The path to growth of cissp (9): reviewing information security management (3)

In the previous article 《 Review information security governance (2)J0ker briefly introduces some key points of risk analysis and evaluation. We all know that if we want to do multiple tasks at the same time, we need to arrange the execution order and investment according to the priorities of the tasks. This is also required when implementing information security projects, deploy different security solutions based on the value of the information assets to be protected and evaluate the cost-effectiveness ratio. In this article, j0ker will introduce information classification (information classification) to you ), this is an important tool to help organizations conduct security projects more effectively.

What is information classification?
Information classification refers to the classification of information based on business risks, values of data, and other standards of information. The Organization can identify the most significant factors that affect the Organization's business through information classification, and implement different protection and Backup Recovery solutions based on information levels. The purpose of information classification is to reduce the cost for organizations to protect all their own information. Meanwhile, the identification of key information by information classification can also enhance the decision-making ability of the organization.

What are the advantages of information classification in organization implementation?
Information classification should be implemented at the organization level. If it is implemented at the department level or lower level, it cannot reflect its advantages. The advantages of information classification in organization implementation are:

1. All data within the Organization is enhanced in confidentiality, integrity, and availability due to the implementation of correct protection measures
2. The Organization can make the most effective use of the information protection budget, because the Organization can design and deploy the most appropriate protection scheme based on the information level.
3. The organizational decision-making capability and accuracy can be enhanced through information classification.

In addition, organizations can reorganize their business processes and information processing needs through information classification processes.

General information classification process
Different organizations have different information classification projects because of their own situations. The cissp official guide provides a more effective and general process. j0ker will list it below, and briefly introduce common questions in the cissp examination and the key points of the study. At the same time, these knowledge points are also the content that cissp should be proficient in.

The process of a standard information classification project is as follows:
1. initial preparationIn the official guide, this stage is summarized as "question to ask" and several questions are provided. The supervisor of the information classification project should ensure that all questions at this stage are answered before continuing the project. These problems are:

Whether the management layer supports this information classification project, whether it is an information classification project or another larger security project, the management layer's support for the project is the primary factor for project success. cissp CBK has always implemented this idea, it is also reflected in the cissp exam;
What are the information objects and risk factors to be protected? This can be answered through the subsequent risk analysis steps;
Whether there are requirements in laws and regulations. The information classification project director should give priority to laws and regulations when implementing the project;
Whether the Organization's information is owned by the entire business process (has the Business Accepted owner shipre sibility for the data), according to the understanding of j0ker, this question should be asked whether the organization has realized that, information comes from and is used in the entire business process of the Organization, not only in various IT facilities.

Have you prepared all the resources required for the project, including the planning and preparation of each step of the project and personnel training?

2. formulate various policies for guiding information classification projects,Including:
Information security policy specifies the Organization's ownership of all its data, data protection requirements, and management layer's support for information security projects. Information security policy is a document that determines the information security requirements of an organization in general, not in detail. All security projects of an organization are centered on it.

The data management policy specifies that information classification is a process for protecting information assets, the definition and security requirements of each information classification and the responsibilities of each role on the classification information are also determined.

As a supplement to information security policies, information management policies define the following:

① Information is the assets of the business unit to which it belongs;
② The manager of the business unit is the owner of the information;
③ IT facilities and departments are information holders;
④ Define the roles and responsibilities used in information classification and ownership;
⑤ Define the information levels and their corresponding standards;
⑥ Defines the minimum security requirements for each information level.
Among them, the first and second points are often observed in the cissp examination. The roles and responsibilities in information classification are also an important part of the cissp content, knowledge Systems in several cbks are directly related to them.

3. Risk Analysis:After formulating various policies and processes required for information classification projects, the project can enter the next stage-risk analysis, risk analysis requires the representatives of various departments of the Organization to form a joint working group for operations. If the resources or other reasons do not agree, the representatives of the most important departments of the Organization should also form a working group. J0ker reminded me again this time that the most important factor for the success of the risk analysis step is still the support from the governance layer, which is also frequently examined in the cissp examination.

4. Classification of implementation information:After the information classification criteria are determined and the risk analysis is completed, the project enters the implementation stage of information classification. From the perspective of cost and control difficulty, it is unwise for an organization to use too many information levels for its information, in addition to increasing deployment, governance costs, and control difficulty, too many levels may lead to unclear personnel responsibilities and low efficiency. Therefore, you can use an appropriate number of information levels and give each level a simple and easy-to-remember name.
The official guide provides information classification examples for reference. In a company, information can be divided into three levels based on business and risk: public, public information;
Internal use only, limited to various information used within the company (but not confidential );
Company Confidential, Company Confidential Document.
In addition, when reviewing the information classification part, you should also focus on the definition of roles and responsibilities. Roles in information classification can be defined based on the specific situation of the Organization, the most common ones are:
(1) Information owner, the manager or administrator of the Information Department in the organization
(2) Information custodian, usually an IT department, responsible for daily maintenance of information
(3) Application owner, the manager or administrator of the Department that owns an application that processes information in the Organization.
(4) User Manager is an example of a department or person who manages users and employees in an organization.
(5) security administrator, who is responsible for managing the system accounts and other usage of personnel in the organization, usually the network administrator in the Organization.
(6) security analyst, responsible for preparing various levels of information security plans and various security documents of the Organization, usually people such as CIOs, ciso, and CSO
(7) Data Analyst, person responsible for designing and maintaining data structures or types based on the organization's business

(8) solution provider and dataanalyst collaborate to provide data processing solutions
(9), end user, end user
For more specific definitions of roles and their responsibilities, see cisspofficialguide. Based on j0ker's review experience, the definition and responsibility of roles 1, 2, 4, and 5 should be carefully reviewed by CBK.