The document discusses security policy development and data classification methods. It covers developing a security policy that aligns with business objectives, is understandable, uniform, and legally compliant. It also discusses classifying data into public, sensitive, private and confidential categories and having data owners and custodians define appropriate access controls for each classification. The document recommends implementing security awareness training tailored for senior management, staff and technical employees.

1. Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 4, Security Policy Development, Data
Classification Methods, Workplace Controls

2. NNeexxtt TTiimmee
Security policies
Information classification
Security awareness training
09/11/14 UNIVERSITY OF WISCONSIN 2

3. SSeeccuurriittyy PPoolliiccyy
An overall general statement, produced
by senior management, which dictates
the role which security management
plays in the organization
Made up of goals and responsibilities
Shows strategic and tactical value of the
policy
Outlines how enforcement should be
carried out
09/11/14 UNIVERSITY OF WISCONSIN 3

4. SSeeccuurriittyy PPoolliiccyy CCoommppoonneennttss
BBuussiinneessss OObbjjeeccttiivveess
Business objectives should drive the
policy’s creation, implementation,
enforcement. The policy should not
dictate business objectives
09/11/14 UNIVERSITY OF WISCONSIN 4

5. SSeeccuurriittyy PPoolliiccyy CCoommppoonneennttss
MMaakkee IItt LLeeggiibbllee
The document should be written in plain
language, which all the employees can
easily understand the portions which
apply to them, without question
09/11/14 UNIVERSITY OF WISCONSIN 5

6. SSeeccuurriittyy PPoolliiccyy CCoommppoonneennttss
UUnniiffoorrmmiittyy
Make certain it fits all business
functions and processes
09/11/14 UNIVERSITY OF WISCONSIN 6

7. SSeeccuurriittyy PPoolliiccyy
LLeeggaall CCoonnffoorrmmiittyy
It should support all legislation and
regulations which apply to the company,
local, national and international
09/11/14 UNIVERSITY OF WISCONSIN 7

8. SSeeccuurriittyy PPoolliiccyy
AA LLiivviinngg DDooccuummeenntt
It should be re-visited on a regular basis
and updated as necessary, as changes
occur within the company.
Make certain that all changes are
documented and changes are recorded
09/11/14 UNIVERSITY OF WISCONSIN 8

9. SSeeccuurriittyy PPoolliiccyy
AAddaappttaabbiilliittyy
It should be written in such a way as to
make it useful for several years at a time,
under normal circumstances, and
flexible enough to deal with minor
changes, as they occur.
09/11/14 UNIVERSITY OF WISCONSIN 9

10. SSeeccuurriittyy PPoolliiccyy
LLaanngguuaaggee
The tone of the policy must be certain
and strong. Avoid using the word
“should”, as it leaves room for
interpretation. Instead, use the words
“shall”, “will” and “must”, throughout
the document
09/11/14 UNIVERSITY OF WISCONSIN 10

11. SSeeccuurriittyy PPoolliiccyy
SSttyyllee
No frills
Professional looking
Consistent presentation
09/11/14 UNIVERSITY OF WISCONSIN 11

12. WWhhyy iiss IITT SSeeccuurriittyy PPoolliiccyy
SSoo IImmppoorrttaanntt??
Helps identify company’s valuable assets
Provides authority to the security team
and their activities
Provides a reference to review when
conflicts pertaining to security arise
States clearly the company’s goals and
objectives in the area of security
Outlines personal responsibility
09/11/14 UNIVERSITY OF WISCONSIN 12

13. WWhhyy iiss IITT SSeeccuurriittyy PPoolliiccyy
SSoo IImmppoorrttaanntt??
Helps prevent unanticipated events
from occurring
Defines the scope and boundaries for the
security team and its functions
Outlines incident response
responsibilities
Outlines the company’s response to legal
and regulatory requirements
09/11/14 UNIVERSITY OF WISCONSIN 13

14. TThhrreeee TTyyppeess ooff
SSeeccuurriittyy PPoolliicciieess EExxiisstt
Regulatory
Advisory
Informative
09/11/14 UNIVERSITY OF WISCONSIN 14

15. SSeeccuurriittyy PPoolliiccyy TTyyppeess
RReegguullaattoorryy
Ensures that the company is following
standards set by specific industry
regulations. It is very detailed and
specific to a type of industry:
Finance
Healthcare
Government
09/11/14 UNIVERSITY OF WISCONSIN 15

