Sunday, October 21, 2007

Managing and Classifying Documents in Information Security

It is often not easy to judge which documents (soft copies or hard copies) to safeguard unless we have a system for determining their classification:

We will first talk about classifying documents into their confidentiality categories; in the next post I shall talk about availability classifications, followed by integrity classifications thereafter. So stay tuned and come back for more goodies on how information security can be managed with my system.

I have devised a system for classifying documents into:

1.) Class 0 (Public information)
2.) Class 1 (Internal information)
3.) Class 2 (Confidential information)
4.) Class 3 (Strictly confidential information)

Class 0 - no protection required; can be circulated freely.
Class 1 - no protection required, but may only be circulated freely within the company, not to the public. (Examples: company newsletter, posters, marketing materials, etc.)

Class 2 - must be encrypted if in soft copy and locked in cupboards if in hard copy; may only be circulated to named users within a defined distribution network. (Examples: personal information such as salary and bank account details, sales prices, customer information, etc.)

Lastly we have Class 3 - must be encrypted if in soft copy and locked in fire-proof safes if in hard copy. May only be circulated to an even smaller network, and before circulation the originator of the information must grant permission. (Examples: patents, patients' files, bank transaction information, new product launch prices and information, etc.)

Not to forget, Class 2 and Class 3 information must also be disposed of in a secure way once it is no longer needed.

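To make the four-class scheme above concrete, here is an added example (not code from the original post) that encodes its handling rules as a small policy check: encryption for Class 2/3 soft copies, locked cupboard or fire-proof safe for hard copies, a named distribution list for Class 2 and above, originator approval for Class 3, and secure disposal for Class 2/3. The document titles, user names and field names (`named_readers`, `originator_cleared`, the storage labels) are assumptions made up for the example; a real deployment would take these from its own document register.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The four confidentiality classes described in the post."""
    PUBLIC = 0                  # Class 0: circulate freely
    INTERNAL = 1                # Class 1: inside the company only
    CONFIDENTIAL = 2            # Class 2: encrypted / locked cupboard, named users only
    STRICTLY_CONFIDENTIAL = 3   # Class 3: encrypted / fire-proof safe, originator approval


# Where a hard copy of each class may be kept; classes 0 and 1 have no requirement.
# Storage labels are assumptions for this example.
HARD_COPY_STORAGE = {
    Classification.CONFIDENTIAL: {"locked cupboard", "fire-proof safe"},
    Classification.STRICTLY_CONFIDENTIAL: {"fire-proof safe"},
}


@dataclass(frozen=True)
class Document:
    title: str
    classification: Classification
    originator: str                              # person who created the information
    soft_copy: bool                              # True: electronic file, False: paper
    encrypted: bool = False                      # only meaningful for soft copies
    storage: str = "desk"                        # where a hard copy is kept
    named_readers: frozenset = frozenset()       # distribution list defined for Class 2/3
    originator_cleared: frozenset = frozenset()  # recipients the originator approved (Class 3)


def storage_violations(doc: Document) -> list[str]:
    """Rules about protection at rest: encryption for soft copies, locked storage for paper."""
    problems = []
    if doc.classification in HARD_COPY_STORAGE:
        if doc.soft_copy and not doc.encrypted:
            problems.append("soft copy must be encrypted")
        if not doc.soft_copy and doc.storage not in HARD_COPY_STORAGE[doc.classification]:
            allowed = " or ".join(sorted(HARD_COPY_STORAGE[doc.classification]))
            problems.append(f"hard copy must be kept in a {allowed}")
    return problems


def circulation_violations(doc: Document, recipient: str, is_employee: bool) -> list[str]:
    """Every rule that sending `doc` to `recipient` would break; an empty list means it is allowed."""
    problems = storage_violations(doc)
    level = doc.classification
    if level == Classification.PUBLIC:
        return problems                      # Class 0: anyone may receive it
    if not is_employee:
        problems.append("may not be circulated outside the company")
    if level >= Classification.CONFIDENTIAL and recipient not in doc.named_readers:
        problems.append("recipient is not on the named distribution list")
    if level == Classification.STRICTLY_CONFIDENTIAL and recipient not in doc.originator_cleared:
        problems.append(f"originator {doc.originator} has not approved circulation to {recipient}")
    return problems


def requires_secure_disposal(doc: Document) -> bool:
    """Class 2 and Class 3 material must be destroyed securely, not just thrown away."""
    return doc.classification >= Classification.CONFIDENTIAL


# Constructed sample documents (titles and user names are made up for the example).
PRESS_RELEASE = Document("Press release", Classification.PUBLIC, "comms", soft_copy=True)
NEWSLETTER = Document("October company newsletter", Classification.INTERNAL, "comms", soft_copy=True)
SALARY_SHEET = Document("Q3 salary sheet", Classification.CONFIDENTIAL, "hr.lead",
                        soft_copy=True, encrypted=True,
                        named_readers=frozenset({"hr.lead", "cfo"}))
PATENT_DRAFT = Document("Patent draft", Classification.STRICTLY_CONFIDENTIAL, "rd.head",
                        soft_copy=False, storage="locked cupboard",
                        named_readers=frozenset({"rd.head", "legal"}),
                        originator_cleared=frozenset({"legal"}))


if __name__ == "__main__":
    checks = [(PRESS_RELEASE, "journalist", False), (NEWSLETTER, "journalist", False),
              (SALARY_SHEET, "cfo", True), (SALARY_SHEET, "intern", True),
              (PATENT_DRAFT, "legal", True), (PATENT_DRAFT, "marketing", True)]
    for doc, who, employee in checks:
        verdict = circulation_violations(doc, who, employee) or ["allowed"]
        print(f"{doc.title} -> {who}: {'; '.join(verdict)}")
        print(f"  secure disposal required: {requires_secure_disposal(doc)}")
```

The check returns every broken rule rather than stopping at the first one, so the output doubles as a checklist of what must change (encrypt the file, move the folder to the safe, ask the originator) before the document may go out.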

Sunday, September 16, 2007

IT Security Management - Policies, Procedures, Standards & Guidelines

IT Policies or IT Central Directives

They are high-level statements which state the Management's direction in information security and privacy.

They state the organisational setup of the IT security structure and the security of workstations or computers.

They establish the framework and basis of information security for an organisation.

Examples of internationally recognised frameworks include ISO 27001, SOX, ITIL, COBIT, etc.

In my next post, I will talk about procedures, which are detailed instructions on the execution of IT policies.

