Information Security Policy (IT Security Cookbook)

  • All major information assets shall have an owner.
  • The owner shall classify the information into one of the sensitivity levels listed below, depending on legal obligations, costs, corporate policy and business needs. He/she is responsible for the protection of this information.
  • The owner shall declare who is allowed access to the data.
  • The owner is responsible for this data and shall secure it, or have it secured, according to its sensitivity.

A classification system is proposed which classifies information into four levels. The lowest, 1, is the least sensitive and the highest, 4, is for the most important data/processes. Each level is a superset of the previous level: for example, if a system is classified as class 3, then the system must follow the directives of classes 1, 2 and 3. If a system contains data of more than one sensitivity class, it must be classified according to the requirements of the most confidential data on the system.

Class 1: Public / non classified Information

Description: Data on these systems could be made public without any implications for the company (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable risk. Examples: Test services without confidential data, certain public information services.

Guidelines on storage: none.

Guidelines on transmission: none.

Guidelines on destruction: none.

Class 2: Internal Information

Description: External access to this data is to be prevented, but should this data become public, the consequences are not critical (e.g. the company may be publicly embarrassed). Internal access is selective. Data integrity is important but not vital. Examples of this type of data are found in development groups (where no live data is present), certain public production services, certain customer data, "normal" working documents, project/meeting minutes and internal telephone directories.

Guidelines on storage:

  1. Information shall be labelled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files.
  2. IT Systems susceptible to virus attacks should be regularly scanned for viruses. The integrity of systems should be regularly monitored.

Guidelines on transmission:

  1. For projects involving collaboration with external partners, a project policy document shall stipulate what information may be shared with the external partners.
  2. This information shall stay within the company; if it must transit public media (e.g. the Internet), it should be encrypted.
  3. Internal data shall not be transferred outside the company except as in points 1 and 2.

Guidelines on destruction: none.

Class 3: Confidential Information

Description: Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorised persons, it could impair the company's operational effectiveness, cause a significant financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital. Examples: Salaries, personnel data, accounting data, very confidential customer data, sensitive projects and confidential contracts. Datacenters normally maintain this level of security.

Guidelines on storage:

  1. Information shall be labelled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files.
  2. IT Systems susceptible to virus attacks should be regularly scanned for viruses. The integrity of systems should be regularly monitored. IT Systems shall be configured to protect against unauthorised modification of data and programs.
  3. Information shall be kept under lock and key (e.g. documents in locked cabinets, computers in locked rooms).

Guidelines on transmission:

  1. Passwords should not be transmitted in clear-text (electronically or on paper).
  2. This information shall stay within the company; if it must transit public media (e.g. the Internet), it should be encrypted. Encryption algorithms used should be strong (see note 1).

Guidelines on destruction:

  1. Information shall be securely disposed of when no longer needed (e.g. shredders for documents, destruction of old disks and diskettes etc.).

Class 4: Secret Information

Description: Unauthorised external or internal access to this data could be critical to the company. Data integrity is vital. The number of people with access to this data should be very small. Very strict rules must be adhered to in the usage of this data. Examples: Military data, information about major pending contracts, reorganisations or financial transactions.

Guidelines on storage:

  1. Information shall be labelled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files.
  2. IT Systems susceptible to virus attacks shall be regularly scanned for viruses. The integrity of systems shall be regularly monitored. IT Systems shall be configured to protect against unauthorised modification of data/programs and shall be audited yearly.
  3. Information shall be kept under lock and key (e.g. documents in locked cabinets, computers in locked rooms).
  4. Information shall be stored in encrypted format or on removable disks which are physically secured.

Guidelines on transmission:

  1. This information shall be encrypted during transmission outside of secure zones. Encryption algorithms used shall be strong (see note 2).

Guidelines on destruction:

  1. Information shall be securely disposed of when no longer needed (e.g. shredders for documents, destruction of old disks and diskettes etc.).

Adherence to corporate and legislative requirements

Local, national and international laws (e.g. on data privacy and on the dissemination of pornography) must be adhered to.

Internet pornography

The Internet is now seen as a major carrier of illicit material, from soft pornography to paedophile material to nazi propaganda.

  • If it is known that such material is passing over company Internet gateways, it should be blocked.
  • Personnel may not use company computers or infrastructure to access such material. Users may be disciplined if this directive is contravened.

Privacy laws

Personnel data shall be protected according to the data privacy laws of the country where it is stored or processed.

1), 2) i.e. RSA 1024-bit, IDEA, 3DES etc., not simple mechanisms like XOR. Note that single DES is no longer considered strong. (These examples date from the original cookbook; 1024-bit RSA and 3DES have since been deprecated as well, so the list should be read as "current, well-reviewed algorithms at an adequate key length" rather than as a fixed set.)