Regulations and Information Classification
One very important task in defining the security a system needs is first to understand the nature of the data it holds and how that data is used. Within any organization there is a myriad of data, and it can be categorized in many different ways. We can use this opportunity to discuss the sensitivity of data within our organization and then break it into appropriate classifications to be applied when implementing security measures. Additionally, this process will help the organization conform to the ISO standards the company may be subject to, in this case ISO/IEC 18028. It also relates directly to certain laws that pertain to the security of information, and finally to how the organization will be able to test and measure how well these security practices are implemented and followed. Lastly, we can outline here how controls can be created and implemented to enforce these requirements, as well as how auditing can validate the effectiveness of the controls that have been implemented.
As we begin this analysis, we look to classifying the data we possess. We know that data strategies differ from one organization to the next because each organization generates its own types and volumes of data. Most experts advise that companies classify their data according to its confidentiality requirements, so that more confidential data receives stronger protection. For instance, salary information within the organization, if leaked, can be damaging externally and is also very sensitive internally. That said, there are other forms of data within the organization that carry no security concern at all, for instance the mass memo stating that the north door of the facility will be under repair next Wednesday, or that the marketing director will be out of town the third week of next month.
This brings us to the concept of tiered data storage. Once data...