CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
by Robert Johnson,
Chuck Easttom
Security Policies and Implementation Issues, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Information Systems Security Policy Management
- What Is Information Systems Security?
- What Is Information Assurance?
- What Is Governance?
- Why Is Governance Important?
- What Are Information Systems Security Policies?
- Creating Policies
- Where Do Information Systems Security Policies Fit Within an Organization?
- Why Information Systems Security Policies Are Important
- When Do You Need Information Systems Security Policies?
- Why Enforcing and Winning Acceptance for Policies Is Challenging
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTES
- CHAPTER 2 Business Drivers for Information Security Policies
- CHAPTER 3 Compliance Laws and Information Security Policy Requirements
- U.S. Compliance Laws
- Whom Do the Laws Protect?
- Which Laws Require Proper Security Controls to Be Included in Policies?
- Which Laws Require Proper Security Controls for Handling Privacy Data?
- Aligning Security Policies and Controls with Regulations
- Industry Leading Practices and Self-Regulation
- Some Important Industry Standards
- International Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
- CHAPTER 5 Information Security Policy Implementation Issues
- Human Nature in the Workplace
- Organizational Structures
- The Challenge of User Apathy
- The Importance of Executive Management Support
- The Role of Human Resources Policies
- Policy Roles, Responsibilities, and Accountability
- When Policy Fulfillment Is Not Part of Job Descriptions
- Impact on Entrepreneurial Productivity and Efficiency
- Tying Security Policy to Performance and Accountability
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- ENDNOTES
- CHAPTER 6 IT Security Policy Frameworks
- What Is an IT Policy Framework?
- What Is a Program Framework Policy or Charter?
- Business Considerations for the Framework
- Information Assurance Considerations
- Information Systems Security Considerations
- Best Practices for IT Security Policy Framework Creation
- Case Studies in Policy Framework Development
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- ENDNOTES
- CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
- Policies and Standards Design Considerations
- Document Organization Considerations
- Considerations for Implementing Policies and Standards
- Maintaining Your Policy and Standards Library
- Best Practices for Policies and Standards Maintenance
- Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- ENDNOTES
- CHAPTER 8 IT Security Policy Framework Approaches
- IT Security Policy Framework Approaches
- Roles, Responsibilities, and Accountability for Personnel
- Separation of Duties
- Governance and Compliance
- Best Practices for IT Security Policy Framework Approaches
- Case Studies and Examples of IT Security Policy Framework Approaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- ENDNOTES
- CHAPTER 9 User Domain Policies
- The Weakest Link in the Information Security Chain
- Seven Types of Users
- Why Govern Users with Policies?
- Acceptable Use Policy (AUP)
- The Privileged-Level Access Agreement (PAA)
- Security Awareness Policy (SAP)
- Best Practices for User Domain Policies
- Understanding Least Access Privileges and Best Fit Access Privileges
- Case Studies and Examples of User Domain Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 IT Infrastructure Security Policies
- Anatomy of an Infrastructure Policy
- Workstation Domain Policies
- Mobile Device Domain Policies
- LAN Domain Policies
- LAN-to-WAN Domain Policies
- WAN Domain Policies
- Remote Access Domain Policies
- System/Application Domain Policies
- Telecommunications Policies
- Best Practices for IT Infrastructure Security Policies
- Cloud Security Policies
- Case Studies and Examples of IT Infrastructure Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
- Data Classification Policies
- Data Handling Policies
- Identifying Business Risks Related to Information Systems
- Risk and Control Self-Assessment
- Risk Assessment Policies
- Quality Assurance Versus Quality Control
- Best Practices for Data Classification and Risk Management Policies
- Case Studies and Examples of Data Classification and Risk Management Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Incident Response Team (IRT) Policies
- Incident Response Policy
- Incident Classification
- The Response Team Charter
- Incident Response Team Members
- Responsibilities During an Incident
- Business Impact Analysis (BIA) Policies
- Procedures for Incident Response
- Discovering an Incident
- Reporting an Incident
- Containing and Minimizing the Damage
- Cleaning Up After the Incident
- Documenting the Incident and Actions
- Analyzing the Incident and Response
- Creating Mitigation to Prevent Future Incidents
- Handling the Media and Deciding What to Disclose
- Business Continuity Planning Policies
- Dealing with Loss of Systems, Applications, or Data Availability
- Response and Recovery Time Objectives Policies Based on the BIA
- Best Practices for Incident Response Policies
- Disaster Recovery Plan Policies
- Case Studies and Examples of Incident Response Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 IT Security Policy Implementations
- Simplified Implementation Process
- Target State
- Executive Buy-in, Cost, and Impact
- Policy Language
- Employee Awareness and Training
- Information Dissemination—How to Educate Employees
- Policy Implementation Issues
- Governance and Monitoring
- Best Practices for IT Security Policy Implementations
- Case Studies and Examples of IT Security Policy Implementations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- ENDNOTES
- CHAPTER 14 IT Security Policy Enforcement
- Organizational Support for IT Security Policy Enforcement
- An Organization’s Right to Monitor User Actions and Traffic
- Compliance Law: Requirement or Risk Management?