16. SSeeccuurriittyy PPoolliiccyy TTyyppee
AAddvviissoorryy
Tells employees which types of behaviors
and activities shall and shall not take place
within the organization
How to handle:
Medical information
Financial transactions
Confidential information
Outlines ramifications for non-compliance
09/11/14 UNIVERSITY OF WISCONSIN 16

17. SSeeccuurriittyy PPoolliiccyy TTyyppee
IInnffoorrmmaattiivvee
Informs employees on generalities of
certain topics, but is not enforceable.
It teaches about issues important to the
company, such as how the company
would like employees to interact with
business partners, the company’s goal
and mission, or the corporate reporting
structure
09/11/14 UNIVERSITY OF WISCONSIN 17

18. SSeeccuurriittyy PPoolliiccyy
DDuuee DDiilliiggeennccee FFoorrwwaarrdd
Due Diligence, is the act of investigating
and understanding the risks the
company faces
09/11/14 UNIVERSITY OF WISCONSIN 18

19. SSeeccuurriittyy PPoolliiccyy
DDuuee CCaarree
Is a statement which demonstrates that
the company has accepted and taken
responsibility for activities which take
place in the organization
09/11/14 UNIVERSITY OF WISCONSIN 19

20. HHooww DDuuee DDiilliiggeennccee
DDuuee CCaarree aarree RReellaatteedd
Due diligence is the understanding of
the threats and risks, while due care is
the countermeasures which the
company has put in place to address the
threats and risks
09/11/14 UNIVERSITY OF WISCONSIN 20

21. IInnffoorrmmaattiioonn CCllaassssiiffiiccaattiioonn
In the field of data management, data
classification is defined as a tool for
categorization of data to enable/help
organization to effectively answer following
questions:
What data types are available?
Where are certain data located?
What access levels are implemented?
What protection level is implemented and
does it adhere to compliance regulations?
09/11/14 UNIVERSITY OF WISCONSIN 21

22. DDaattaa CCllaassssiiffiiccaattiioonn
Commercial Enterprise
Military
You are business students, so we will
focus on commercial enterprise data
classification terminology
09/11/14 UNIVERSITY OF WISCONSIN 22

23. DDaattaa CCllaassssiiffiiccaattiioonn
TTyyppeess
Public
Sensitive
Private
Confidential
09/11/14 UNIVERSITY OF WISCONSIN 23

24. DDaattaa CCllaassssiiffiiccaattiioonn
PPuubblliicc
Definition: Disclosure is not welcome,
but it would not cause an adverse impact
or damage to the company or its
employees
Examples:
How many people work at the company
Current job positions posted on the
website
09/11/14 UNIVERSITY OF WISCONSIN 24

25. DDaattaa CCllaassssiiffiiccaattiioonn
SSeennssiittiivvee
Definition: Requires special precautions to
ensure the integrity and confidentiality of
the data, by preventing it from
unauthorized modification or deletion.
Requires higher than normal assurance of
accuracy and completeness
Example:
Financial information
Details of projects
Profit earnings and forecasts
09/11/14 UNIVERSITY OF WISCONSIN 25

26. DDaattaa CCllaassssiiffiiccaattiioonn
PPrriivvaattee
Definition: Personal information, for use
only within the company. Unauthorized
disclosure could adversely affect
employees, the company, its business
partners or customers
Examples:
Work history
HR information
Medical information
09/11/14 UNIVERSITY OF WISCONSIN 26

27. DDaattaa CCllaassssiiffiiccaattiioonn
CCoonnffiiddeennttiiaall
Definition: For use within the company
only. Exempt from disclosure under the
Freedom of Information Act. Unauthorized
disclosure could seriously affect a company
Examples:
Trade secrets
Programming software code
Information that keeps the company
competitive
09/11/14 UNIVERSITY OF WISCONSIN 27

28. DDaattaa CCllaassssiiffiiccaattiioonn
PPrroocceedduurreess
1. Define classification levels
2. Specify the criteria by which data will
be classified
3. Have the data owner indicate the
classification level for their data
4. Identify the data custodian, who will
be responsible for maintaining the
data and its security level
5. Indicate the controls to be applied at
each classification level
09/11/14 UNIVERSITY OF WISCONSIN 28

29. DDaattaa CCllaassssiiffiiccaattiioonn
PPrroocceedduurreess
6. Document any exceptions in detail
7. Indicate the methods which are used
to transfer data custody to a different
owner
8. Create a procedure to periodically
review the data’s classification and
ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a
security awareness program
09/11/14 UNIVERSITY OF WISCONSIN 29

