The first task in defining the security a system of data needs is to understand the nature of that data and how it is used in a given system. Within any organization there is a myriad of data, and it can be categorized in many different ways. We can use this opportunity to discuss the sensitivity of data within our organization and then break it into appropriate classifications to be used when implementing security measures. This process will also help the organization conform to the ISO standards it may be subject to, in this case ISO/IEC 18028. It relates directly to the laws that govern the security of information, and to how the organization will test and measure how well these security practices are implemented and followed. Lastly, we outline here how controls can be created and implemented to enforce these requirements, and how auditing can validate the effectiveness of those controls.
As we begin this analysis, we look at classifying the data we possess. Data strategies differ from one organization to the next because each organization generates its own types and volumes of data. Most experts advise that companies classify their data according to its confidentiality requirements, so that increasingly confidential data receives correspondingly stronger protection. For instance, salary information, if leaked, can be externally damaging and is also very sensitive internally. On the other hand, there is data within the organization that carries no security concern at all, for instance the mass memo stating that the north door of the facility will be under repair next Wednesday, or that the marketing director will be out of town the third week of next month.
This brings us to the concept of tiered data storage. Once data classifications are established, it becomes necessary to evaluate that data on a regular basis and ensure that it is being handled appropriately. One way is to store each piece of data only in a location rated for its classification, with the security controls appropriate to that tier. A key element of any data classification system is having both users and management on board: users will need to be prepared to monitor and maintain this information, and once the scheme is set up and running effectively, their continued involvement is imperative. Like any other business solution, there is always room for improvement, and reclassification is frequently necessary to keep data security measures current; when data moves to a higher tier, it must also move to storage rated for that tier.
As we look at implementing these tiers and classifications within our own organization, we can, at least at the onset, typically place the information handled into one of three categories. First, general data encompasses information that is not relevant to the security of the company's assets at all. This is informational data or, in the case of Sunbelt, perhaps inventory listings that are posted publicly on the company website. The next tier is more sensitive and is categorized for internal use only. This information is subject to the first round of restrictions and includes sensitive data that must be protected due to "proprietary, ethical contractual or privacy considerations" (CalState, 2013). Compromise of this tier would pose a moderate risk to the organization. Examples of second-tier data might include emails, inventory pricing and ownership categorizations, joint venture agreements, customer payment information, employee counseling statements and so on. One caveat: where customer payment information includes card data, PCI DSS applies and that data is normally handled at the highest tier rather than as internal-use data.
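The tiered-storage rule above (data may only live in a location rated at or above its classification) and the audit that validates it are simple enough to express as code. The following is an added example written for this page, not code from the organization or from the cited source; the three tier names follow the text, while the storage locations, asset names and sample inventory are constructed for illustration. It provides both a preventive check to run before data is placed and an audit pass that reports existing misplacements, including data sitting in a location the registry does not know about.

```python
"""Tier-aware placement control and audit for classified data (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Ordered classification tiers from the page; a higher value is more sensitive."""
    GENERAL = 0        # public, e.g. inventory listings on the website
    INTERNAL = 1       # internal use only, moderate risk if compromised
    CONFIDENTIAL = 2   # severe risk if leaked


# Hypothetical storage locations and the highest tier each is approved to hold.
STORAGE_TIERS = {
    "public-web": Tier.GENERAL,
    "intranet-share": Tier.INTERNAL,
    "vault": Tier.CONFIDENTIAL,
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Tier
    location: str


def is_placement_allowed(classification, location, storage_tiers=STORAGE_TIERS):
    """Preventive control: data may be stored only where the location's rating
    is at least the data's tier. Unregistered locations are always refused."""
    loc_tier = storage_tiers.get(location)
    return loc_tier is not None and loc_tier >= classification


def audit(assets, storage_tiers=STORAGE_TIERS):
    """Detective control: return (asset name, finding) for every asset that is
    either in an unregistered location or in storage rated below its tier."""
    findings = []
    for asset in assets:
        loc_tier = storage_tiers.get(asset.location)
        if loc_tier is None:
            findings.append((asset.name, f"unregistered location {asset.location}"))
        elif loc_tier < asset.classification:
            findings.append((asset.name,
                             f"{asset.classification.name} data in {loc_tier.name} "
                             f"storage ({asset.location})"))
    return findings


def reclassify(asset, new_tier, storage_tiers=STORAGE_TIERS):
    """Raise or lower an asset's tier and report whether its current location is
    still acceptable, so the reviewer knows it has to be moved."""
    updated = Asset(asset.name, new_tier, asset.location)
    return updated, is_placement_allowed(new_tier, asset.location, storage_tiers)


# Constructed sample inventory mirroring the page's own examples.
SAMPLE_ASSETS = [
    Asset("inventory-listing", Tier.GENERAL, "public-web"),          # correct
    Asset("north-door-memo", Tier.GENERAL, "intranet-share"),        # over-protected, fine
    Asset("joint-venture-agreement", Tier.INTERNAL, "public-web"),   # leaked to public tier
    Asset("salary-export", Tier.CONFIDENTIAL, "intranet-share"),     # under-protected
    Asset("payroll-backup", Tier.CONFIDENTIAL, "usb-drive-7"),       # unknown location
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ASSETS):
        print(f"{name}: {finding}")
```

The ordering of `Tier` is what makes the rule mechanical: storing general data in the vault is wasteful but safe, while storing confidential data on the intranet share is a finding. The `reclassify` helper is where the text's reclassification step lands in practice, since raising a tier frequently invalidates the existing placement.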
Finally, the last classification of data would be the most highly regulated. This is the confidential tier. This classification is reserved for information that is deemed to be of severe risk to the organization if leaked. This includes...