
Data Classification

[Department]
Introductory Presentation

[Date]

OBJECTIVES OF SESSION: Answer Five Key Questions Re Data Classification

- What is Information Security?
- Why does security matter to us?
- What's Data Classification all about?
- How does it work?
- What do we have to do?

What is Information Security?


WoVG Information Security Standards are based around information assets. They protect the CONFIDENTIALITY, INTEGRITY & AVAILABILITY of information.

Information assets include:
- Plans, budgets, agreements etc.
- Patents
- Software
- Electronic files / hard copies
- Financial information
- Personal information / health information

Threats to those assets include:
- Errors
- Fraud
- Theft
- Natural disasters
- IP theft
- Hacking
- Accidental disclosure
- Damage
- ID theft

Why does security matter? Business impact

- Who feels the impact, and who is blamed, if sensitive data is leaked or lost?
- Who will be accountable if critical information is lost/destroyed and not available when required?
- What would be the impact if key information is incorrect/corrupted?
- Are you certain that your information, reputation and job are secure?

Consider your information & projects.

Victorian Auditor General's Office Findings

The Victorian Auditor General's Office found that the confidentiality of personal information collected and used by the public sector can be, and has been, easily compromised. It found that threats to and vulnerabilities of the systems and networks were understood within the information technology section, but that this advice had not made its way to senior management, so the risks were not effectively managed. Risks were not uniformly managed. Compliance by staff with information security requirements was not monitored.

What's Data Classification all About?

WoVG Information Security Policy, Standards and Guidelines

POLICY
- SEC/POL/01 WoVG Information Security Policy

STANDARDS
- SEC/STD/01 (ISMF)
- SEC/STD/02 (Data Classification)
- SEC/STD/03 (Penetration Testing)
- SEC/STD/04 (Use of Portable Storage Devices)

GUIDELINES & TEMPLATES
- SEC/GUIDE/01 ISMF Guidelines (Available)
- SEC/GUIDE/02 Data Classification Guidelines
- SEC/GUIDE/03 Pen Testing Guidelines (Available)

WoVG Information Security Standards

SEC/STD/01 - ISMF (Information Security Management Framework). Its components:
- Information Security Policy
- Risk Assessment Report
- Statement of Applicability
- Information Security Management System

SEC/STD/02 - Data Classification. Classification levels for non-national security information:
- Highly Protected
- Protected
- X-in-Confidence
- Unclassified
- Public Domain

Data Classification Steps

Classify Data

1. Education and awareness
2. Identify information assets
3. Identify the information owner of the information assets
4. Undertake an impact assessment on the information assets
5. Determine the security classification of the information asset
6. Select and apply controls based on the security classification
7. Document information assets in the security classified information register
8. Maintain the Classified Information Register (continuous review)


Control Selection Steps

- Review controls currently in place
- Perform gap analysis
- Perform risk assessment
- Control implementation plan

What is it & How does it Work?

PSM Data Classification Scheme

- Public Domain: information that can be accessed by anyone at any time.
- Unclassified: information not yet classified, or information that does not require enhanced protection but can be accessed only if there is a need to know (so it requires a base level of protection).
- Security classified (X-in-Confidence, Protected, Highly Protected): information that requires an enhanced degree of protection.

National Security Information

Any official resource (including equipment) that records information about or is associated with Australia's:
- security, in relation to espionage, sabotage, politically motivated violence or promotion of communal violence; or
- national interest, in relation to economic, scientific or technological matters vital to Australia's stability and integrity.

Non-national security information

Any official resource (including equipment) that requires increased protection but does not meet the definition of national security information.

Public Domain / Unclassified

Public Domain
Information that has been approved for public consumption and does not require need to know, e.g. information on the web site, budget papers after release.

Unclassified
Information that does not require any special protection, but the person accessing it must have a need to know.

Need to Know
For any classification except Public Domain, the need-to-know principle applies: information cannot be accessed by a user unless there is a clear need to know.

Data Classification (Non-National)

Classification: X-IN-CONFIDENCE
Used when the compromise of the information could cause limited damage to the Government, commercial entities or members of the public. This protective marking is accompanied by a notification of the subject matter to ensure correct handling and an easy appreciation of the need-to-know requirement. Types of X-IN-CONFIDENCE markings include STAFF-IN-CONFIDENCE, SECURITY-IN-CONFIDENCE, COMMERCIAL-IN-CONFIDENCE and AUDIT-IN-CONFIDENCE. Note: the X-IN-CONFIDENCE marker does not include Cabinet-in-Confidence information.

Criteria
Where compromise could:
- cause substantial distress to individuals or private entities;
- cause financial loss or loss of earning potential to, or facilitate improper gain or advantage for, individuals or private entities;
- prejudice the investigation or facilitate the commission of crime;
- breach proper undertakings to maintain the confidentiality of information provided by third parties;
- impede the effective development or operation of government policies;
- breach statutory restrictions on the management and disclosure of information;
- disadvantage the Government in commercial or policy negotiations with others; or
- undermine the proper management of the public sector and its operations.

Data Classification (Non-National)

Classification: PROTECTED
Used when the compromise of the information could cause damage to the (Australian or State) Government, commercial entities or members of the public. [Includes Cabinet-in-Confidence data]

Criteria
Where compromise could:
- endanger individuals and private entities;
- work substantially against government finances or economic and commercial interests;
- substantially undermine the financial viability of major organisations;
- impede the investigation or facilitate the commission of serious crime; or
- seriously impede the development or operation of major government policies.

Note: Most non-national security information would be adequately protected by the procedures given to information marked X-IN-CONFIDENCE or PROTECTED.

Data Classification (Non-National)

Classification: HIGHLY PROTECTED
The HIGHLY PROTECTED marking indicates that the information requires a substantial degree of protection, as compromise of the information could cause serious damage to the Australian or State Governments, commercial entities or members of the public.

Criteria
Where compromise could:
- threaten life directly;
- seriously prejudice public order; or
- substantially damage government finances or economic and commercial interests.

Note: Very little information belongs in the HIGHLY PROTECTED category, and the marking should be used sparingly.

Data Classification
Beware of Classifying too Highly

Information should only be security classified when the consequences of compromise warrant the expense of increased security protection. It is important that information not requiring protection remains unclassified. Inappropriate over-classification has a number of seriously detrimental effects:
- it limits public access unnecessarily;
- it is costly to administer;
- the volume of classified information becomes too large to protect adequately; and
- classification and security procedures are brought into disrepute.

So only security classify information when there is a clear and justifiable need to do so.

[Chart: cost/effect ($ / Effect) against volume of classified information]

What do we have to do? Data Gathering and Mapping .....

We need to:
- Identify business functions performed by each Team
- Identify applications used by each business function
- Identify datasets used/maintained by each application

Division: Name of your Division
Branch: Name of your Branch
Group: Name of your Group (within the Branch)
Business Function: List the business functions performed

Data Gathering and Mapping .....2

Record details for:
- Dept/Branch
- Business Function
- Business Owner
- Application
- Application Owner
- Datasets / File Details
- Storage Details
- Dataset Owner
- Classification
- Classifier
- Impact of Loss/Corruption
- Infrastructure
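As an added example (not code from these slides, nor from WoVG or the department), the following Python model ties the Data Classification Steps to the register fields listed above: it derives a classification from the impact assessment using the limited damage / damage / serious damage criteria of the classification slides, applies the need-to-know rule (everything except Public Domain), requires a subject-matter qualifier for X-IN-CONFIDENCE markings, moves Cabinet-in-Confidence material to PROTECTED, and flags assets that have no information owner or that a classifier has marked higher than the impact supports, so that Information Owners can review and correct them. Every class, function, field and dataset name is an assumption made for the example, and the sample assets are constructed.

```python
"""Toy 'security classified information register' following the classification
steps and record fields described in the slides. Added illustration only: not
WoVG or departmental code; all names here are assumptions."""
from enum import Enum
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class Impact(Enum):
    """Result of the impact assessment. The slides word the levels as
    'limited damage', 'damage' and 'serious damage'; NONE is assumed."""
    NONE = 0
    LIMITED = 1
    DAMAGE = 2
    SERIOUS = 3


class Classification(Enum):
    PUBLIC_DOMAIN = "PUBLIC DOMAIN"
    UNCLASSIFIED = "UNCLASSIFIED"
    X_IN_CONFIDENCE = "X-IN-CONFIDENCE"
    PROTECTED = "PROTECTED"
    HIGHLY_PROTECTED = "HIGHLY PROTECTED"


# Ordering (definition order) used to detect over- and under-classification.
RANK = {c: i for i, c in enumerate(Classification)}
# Subject-matter qualifiers the slides list for X-IN-CONFIDENCE markings.
X_QUALIFIERS = {"STAFF", "SECURITY", "COMMERCIAL", "AUDIT"}


@dataclass
class InformationAsset:
    """One register row; fields follow the 'Record details for' slide."""
    dept_branch: str
    business_function: str
    application: str
    dataset: str
    storage: str
    dataset_owner: Optional[str]
    impact: Impact
    classifier: str
    approved_for_public_release: bool = False
    cabinet_in_confidence: bool = False
    x_qualifier: Optional[str] = None                 # e.g. "COMMERCIAL"
    classification: Optional[Classification] = None   # as set by the classifier
    need_to_know: bool = False


def determine_classification(asset: InformationAsset) -> Classification:
    """'Determine security classification' step: map impact to a marking."""
    if asset.impact is Impact.SERIOUS:
        level = Classification.HIGHLY_PROTECTED
    elif asset.impact is Impact.DAMAGE:
        level = Classification.PROTECTED
    elif asset.impact is Impact.LIMITED:
        level = Classification.X_IN_CONFIDENCE
    elif asset.approved_for_public_release:
        level = Classification.PUBLIC_DOMAIN
    else:
        level = Classification.UNCLASSIFIED
    # Slides: Cabinet-in-Confidence is never X-IN-CONFIDENCE; it is PROTECTED.
    if asset.cabinet_in_confidence and RANK[level] < RANK[Classification.PROTECTED]:
        level = Classification.PROTECTED
    return level


def marking(asset: InformationAsset) -> str:
    """Protective marking text, e.g. COMMERCIAL-IN-CONFIDENCE."""
    if asset.classification is Classification.X_IN_CONFIDENCE:
        return f"{asset.x_qualifier}-IN-CONFIDENCE"
    return asset.classification.value


def validate(asset: InformationAsset) -> List[str]:
    """Apply the slides' rules to one asset; returns findings for owner review."""
    findings: List[str] = []
    if not asset.dataset_owner:
        findings.append(f"{asset.dataset}: no information owner assigned")
    derived = determine_classification(asset)
    if asset.classification is None:
        asset.classification = derived          # no classifier decision yet
    elif RANK[asset.classification] > RANK[derived]:
        findings.append(f"{asset.dataset}: marked {asset.classification.value} "
                        f"but impact supports only {derived.value} (over-classification)")
    elif RANK[asset.classification] < RANK[derived]:
        findings.append(f"{asset.dataset}: marked {asset.classification.value} "
                        f"but impact requires {derived.value} (under-classification)")
    if (asset.classification is Classification.X_IN_CONFIDENCE
            and asset.x_qualifier not in X_QUALIFIERS):
        findings.append(f"{asset.dataset}: X-IN-CONFIDENCE needs a subject-matter "
                        f"qualifier from {sorted(X_QUALIFIERS)}")
    # Need-to-know applies to every classification except Public Domain.
    asset.need_to_know = asset.classification is not Classification.PUBLIC_DOMAIN
    return findings


def build_register(assets) -> Tuple[Dict[str, InformationAsset], List[str]]:
    """Document the assets in the register and collect review findings."""
    register: Dict[str, InformationAsset] = {}
    findings: List[str] = []
    for a in assets:
        findings.extend(validate(a))
        register[a.dataset] = a
    return register, findings


# Constructed sample assets (fictional names and datasets).
SAMPLE_ASSETS = [
    InformationAsset("Finance", "Budget publication", "Web CMS", "Published budget paper",
                     "public web server", "A. Owner", Impact.NONE, "J. Classifier",
                     approved_for_public_release=True),
    InformationAsset("Procurement", "Tendering", "Tender portal", "Supplier tender evaluations",
                     "file share", "B. Owner", Impact.LIMITED, "J. Classifier",
                     x_qualifier="COMMERCIAL"),
    InformationAsset("Executive", "Cabinet liaison", "Document system", "Cabinet submission drafts",
                     "document system", "C. Owner", Impact.LIMITED, "J. Classifier",
                     cabinet_in_confidence=True),
    InformationAsset("Facilities", "Room bookings", "Calendar", "Meeting room roster",
                     "shared calendar", None, Impact.NONE, "J. Classifier",
                     classification=Classification.PROTECTED),
]

if __name__ == "__main__":
    reg, found = build_register(SAMPLE_ASSETS)
    for a in reg.values():
        print(f"{a.dataset:28} {marking(a):26} need-to-know={a.need_to_know}")
    for f in found:
        print("REVIEW:", f)
```

Running the script prints one register line per asset and the review findings: the meeting-room roster is reported twice, once for having no owner and once for being marked PROTECTED when its impact supports only UNCLASSIFIED, which is the over-classification the slides warn about.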

What Next?
The project requires active support and assistance to:
- provide the right people for workshops to document the functions/applications/information assets applicable to each team and complete the High Level Data Classification;
- assist in assigning ownership of each information asset; and
- encourage Information Owners to review and accept or correct classification levels.

Discussion