30. IIff YYoouu CChhoooossee ttoo CCrreeaattee
YYoouu OOwwnn DDaattaa CCllaassssiiffiiccaattiioonn SSyysstteemm
Too many levels will make classification
complex and confusing
Too few levels will encourage sloppy
data classification
There should be no overlap between
classification levels
Classification levels should be developed
for both data and the systems housing
the data, and they should match
09/11/14 UNIVERSITY OF WISCONSIN 30

31. HHiirriinngg PPrraaccttiicceess
Job skill screening
Reference check
Non-disclosure agreement (NDA) signed
Education verification
Criminal background check
Credit report check
Sex offender check
Drug screening
Professional license check
Immigration status check
Social Security Number trace to ensure validity
09/11/14 UNIVERSITY OF WISCONSIN 31

32. EEmmppllooyyeeee CCoonnttrroollss
RRoottaattiioonn ooff DDuuttiieess
No one person should stay in one
position for an uninterrupted period of
time, as this may enable them to have
too much control over a segment of
business
Mandatory vacation policy
09/11/14 UNIVERSITY OF WISCONSIN 32

33. EEmmppllooyyeeee CCoonnttrroollss
SSeeppaarraattiioonn ooff DDuuttiieess
Split knowledge system: No single
employee has the knowledge to do a task
by themselves
Example
Dual control: No single employee has
the physical ability to do a task by
themselves
Example
09/11/14 UNIVERSITY OF WISCONSIN 33

34. TTeerrmmiinnaattiioonn PPrraaccttiicceess
Each company needs a set of pre-defined
termination procedures
Example:
Once terminated, the employee must be
escorted out of the facility by their manager
Employee must immediately surrender keys,
employee badge, etc.
Employee must be asked to complete an exit
interview and return company property
The terminated employee’s online accounts
must be disabled immediately upon
termination
09/11/14 UNIVERSITY OF WISCONSIN 34

35. BBeewwaarree ooff DDiissggrruunnttlleedd
FFoorrmmeerr EEmmppllooyyeeeess
09/11/14 UNIVERSITY OF WISCONSIN 35

36. SSeeccuurriittyy AAwwaarreenneessss
TTrraaiinniinngg PPrrooggrraamm
One for senior management
One for staff
One for technical employees
Responsibilities
Liabilities
Expectations
09/11/14 UNIVERSITY OF WISCONSIN 36

37. SSeeccuurriittyy AAwwaarreenneessss
SSeenniioorr MMaannaaggeemmeenntt
Focus on: corporate assets, financial
gains and losses which can occur due to
information security incidents. They are
the leaders, they must demonstrate the
proper mindset to the rest of the
company
09/11/14 UNIVERSITY OF WISCONSIN 37

38. SSeeccuurriittyy AAwwaarreenneessss
MMiidd--MMaannaaggeemmeenntt
Focus on: policies, standards and
guidelines and how they map to
individual departments, responsibility
for ensuring their employees adherence
to the security policies, and how the
managers will be held accountable for
enforcement
09/11/14 UNIVERSITY OF WISCONSIN 38

39. SSeeccuurriittyy AAwwaarreenneessss
EEmmppllooyyeeeess
Focus: on the operational aspects of
information security, proper system
usage, how to recognize a security issue
and how to properly handle and report a
suspected information security incident
09/11/14 UNIVERSITY OF WISCONSIN 39

40. NNeexxtt CCllaassss
AAcccceessss CCoonnttrrooll
09/11/14 UNIVERSITY OF WISCONSIN 40

41. 09/11/14 UNIVERSITY OF WISCONSIN 41

42. 09/11/14 UNIVERSITY OF WISCONSIN 42

43. 09/11/14 UNIVERSITY OF WISCONSIN 43

44. 09/11/14 UNIVERSITY OF WISCONSIN 44

45. 09/11/14 UNIVERSITY OF WISCONSIN 45

46. 09/11/14 UNIVERSITY OF WISCONSIN 46

47. 09/11/14 UNIVERSITY OF WISCONSIN 47

48. 09/11/14 UNIVERSITY OF WISCONSIN 48

49. 09/11/14 UNIVERSITY OF WISCONSIN 49

50. 09/11/14 UNIVERSITY OF WISCONSIN 50