A general classification framework is established to place data in information classes (i.e., security categories) and to allocate ownership. Access rules for each class are then defined accordingly. Treadstone 71 can help you establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, proprietary, confidential, restricted confidential) of enterprise data. This scheme includes details about data ownership, the definition of appropriate security levels and protection controls, and a brief description of data retention and destruction requirements, criticality and sensitivity. It is used as the basis for applying controls such as access controls, archiving or encryption.
Treadstone 71 helps you understand what is realistically achievable. Not all organizations are ready to accept the disciplines required for a complete data classification scheme. Therefore, a realistic assessment of your company's readiness is needed, and that understanding should guide the development of the data classification scheme. Most companies are ready to undertake a data classification program; in order to do so, there are several areas to consider. Treadstone 71 takes you through this difficult maze.
Regardless of the approach chosen, it is important that key stakeholders be part of the data classification strategy and design. Individuals who feel they are part of the strategy are more likely to support it during implementation. Key stakeholders to involve:
All Business groups
Legal
Risk
Systems
Internal Audit
Compliance
Privacy
Companies must garner C-level executive management and risk management support for the information classification process because it requires a detailed understanding of the entire company's business processes. Ultimately, it is executive management's responsibility to approve the data classification scheme and agree to the classification assignments of business information by data owners. Treadstone 71 is your key to building this bridge.