Which is easier to protect: (1) the entire United States of America or (2) Fort Knox?
I am sure you all answered Fort Knox. Fort Knox was built to protect the stocks of gold held by the United States government. Its security is focused entirely on protecting the gold in its vaults. Nothing more, nothing less; it is all about the gold.
But, if you answered Fort Knox, then why are you treating information security as an effort to protect the entire United States? Take a look at your information security program and how it has been implemented.
Most of you are protecting everything with equal rigor. Yet, does everything need to be protected with the same thoroughness? Probably not, and that is what makes information security such a difficult occupation. We neglect to delineate what needs the most protection and what does not need as much, or any, protection.
From an information perspective, have you ever asked yourself what your organization’s “gold” is? I have met very, very few information security professionals who can answer that seemingly very simple question. Why? Because for some strange reason, information security professionals never seem to analyze just what it is that they need to protect.
Yes, I see a lot of risk analyses, but that just identifies the risks to the entire organization, not the information that is at risk.
Analysis of an organization’s information and what is important seems to be driven these days by the regulation du jour, be that PCI, HIPAA, GLBA or ISO. A complete, regulation-independent analysis of what information is important and needs protection just never seems to be performed. Since no such analysis is performed, organizations end up protecting the United States, not Fort Knox, and the task becomes a nightmare.
So what should you be doing? First, you need to develop an information classification standard to define your analysis. This does not need to be some sort of NSA or CIA type of standard with many different levels.
Typically, three or four levels are all this standard needs. Examples of information classification levels include:
- Unrestricted information is defined as information that is public knowledge or readily available to the public. Unrestricted information may be disclosed in the normal course of conversation or other methods of communication without regard to whom the communication is made. Information that is considered unrestricted includes, but is not limited to, publicly available sales and marketing materials and other information regarding products and services offered, facilities open to the general public, general electronic mail addresses and general telephone numbers for voice or facsimile communication. Internet Web sites available to all Internet users should contain only unrestricted information.
- Business need to know information is defined as information that is not readily available to the public, but can be disclosed in the normal course of conducting business once personnel have qualified that such information needs to be disclosed in order to continue transacting business. Before releasing such information, personnel should ask themselves if the request is reasonable based on the business being conducted. Examples of information that is considered business need to know include, but are not limited to, employee names and direct telephone numbers, direct facsimile telephone numbers, employee electronic mail addresses, operational (i.e., non-public) facility addresses and telephone numbers, and other general or generic operational information about the organization. Internet Web sites that require users or customers to log on can contain business need to know information.
- Confidential information is information that cannot be disclosed outside of the organization without prior written approval of management. Confidential information includes, but is not limited to, processing volumes, service pricing, equipment configurations, vendor information (names, addresses and telephone numbers), application software used, types and numbers of computer equipment, and other similar business and technical information. Confidential information is never published on any Internet Web site unless written approval is obtained from Senior Management authorizing such publication. Confidential information shall only be transmitted electronically outside of the organization if it is encrypted according to the encryption standard. Access to confidential information requires authentication to the systems that store the confidential information, whether internally or remotely. Confidential information that is to be released to a third party requires that a Non-Disclosure Agreement (NDA) be executed between the parties.
- Restricted information is information that cannot be disclosed outside of a department or work group without prior written senior management approval. Restricted information includes, but is not limited to, customer information (names, contacts, addresses, telephone numbers, electronic mail addresses, credit card numbers, etc.), employee information (name, home address, telephone number, years of service, etc.), proprietary information (Board of Director meeting minutes, executive correspondence, financial statements, payroll information, internal cost structures, etc.) and customer proprietary information (accounts and balances, financial statements, partnership agreements, contracts, etc.). Restricted information can never be posted on any Internet Web site. Access to restricted information requires authentication to the systems that store restricted information, and two-factor authentication if the information is available remotely. Restricted information shall only be transmitted electronically outside of the organization if it is encrypted according to the encryption standard. Restricted information that is to be released to a third party requires that a Non-Disclosure Agreement (NDA) be executed between the parties.
Once you define what it is that you are protecting and classify it, it becomes a lot easier to develop ways of protecting it. But the key thing to remember is that you may have more than just one Fort Knox in your environment. You may have a PCI Fort Knox, a SOX Fort Knox and a HIPAA Fort Knox. You may be lucky enough to leverage infrastructure and combine PCI with HIPAA, but there are no guarantees.
The one wrench in the works is that a lot of organizations use packaged solutions that make segregating the information they contain difficult, if not impossible. So, getting your various classifications into your Fort Knox may be tricky or may require that you treat the whole system under the highest level classification.
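The four-level standard above, and the rule that a packaged system which cannot segregate its data is treated at its highest classification, can both be written down as a small policy check. This is an added illustration, not code from the original post; the level names, action names and context flags (`encrypted`, `authenticated`, `two_factor`, `nda`, `approval`) are assumptions chosen here, and the sample billing application is constructed.

```python
from enum import IntEnum

class Level(IntEnum):
    """The four classification levels of the standard, ordered by sensitivity."""
    UNRESTRICTED = 0
    BUSINESS_NEED_TO_KNOW = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

def system_classification(data_elements):
    """A system that cannot segregate its data inherits the highest level it holds (hypothetical helper)."""
    return max(data_elements.values(), default=Level.UNRESTRICTED)

def evaluate(level, action, **ctx):
    """Return (allowed, reason) for handling data at `level`; ctx flags name the controls in place."""
    if action == "public_web":
        return level == Level.UNRESTRICTED, "public sites carry only unrestricted information"
    if action == "authenticated_web":
        if level == Level.RESTRICTED:
            return False, "restricted information is never posted on any web site"
        if level == Level.CONFIDENTIAL and not ctx.get("approval"):
            return False, "confidential information needs senior management approval to publish"
        return True, "allowed behind logon"
    if action == "transmit_external":
        if level >= Level.CONFIDENTIAL and not ctx.get("encrypted"):
            return False, "confidential and restricted data leave the organization only encrypted"
        return True, "allowed"
    if action == "remote_access":
        if level >= Level.CONFIDENTIAL and not ctx.get("authenticated"):
            return False, "access to confidential or restricted data requires authentication"
        if level == Level.RESTRICTED and not ctx.get("two_factor"):
            return False, "remote access to restricted data requires two-factor authentication"
        return True, "allowed"
    if action == "release_third_party":
        if level >= Level.CONFIDENTIAL and not (ctx.get("approval") and ctx.get("nda")):
            return False, "third-party release needs written approval and an executed NDA"
        return True, "allowed"
    raise ValueError(f"unknown action: {action}")

# Constructed sample: a packaged billing application that mixes data of several levels.
BILLING_APP = {
    "service_pricing": Level.CONFIDENTIAL,
    "customer_card_numbers": Level.RESTRICTED,
    "support_phone_number": Level.UNRESTRICTED,
}

if __name__ == "__main__":
    level = system_classification(BILLING_APP)  # RESTRICTED: the card numbers set the bar
    print(level.name, evaluate(level, "remote_access", authenticated=True))
```

Because the card numbers cannot be separated from the pricing data, the whole application is handled as restricted, so remote access to it is refused until two-factor authentication is in place.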
Vendors are getting more sensitive to this situation and recent versions of their software can sometimes allow for higher security and segregation for certain data elements or whole applications.
However, until you get out and create classifications and do your analysis, you are just blindly protecting assets and probably doing a lot of work for no reason.
Cross-posted from PCI Guru