain standards. In this case, the limited communication company will be obliged to follow the Information Security Standards as per the law (Black & Irmler, 2012).

Analysis of metadata: Metadata is simply data that provides information about other data. Its evaluation is critical with regard to what it holds about the classified information. There are three distinct types: structural, descriptive and administrative metadata. Descriptive metadata describes a resource for purposes such as discovery and identification, while structural metadata describes how objects are arranged in one place. Administrative metadata provides information to help manage the classified resource: when it came into existence, technical information and who can access it. Metadata must be classified, and its potential sensitivity considered when determining whether or not to protect it at the same level as the associated information (Vincent, 1989).

Information Labelling

Globalization has taken control of many sectors, including information technology; this has led many industries to create measures that help protect their data from the threat of covert internet attacks. A competitive company like 3D Media Comm. faces various challenges concerning vulnerability to network compromise and corruption of data (Navarro, 2001). Overcoming this vulnerability requires the company to rely on end users and manual security procedures. Information labelling allows the organization to label information with an indication of all the protection requirements that must be applied. It thus provides support for enforcement by human users as well as by computers and smart phones, as in the case of WhatsApp. Labels should be easy for authorized people to identify, to minimize confusion.

Information protection: Allows automatic protection of data as per the applicable protection policies indicated by the designated information labels. The team should be sensitized to the importance of labels for file protection.

Modern policy management: Creates room for analysing information security requirements and translating them from a human-readable form into computer-processable forms that can be easily comprehended by the team (Albrecht, 2015).

Handling of assets/Asset Management

Administration of equipment: Termed one of the most crucial parts of the classification process. These assets contain most of the communication's information. Asset management focuses on the idea that it is important to identify, classify, track and assign ownership for the most significant assets (Forcardi, 2000). All this is to ensure they are protected. The data steward should know who is responsible for what with regard to the information. To adequately protect the property, the organization should know what environmental, physical or information assets it holds and be able to protect them.

Establish acceptable-use rules for information and goods to secure them depending on the level of confidentiality. For instance, in a structured table the data manager should determine the rules for each category of privacy for each type of media: emails, storage media, paper documents, electronic records and information systems.
When paper documents are regarded as confidential, they should be locked in a safety cabinet and transferred only in closed envelopes, and in the case of emails the report must be sent with a return receipt service (Binosi et al., 2006). Information classification procedures are as illustrated. This freedom enables the data manager to make processes best adapted to his needs and secure enough to be certain that the data is uncompromised (Navarro, 2001). These rules are to be followed by every information user.

Create a list of all the assets and add a location for each. Creating a comprehensive list of the organization's assets and their corresponding locations kicks off the inventory. The process is important since it helps identify additional confidential assets that previously had not been put into consideration (Mellander, 2002). The data manager fills in a table such as this one:

                                   Confidential    Restricted    Internal use
Paper document
Email
Documents in electronics
Information conveyed verbally
Information systems
Storage media

Risk Assessment

Information security risk assessment is a gradual process of innovating, correcting and preventing security problems. It is a crucial section of the risk management process, established to provide the desired criteria for protection of data systems. The risk assessment will enable the organization to determine the acceptable level of risk and hence the resulting security requirements for each system.

Risk Assessment Process

System documentation phase: It provides a general illustration of the system and the data that pertains to it. The system also acts as a computing asset used by the company to fulfil its business objectives. The phase formulates a work structure for the next risk assessment phases. The system user provides the system identification; in the case of new systems, these are defined at the time of conception. The system administrator is the key member.
System identification: Pinpoints system names, other related information and the department responsible (Binosi, 2006). It is achieved by completing and verifying system identification and contacts. It involves the system administrator, technical reviewer, system technical owner and the risk assessment manager.

System purpose: Involves a description of the function and purpose of the system, the general functional requirements and the general information flow, to name just a few. It documents the system's business function, components, environment and connections.

System security level: The stages of classification and the categories dedicated to different types of information should be in line with the company's data classification requirements. Record the sensitivity of the information that the system handles with respect to the overall security needs of the organization.

Risk determination stage: The aim at this juncture is to calculate the level of risk for each threat or vulnerability, based on the chances of a threat exploiting a vulnerability and the impact it would have on the classified information and the system (Gorrieri, 2000). The impact might be highly detrimental, in the form of loss of confidentiality or integrity.

The steps in risk determination:
1. Analyze and find out potential dangers to the information.
2. Identify the system bottlenecks that could be exploited.
3. List existing measures to decrease the risk of the presumed threat.
4. Determine the possibility of a threat occurring based on the vulnerability, given the possible controls.
5. Ascertain the severity of the impact in case the risk occurs.
6. Determine the risk level for a threat.

Risks and vulnerability identification: There are various sources of danger in an organization; these should be identified for possible environmental, physical, human, natural and technical threats to the information (Sebastian and Simkins, 1989).
These considerations will help put proper control measures in place: the dependencies on other assets should be considered, along with the risk of software malfunctions, the system's connections, malicious intent, risks from the internet, incorrect file handling, personnel changes and risk from maintenance procedures. One weakness may be associated with one or more threats; as such, the input from past risk assessments helps to produce a pair for each potential vulnerability (Mc, 1995).

Identify existing controls: These controls are set to decrease the chances of a vulnerability being exploited or to lessen the severity of the impact of the exploited vulnerability. Existing controls may be operational, management or technical restrictions, depending on the threat to the information.

Determine risk: Risk is defined as the likelihood of a risk happening multiplied by the extent of the impact. The values used in the calculation are left to the organization's discretion. Assess the likelihood of the threat trying to exploit the vulnerability, the damage caused in case the vulnerability exploit was not successful, and the adequacy of planned security controls.

Recommend controls: Identify the safeguards to reduce the risk of each threat with a moderate or high risk level, as demonstrated in the risk determination stage. These steps are essential to determining a control:
a) The protection region where it belongs: technical, operational or management. Technical areas are prone to malfunctions.
b) The method aims at reducing the chances for a third party to exploit the weakness. This is a vital step in formulating controls.
c) Effectiveness in reducing the risk to classified data.
d) Conditions necessary for its establishment in the environment.
e) The secured data section in which the controls will be implemented.
f) Consider whether the expenditure on the safeguard is worth the decline in risk.
Determination of the residual likelihood of occurrence: The assumption is made that the selected safeguard has been put in place. List risk pairs by the probability of occurrence, assuming a control measure has been put in place. The system administrator oversees these activities.

Determination of residual risk levels: This is done once the recommended control measures have been put in place. It is achieved by examining the likelihood of the threat exploiting the vulnerability and the impact severity factors in the categories of availability and confidentiality.

Security Controls

Risk assessment will recommend security controls and further describe the expected levels of risk that would be retained if these controls were implemented. Security controls are considered based on the three data classification levels; they are technical or administrative safeguards or countermeasures to avoid or minimize loss of data due to threats acting on their matching vulnerabilities. The main aim of InfoSec is preventing unauthorized access, use, disruption, disclosure, modification, inspection, destruction or recording of classified information (Kenyon and Sebastian, 1989). There are three commonly accepted forms of security controls.

i. Administrative: These are the regulations that govern the overall requirements and controls for information security. For the business to comply with this law, it may adopt policies and procedures laying out the internal requirements for protecting this revolutionary data (Gellert, 2016).
ii. Logical: These are the application, virtual and technical controls, that is, systems and software such as firewalls, antivirus software such as Kaspersky, encryption, and requests for checking daily activities.
iii. Physical: Apart from logical security, a physical key can be used to get access to information in an office. Thus, physical controls such as video surveillance systems and gates need to be established.
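The risk determination, control recommendation and residual risk steps described in the Risk Assessment Process section, as an added example that is not part of the original paper. The 1-3 scales, the level thresholds, the control effects and costs, and the register entries are all constructed assumptions, since the paper leaves the scoring values to the organization.

```python
"""Risk determination and residual risk for threat/vulnerability pairs."""
from dataclasses import dataclass, field


def risk_level(score: int) -> str:
    """Map likelihood x impact (each 1-3) to a level; thresholds are assumed."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class Control:
    name: str
    area: str            # technical, operational or management (step a)
    likelihood_cut: int  # how far it lowers the chance of exploitation (step b)
    impact_cut: int      # how far it lowers the severity of impact (step c)
    cost: int            # relative cost units, weighed against the gain (step f)


@dataclass
class RiskPair:
    threat: str
    vulnerability: str
    likelihood: int      # 1-3, judged with the existing controls in place
    impact: int          # 1-3
    candidates: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def residual_score(pair: RiskPair, control: Control) -> int:
    """Score of the pair assuming the control has been put in place."""
    likelihood = max(1, pair.likelihood - control.likelihood_cut)
    impact = max(1, pair.impact - control.impact_cut)
    return likelihood * impact


def recommend(pair: RiskPair):
    """Only moderate/high pairs get a control: best risk reduction per cost unit."""
    if risk_level(pair.score) == "low" or not pair.candidates:
        return None
    best = max(pair.candidates,
               key=lambda c: (pair.score - residual_score(pair, c)) / c.cost)
    return best if residual_score(pair, best) < pair.score else None


def assess(pairs):
    """Return one row per pair, highest inherent risk first."""
    rows = []
    for pair in sorted(pairs, key=lambda p: p.score, reverse=True):
        control = recommend(pair)
        after = residual_score(pair, control) if control else pair.score
        rows.append({
            "threat": pair.threat,
            "inherent": risk_level(pair.score),
            "control": control.name if control else None,
            "residual": risk_level(after),
        })
    return rows


# Constructed register entries, for illustration only.
SAMPLE_REGISTER = [
    RiskPair("competitor obtains design files",
             "unencrypted storage media moved between branches", 3, 3,
             [Control("file encryption", "technical", 0, 2, 2),
              Control("transfer log and closed envelopes", "operational", 1, 0, 2)]),
    RiskPair("internal draft shared outside the company",
             "no approval step for sharing", 2, 2,
             [Control("sharing approval procedure", "management", 1, 0, 1)]),
    RiskPair("public brochure altered",
             "shared publishing password", 1, 2,
             [Control("change alerts", "technical", 0, 1, 1)]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

The third pair stays untreated because its inherent level is low, which matches the paper's rule that controls are recommended for moderate or high risk levels only.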
Levels of Mitigation

- Preventive: These are controls that prevent the loss or harm from occurring.
- Detective: They monitor activities or identify instances where practices or procedures were not accurately followed.
- Corrective: These measures restore the system to the state it was in before a harmful event.

Minimum Security Measures as Per Classification Levels

Security controls for highly sensitive data: Confidential information must be secured using at least one physical control and one IT control measure. Care should be taken when transporting such sensitive information between branches of the business; this includes file encryption and a log maintained with details of the transfer, including the date, the description of the information and the receiving party, which can be an individual or sublets of 3D Media Comm. Ltd. When data is being moved, it has less physical security than it does inside the organization; this creates the need for IT controls and additional physical security controls.

Security controls for medium sensitivity data: Such data needs relatively high security, unlike low sensitivity data. Data should be classified as secretive when the unauthorized disclosure or alteration of that data could result in a regulated level of risk to the organization. Physical security controls such as surveillance cameras should be fitted in such departments to ensure their safety is maintained. A reasonable degree of protection should be applied to private data.

Public data security controls: Data in this category may be regarded as not of high risk, but security measures are needed all the same. Controls may include security guards, locks, passwords and ID cards to distinguish customers from staff. Fire detection and response alarms, computer rooms and wiring closets may also be implemented with consideration of the cost.
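The aggregation consideration (a collection takes the level of its most sensitive member, and combined items can rank higher than any one of them) and the minimum measures for highly sensitive data, as an added example that is not part of the original paper. The tag names, the aggregation rule and the sample records are constructed assumptions; the three levels and the required transfer log fields follow the text.

```python
"""Collection classification with aggregation, plus minimum-measure checks."""
from enum import IntEnum


class Level(IntEnum):
    LOW = 1     # general use, may be made public
    MEDIUM = 2  # internal; sharing needs company approval
    HIGH = 3    # confidential; most restricted distribution


# Assumed rule set: when every tag in a set is present in one collection,
# the collection is raised to at least the given level.
AGGREGATION_RULES = [
    (frozenset({"release-schedule", "pricing-draft"}), Level.HIGH),
]

# Transfer log details the paper requires for highly sensitive data.
REQUIRED_LOG_FIELDS = ("date", "description", "recipient")


def classify_collection(items):
    """items: iterable of (name, Level, tags); metadata records count as items."""
    items = list(items)
    # The highest-risk member sets the level of the whole collection.
    level = max((lvl for _, lvl, _ in items), default=Level.LOW)
    tags = set()
    for _, _, item_tags in items:
        tags |= set(item_tags)
    # Aggregation: a combination can be more sensitive than any single member.
    for required, raised in AGGREGATION_RULES:
        if required <= tags:
            level = max(level, raised)
    return level


def control_gaps(level, controls):
    """controls: list of (name, kind) with kind 'physical' or 'it'."""
    gaps = []
    if level == Level.HIGH:
        kinds = {kind for _, kind in controls}
        if "physical" not in kinds:
            gaps.append("no physical control")
        if "it" not in kinds:
            gaps.append("no IT control")
    return gaps


def transfer_gaps(level, transfer):
    """Check a branch-to-branch transfer record against the HIGH requirements."""
    gaps = []
    if level == Level.HIGH:
        if not transfer.get("encrypted"):
            gaps.append("file not encrypted")
        log = transfer.get("log", {})
        for name in REQUIRED_LOG_FIELDS:
            if not log.get(name):
                gaps.append(f"transfer log missing {name}")
    return gaps


# Constructed sample collection: no single item is HIGH on its own.
SAMPLE_COLLECTION = [
    ("public brochure", Level.LOW, set()),
    ("launch timetable", Level.MEDIUM, {"release-schedule"}),
    ("draft price list", Level.MEDIUM, {"pricing-draft"}),
]

if __name__ == "__main__":
    level = classify_collection(SAMPLE_COLLECTION)
    print(level.name)
    print(control_gaps(level, [("locked cabinet", "physical")]))
    print(transfer_gaps(level, {"encrypted": True,
                                "log": {"date": "2024-01-15",
                                        "description": "design pack"}}))
```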
Conclusion

Classification of sensitive data is very important for this organisation, since it will give maximum protection to all the files. A third party will not gain access to this classified information when the scheme is fully implemented. A thriving market for this company will be generated, creating fair competition with other media communications companies. Popularity with small businesses will be gained when full implementation of this scheme is achieved. This will enable the company to protect the designed revolutionary method before its official release to small businesses.

References

Albrecht, J. (2015). No E Data Protection Standard below the Level of 1995. European Data Protection Law Review, 1(1), 34.
Back, A. and Irmler, P. (2012). Implementing a Classification Scheme for Enterprise 2.0. Journal of Information Technology, 54(5), 220-227.
Barki, H., Rivards, S. and Talbot, J. (1988). An Information System Keyword Classification Scheme. MIS Quarterly, 12(2), 299.
Binosi, D., Calarcot, T., Fazio, R. and Zoller, P. (2006). Quantum Information Qualification Scheme. The European Physical Journal D, 38(2), 237-237.
Cohen, F. (1997). Information System Defences: A Preliminary Classification Scheme. Computers and Security, 16(2), 94-114.
De Smedt, S. Belgium. (2015). – The New Data Protection Hub? European Data Protection Law Review, 1(3), 213-218.
Edwards, L. Privacy. (2016). Security and Data Protection in Smart Cities: Security and Data Protection Law Review, 2(1), 28-58.
Forcardi, R. and Gorrieri, R. (2000, September). Classification of Security Properties. Information flow
Gellert, R. (2016). We Have Always Managed Risks in Data Protection Law. European Data Protection Law Review, 2(4), 481-492.
Hong, K. S., Chi, Y. P., Chao, L. R. and T, J. H. (2003). An integrated system theory of information security management. Information Management and Computer Security, 11(5), 243-248.
Kenyon, S. C., Simkins, L. J. and Sebastian, R. L. (1989). Washington, D.C.: U.S. Patent and Trademark Office.
Kovacich, G. (1997). Information Warfare and the Information Systems Security Professional. Information System Security, 6(2), 45-55.
Lincoln, P. D., Dawson, S. M., Samarati, and Di Vimericati, S. D. C. (2005). U.S. Patent number 6,922,696. Washington, D.C.: Patent and Trademark Office.
Mc Chesney, I. (1995). Toward a classification scheme for software process modelling approaches. Information and Software Technology, 37(7), 363-374.
Mellander, J. Unix File system Security. (2002). Unix File system Security Technical Report, 7(1), 11-25.
Navarro, L. (2001). Information Security Risks and Managed Security Service. Information Security Technical Report, 6(3), 28-36.
Nesteruk, P. G. (2014). To organization of intellectual protection of the information SPIIRAS. Proceedings, 0(10), 148.
Recio, M. (2017). Practitioner's Corner Data Protection Officer: The Key Figure to Ensure Data Protection and Accountability. European Data Protection Law Review, 3(1), 114-118.
Van Oot, J. G. (1962). The Development of an Operating Information System. Journal of Chemical Documentation, 2(4), 229-234.
Vincent, James P. (1989). U.S. Patent number 4,881,179. Washington, D.C.: U.S. Patent and Trademark Office.