
Copyright 2005 by CRC Press, LLC. All Rights Reserved.

5.9.2 Custodian

The next responsibility we must create is that of the information custodian. This entity is responsible for protecting the information asset based on the requirements established by the owner. In an organization that has an information systems organization, the operations group might be considered the custodian of client data and information. They neither have the right to permit anyone access to the information asset, nor can they alter the information in any way without approval from the owner. This would include any programming or system upgrades that would modify the information or the output from applications and transactions.

    An Information Custodian is the person responsible for overseeing and implementing the necessary safeguards to protect assets, at the level classified by the information owner. This could be the System Administrator, controlling access to a computer network; or a specific application program or even a standard filing cabinet.

This example started out well but finished oddly. Giving examples of what might be considered a custodian is good. Likening the custodian to a filing cabinet, however, contradicts the opening sentence, where the policy identifies the custodian as a "person." When writing, remember to go back and read what you just wrote to make sure the concepts match from beginning to end. Do not try to be cute. Stick to the subject and make sure you say exactly what needs to be said.

    Custodians are authorized system support persons or organizations (employees, contractors, consultants, vendors, etc.) responsible for maintaining the safeguards established by owners. The owner designates the custodian. The custodian is the "steward of the data" for the owner; that is, the Data Center may be the custodian for a business application "owned" by a business unit.

The use of the term "steward of the data" brings out a point that needs to be made. Some organizations and cultures prefer other terms than the ones discussed here.

When I was younger, I played Pony League baseball for a team called the "Custodians." Our uniforms were the most realistic because we had the name on the front and numbers on the back. The other teams had names such as "Tigers" and "Braves" but had some advertisement about their sponsor on the back. It was not until we played a few games that the other team started calling us the janitors. Custodian to some is a noble name; to others, maybe not so noble. So choose your terms wisely. "Curator," "keeper," and "guardian" are other terms that might work. Recently we were doing work for HIPAA compliance and developing policies for a hospital. When we discussed the definition for "user," the hospital staff started to chuckle and told us that the term "user" had a totally different meaning there and we needed to find another term.

    B. Custodian: Employees designated by the owner to be responsible for maintaining the safeguards established by the owner.

It is important to remember that when using the term "employee," we are actually discussing the virtual employee. We can only write policy for employees; for all third parties, a contract must contain compliance language. Thus, it is perfectly acceptable to identify "employees" even if we know that someone other than an employee might actually perform the function. This is true for all employee responsibilities except "owner." The owner must be an employee; after all, it is the organization's information.

5.9.3 User

The final element is the user. This individual is granted permission by the owner to access the information asset. The user must use the information in the manner agreed upon with the owner. The user has no other rights. When granting access, the owner should use the concept of "least privilege." This means the user is granted only the access he or she specifically needs to perform a business task, and no more.

    An information user is the person responsible for viewing, amending, or updating the content of the information assets. This can be any user of the information in the inventory created by the information owner.

The inventory discussed here is addressed in both the classification policy and the records management policy; who has been assigned access also needs to be tracked. The custodian is generally responsible for providing the tools to monitor the user list.

    Users are authorized system users (employees, contractors, consultants, vendors, etc.) responsible for using and safeguarding information under their control according to the directions of the owner. Users are authorized access to information by the owner.

The final example is similar to the definition used above:

    C. User: Employees authorized by the owner to access information and use the safeguards established by the owner.

5.10 Classification Examples

This section examines attributes and examples of different classification categories, and presents examples of organization information classification policies.

5.10.1 Classification: Example 1

Critique of Example 1 (Table 5.6) — This is an actual classification policy (very high level) for the executive branch of a national government. There is little here to help the average user. This is an example of a program or general policy statement; however, a topic-specific policy statement may have been more beneficial. Perhaps the next two examples will provide more information.

TABLE 5.6 Information Classification Policy: Example 1

Information Classification
Policy: Security classifications should be used to indicate the need and priorities for security protection.
Objective: To ensure that information assets receive an appropriate level of protection.
Statement: Information has varying degrees of sensitivity and criticality. Some items may require an additional level of security protection or special handling. A security classification system should be used to define an appropriate set of security protection levels, and to communicate the need for special handling measures to users.

5.10.2 Classification: Example 2

Critique of Example 2 (Table 5.7) — The policy seems to stress competitive advantage information in its opening paragraphs. It does not appear to address personal information about employees or customers. It does provide for these topics as categories under "Confidential," but it never really mentions them by name. This appears to be a policy that is somewhat limited in scope. Additionally, it does not establish the scope of the information (is it computer generated only, or exactly what information is being addressed?). The employee responsibilities are missing. What is management's responsibility with respect to information classification, and what is expected of the employees? Finally, what are the consequences of noncompliance?

TABLE 5.7 Information Classification Policy: Example 2

Classification Requirements

Classified data is information developed by the organization with some effort and some expense or investment that provides the organization with a competitive advantage in its relevant industry and that the organization wishes to protect from disclosure. While defining information protection is a difficult task, four elements serve as the basis for a classification scheme:

1. The information must be of some value to the organization and its competitors so that it provides some demonstrable competitive advantage.
2. The information must be the result of some minimal expense or investment by the organization.
3. The information is somewhat unique in that it is not generally known in the industry or to the public or may not be readily ascertained.
4. The information must be maintained as a relative secret, both within and outside the organization, with reasonable precautions against disclosure of the information. Access to such information could only result from disregarding established standards or from using illegal means.

Top Secret (Secret, Highly Confidential)
Attributes:
- Provides the organization with a very significant competitive edge
- Is of such a nature that unauthorized disclosure would cause severe damage to the organization
- Shows specific business strategies and major directions
- Is essential to the technical or financial success of a product
Examples:
- Specific operating plans, marketing strategies
- Specific descriptions of unique parts or materials, technology intent statements, new technologies and research
- Specific business strategies and major directions

Confidential (Sensitive, Personal, Privileged)
Attributes:
- Provides the organization with a significant competitive edge
- Is of such a nature that unauthorized disclosure would cause damage to the organization
- Shows operational direction over an extended period of time
- Is extremely important to the technical or financial success of a product
Examples:
- Consolidated revenue, cost, profit, or other financial results
- Operating plans, marketing strategies
- Descriptions of unique parts or materials, technology intent statements, new technological studies and research
- Market requirements, technologies, product plans, and revenues

Restricted (Internal Use)
Attributes:
- All business-related information requiring baseline security protection, but failing to meet the specified criteria for higher classification
- Information that is intended for use by employees when conducting company business
Examples:
- Business information
- Organization policies, standards, procedures
- Internal organization announcements

Public (Unclassified)
Attributes:
- Information that, due to its content and context, requires no special protection, or
- Information that has been made available for public distribution through authorized company channels
Examples:
- Online public information, Web site information
- Internal correspondence, memoranda, and documentation that do not merit special controls
- Public corporate announcements
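The owner, custodian and user responsibilities of Section 5.9, together with the classification levels of Table 5.7, modelled as policy-as-code in an added example (my code, not the book's): only the owner classifies, designates the custodian and grants least-privilege access; the custodian applies safeguards, alters the asset only with owner approval and supplies the user-list monitoring tool; everyone else holds exactly what was granted. Actor names and action strings are constructed for illustration.

```python
from dataclasses import dataclass, field
LEVELS = ("Public", "Restricted", "Confidential", "Top Secret")  # Table 5.7 levels

class PolicyViolation(Exception):
    """An actor attempted something its role (owner, custodian, user) does not permit."""

@dataclass
class InformationAsset:
    name: str
    owner: str                      # classifies the asset and authorizes all access
    classification: str
    custodian: str = ""             # designated by the owner; applies the safeguards
    grants: dict = field(default_factory=dict)  # user -> set of permitted actions

    def __post_init__(self):
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification {self.classification!r}")

def designate_custodian(asset, actor, custodian):
    # Only the owner designates the custodian.
    if actor != asset.owner:
        raise PolicyViolation(f"{actor} is not the owner of {asset.name}")
    asset.custodian = custodian

def grant_access(asset, actor, user, actions):
    # Only the owner grants access (the custodian cannot), and the grant is
    # least privilege: exactly the actions listed, nothing implied by role.
    if actor != asset.owner:
        raise PolicyViolation(f"{actor} is not the owner of {asset.name}")
    asset.grants[user] = set(actions)

def is_permitted(asset, actor, action):
    # Users, the custodian included, may do only what the owner granted.
    return action in asset.grants.get(actor, set())

def apply_change(asset, actor, approved_by):
    # The custodian may alter the asset (e.g. an upgrade) only with owner approval.
    if not asset.custodian or actor != asset.custodian:
        raise PolicyViolation(f"{actor} is not the custodian of {asset.name}")
    if approved_by != asset.owner:
        raise PolicyViolation(f"change to {asset.name} not approved by its owner")
    return True

def user_list_report(asset, actor):
    # The custodian provides the tool to monitor the user list; the owner
    # reviews it. Nobody else learns who holds access.
    if not actor or actor not in (asset.owner, asset.custodian):
        raise PolicyViolation(f"{actor} may not view the user list of {asset.name}")
    return {user: sorted(acts) for user, acts in sorted(asset.grants.items())}
```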