- What Is Law and What Is Policy?
- What Automated Security Controls Can Be Implemented Through Policy?
- Legal Implications of IT Security Policy Enforcement
- Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
- Best Practices for IT Security Policy Enforcement
- Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 IT Policy Compliance and Compliance Technologies
- Creating a Baseline Definition for Information Systems Security
- Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
- Automating IT Security Policy Compliance
- Compliance Technologies and Solutions
- Best Practices for IT Security Policy Compliance Monitoring
- Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© obpcnh/Shutterstock
Data Classification and Handling Policies and Risk Management Policies |
CHAPTER |
DATA SUSTAINS AN ORGANIZATION’S business processes and enables it to deliver products and services. Stop the flow of data, and for many companies, business comes quickly to a halt. Data drives online ordering, delivery schedules, allocation of resources, production lines, warehouse management, supply chain, and much more. The economy is driven by data. Those who understand its value and have the ability to manage related risks will have a competitive advantage. If the loss of data lasts long enough, the viability of an organization to survive may come into question. Fortunately, most outages and data disruptions are short in duration. But even short outages and data disruptions can be costly. For example, Forbes magazine wrote about a 30-minute outage that Amazon incurred on August 19, 2013. Speculation was that Amazon lost $66,240 per minute during the outage. The problem has not improved even after several years. In September 2019, Yahoo! email was out for many parts of the world for several hours. In July 2019, an article in The Verge, titled “Internet Outages Are Getting More Serious,”1 commented that outages are growing both more widespread and more substantial.
Data classification is a useful way to rank the value and importance of groups of data. The importance of the data and the type of value assigned varies by organization. The value may be monetary, because certain data may be key to driving revenue. The value may be regulatory, because certain data carries legal obligations. The type of data categories (known as classifications) may vary greatly depending on the organization’s need. Data classification creates a standardized way of assigning data (or groups of data) to a classification. These data classifications then drive how data is appropriately handled. These policies and techniques feed into a risk management approach that helps prevent disruption of services.
This chapter discusses data classification techniques used by the government and within the private sector. It discusses ways of classifying data. It also discusses risk management approaches that include quality assurance, quality control, and key measurements.
Chapter 11 Topics
This chapter covers the following topics and concepts:
- What data classification policies are
- What data handling policies are
- Which business risks are related to information systems
- What a risk and control self-assessment (RCSA) is and why it is important
- What risk assessment policies are
- What quality assurance (QA) and quality control (QC) are
- What best practices for risk management policies are
- What some case studies and examples of risk management policies are
Chapter 11 Goals
When you complete this chapter, you will be able to:
- Explain various data classification approaches
- Explain the difference between classified and unclassified data
- Describe common business classification techniques
- Understand the need for policies that govern data in transit and at rest
- Explain common business risks in a disaster
- Describe quality assurance
- Describe quality control
- Explain the difference between QA and QC
- Describe the relationship between QA/QC and risk management
1. https://www.theverge.com/interface/2019/7/4/20681733/facebook-outage-internet-myanmar-consequences
-
No Comment