Information is a set of new data about a fact or event, previously unknown, that increases the existing level of knowledge. In the field of education and knowledge, information is created, transmitted and received extremely dynamically. The paper describes procedures for categorizing sets of information according to the security objectives defined for the field of education, and for moving levels of influence higher or lower than the default based on the magnitude of the damage caused by compromising the information. Because the level of influence of information is related to the activity of the Commissioner for Information of Public Importance, the content analysis deals with the compromise of different types of information.
2. DEFINITION AND CLASSIFICATION OF INFORMATION
• A set of new data about a fact or an event that increases the former level of knowledge.
• The area of education is particularly dynamic in the receipt and exchange of information.
• Setting security objectives.
• A method by which information receives an unambiguously corresponding categorical tag that represents the degree of sensitivity of the information (classification).
• In accordance with a defined level of categories of managed information.
3. CLASSIFICATION OF INFORMATION - TYPES OF SECRECY – PRESENT SITUATION
• The level of impact of information is associated with the activities of the Commissioner for Information of Public Importance and Personal Data Protection.
• The area of classification is regulated by law.
• Generally, information is divided according to the type of secrecy into the following categories:
• ARMY,
• STATE,
• OFFICIAL.
4. TYPES AND DEGREE OF SECRECY OF INFORMATION
Certain types of classification are to be added:
• Business and
• Professional secret.
The degree of secrecy is generally defined as state, strictly confidential, confidential and internal, without determining the degree of classification.
It is a wrong assumption that all other information that does not belong to the above is treated as public information: phone numbers, addresses, .. (except personal).
5. INFORMATION - INFORMATION SYSTEMS
The different approach presented in this paper is based primarily on the integration of information and information systems (IS), on a holistic approach to classifying information, the establishment of sustainable processes and the operational implementation of categorization.
6. SAFETY CATEGORY
Security categories are based on the potential impact on the institution of events that endanger the information and IS it needs to accomplish assigned tasks, protect assets, fulfill legal obligations, maintain its functions and protect individuals.
Three levels of influence are proposed:
• LOW,
• MODERATE AND
• HIGH
7. SECURITY OBJECTIVES
Mandatory security objectives are:
• CONFIDENTIALITY,
• INTEGRITY AND
• THE AVAILABILITY OF INFORMATION
Definitions:
CONFIDENTIALITY - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and information about property ownership.
The loss of confidentiality is the unauthorized disclosure of information.
8. SECURITY OBJECTIVES
• INTEGRITY - Protection against improper modification or destruction of information, including ensuring the authenticity and non-repudiation of information. Loss of integrity is the unauthorized modification or destruction of data.
• AVAILABILITY - The provision of timely and reliable access to and use of information. The loss of availability is the interruption of access to or use of data or of an information system.
9. LEVEL OF INFLUENCE
• The potential impact is low if the loss of confidentiality, integrity and availability can be expected to have a limited negative impact on business operations, assets, or individuals.
• The potential impact is moderate if the loss of confidentiality, integrity and availability is such that it can be expected to have a serious negative impact on business operations, assets, or individuals and can cause a significant drop in capabilities, to a scope and duration such that the institution is still able to perform its primary function.
10. LEVEL OF INFLUENCE
• The potential impact is high if the loss of confidentiality, integrity and availability is such that it can be expected to have a severe or catastrophic adverse effect on operations or individuals.
• A serious or catastrophic adverse effect means that the loss of confidentiality, integrity and availability may cause a serious decline or loss of ability, in scope and duration, so that the institution is unable to perform one or more of its basic functions, and may result in great damage to resources, large financial losses, or serious or catastrophic harm to individuals resulting in death or serious life-threatening injuries.
12. A METHOD OF CATEGORIZING
• The methodology used to identify the type of information is as follows:
• Identifying the core business areas and tasks that the IS under consideration supports;
• Identifying the internal and/or external operations for each business area and assigned task, the area or business flows, and a description of the IS in functional terms;
• Identifying the sub-functions necessary for the performance of each business area or activity;
• Identifying the main types of information associated with the identified sub-functions, where necessary.
13. [Figure: flowchart of the categorization process, with steps numbered 1 to 5. Box labels: IDENTIFY THE TYPE OF INFORMATION; CHOOSE THE TEMPORARY LEVEL OF IMPACT OF INFORMATION; CRITICAL EVALUATION OF THE ALLOCATED LEVEL OF INFLUENCE OF INFORMATION; HARMONIZE THE LEVEL OF IMPACT OF INFORMATION; ASSIGN SECURITY CATEGORY OF INFORMATION; ASSIGN SAFETY LEVEL OF INFORMATION SYSTEM; RECOMMENDATION FOR LEVEL OF IMPACT OF COMMON TYPE OF INFORMATION; RECOMMENDATION FOR LEVEL OF INFLUENCE OF SPECIFIC TYPE OF INFORMATION; RECOMMENDATION FOR LEVEL OF IMPACT OF THE INFORMATION SYSTEM.]
14. IMPLEMENTATION OF CLASSIFICATION
• To classify confidential information, each educational institution needs to establish a special expert working group to identify confidential information and the ways of storing, transmitting, copying and destroying it.
16. THE BUSINESS MODEL OF EDUCATIONAL INSTITUTIONS
Management Information and technology management
Information resource management Development system
Human Resource Management Life Cycle / Change Management
Human Resource Management IT security
Manage earnings / expense reimbursements Information management information
Training and development resources Financial management
Manage confidentiality checks Accounting
Employment Finances
Administration Management Collections and receivables
Facility Management / Time / Equipment Asset and Liability Management
Ancillary services of the institution Reporting and information
Security Supply Chain Management
Management Procurement of goods
Workplace Management and Development Policy Inventory control
Maintenance system Procurement service
Logistics management
17. OTHER FACTORS
When the educational institution determines the level of influence and the safety category by applying the above criteria, it considers the effects on safety for each type of information, analyzing the aforementioned conditions in the table below:
• Confidentiality factors for common information
• Integrity factors for common information
• Availability factors for common information
18. CATEGORIZATION OF INFORMATION IN EDUCATION FIELD
SECURITY OBJECTIVES | LOW | MODERATE | HIGH
Confidentiality: Keeping authorized limits on access to and disclosure of information, including the means for protecting personal privacy and ownership information. | Unauthorized disclosure of information may have a limited negative impact on business operations, assets, or individuals. | Unauthorized disclosure of information may have a serious negative impact on business operations, assets, or individuals. | Unauthorized disclosure could have a serious or catastrophic negative impact on business operations, assets, or individuals.
Integrity: Protecting information from unauthorized modification or destruction, including ensuring non-repudiation and authenticity of information. | Unauthorized modification or destruction of information can have a limited negative impact on business operations, assets, or individuals. | Unauthorized modification or destruction of information can have a serious negative impact on business operations, assets, or individuals. | Unauthorized modification or destruction of information can have a severe or catastrophic adverse effect on business operations, assets, or individuals.
Availability: The provision of timely and reliable access to and use of information. | Obstruction of access to the information system or the use of data may have a limited negative impact on business operations, assets, or individuals. | Obstruction of access to the information system or use of data can have a serious negative impact on business operations, assets, or individuals. | Obstruction of access to the information system or use of data can have a serious or disastrous negative impact on business operations, assets, or individuals.
19. RECOMMENDED SECURITY LEVEL OF INFORMATION
Security categorization support the transfer of inf. | Confidentiality | Integrity | Availability
Public affairs
Relations with local government / Ministry | Moderate | Moderate | Low
Jobs educational institutions
Execution of the function of education | Low | Low | Low
Human Resources Management
Strategy and Human resource management | Low | Low | Low
Internal risk management services
Recovery costs of information system | Moderate | Low | Low
Information and management system
System development | Low | Moderate | Low
IT System maintenance | Moderate | Moderate | Low
Maintenance of infrastructure IS | Low | Moderate | Moderate
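An added example, not part of the original slides: it takes the recommended levels from the "Information and management system" rows of the table above, applies a justified adjustment, and derives a level for the information system. Taking the highest level per objective (the high-water mark used in FIPS 199) is an assumption, since the slides do not state how type levels are combined; the adjustment and its reason are constructed.

```python
from dataclasses import dataclass, field

LEVELS = ("LOW", "MODERATE", "HIGH")   # the three levels of influence (slide 6)
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    name: str
    provisional: dict                  # recommended level per security objective
    adjustments: dict = field(default_factory=dict)  # objective -> (level, reason)

    def final(self):
        """Provisional levels with the reviewed adjustments applied."""
        levels = dict(self.provisional)
        for objective, (level, reason) in self.adjustments.items():
            if objective not in OBJECTIVES or level not in LEVELS:
                raise ValueError(f"{self.name}: invalid {objective}={level}")
            if not reason.strip():     # raising or lowering must be justified
                raise ValueError(f"{self.name}: adjustment needs a reason")
            levels[objective] = level
        return levels

def row(name, c, i, a, **adjustments):
    return InfoType(name, dict(zip(OBJECTIVES, (c, i, a))), adjustments)

def system_category(info_types):
    """Assumed rule: per objective, the highest level of any information type."""
    finals = [t.final() for t in info_types]
    per_objective = {o: max((f[o] for f in finals), key=LEVELS.index)
                     for o in OBJECTIVES}
    return per_objective, max(per_objective.values(), key=LEVELS.index)

# Recommended levels from the slide 19 table, "Information and management system".
RECOMMENDED = [
    row("System development", "LOW", "MODERATE", "LOW"),
    row("IT system maintenance", "MODERATE", "MODERATE", "LOW"),
    row("Maintenance of infrastructure IS", "LOW", "MODERATE", "MODERATE"),
]

# Constructed adjustment: the expert group raises integrity for one type.
ADJUSTED = RECOMMENDED[1:] + [
    row("System development", "LOW", "MODERATE", "LOW",
        integrity=("HIGH", "constructed: code handles student grade records")),
]

if __name__ == "__main__":
    for label, types in (("recommended", RECOMMENDED), ("adjusted", ADJUSTED)):
        per_objective, overall = system_category(types)
        print(label, per_objective, "->", overall)
```

An adjustment without a written reason is rejected, so every departure from the recommended level leaves a record for the working group.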
20. WHICH WAY TO GO
• Creating a catalog of information
• Determining the degree of granularity of information
21. BUSINESS AREAS
MINISTRY OF EDUCATION, REPUBLIC OF SERBIA
• Information in the primary, secondary and vocational education,
• Information in higher education
• Other types of information in education,
• Information regarding counseling and types of consulting information,
• Information related to permits and licenses,
• Information related to the implementation and respect of legislation
regarding inspection and audit,
• Information about the security of certain kinds of information,
• Information related to the information system and monitoring networks
• Information exchange type of information,
• Information of general-purpose and statistical information
22. CONCLUSION
• A disorganized system of information protection is reflected in security.
• The awareness of employees about the importance of compliance with data protection regulations is still not at a satisfactory level.
• Adopting regulations, directives and other rules governing the protection of information, applying them in practice when dealing with classified information, and continuously training employees in the areas of information security.
• Undertake the categorization of information by defining security objectives.
• Access and categorization of the IS that create, preserve, process and transmit such information.
• Security categorization does not require the investment