
728    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

system of classification must be used. If you have ever seen any military or spy movies, you are probably familiar with the concept of "classified documents." You can use such a method to specify that certain documents are "top secret," "classified," or "for your eyes only," to control which documents are to be kept private. In many cases, however, you will come up with your own system.

A system of classification should be explained through a corporate policy, which defines the terms used and what they mean. When creating these classifications, the following levels should be included:

    ■   Public or unclassified, meaning that it can be viewed by people outside of the organization.

    ■   Classified, meaning that it is only for internal use, not for distribution to outside parties.

    ■   Management only, meaning that only managers and supervisors may view the information. This can be further broken down so that only certain levels of management can view it. For example, certain information may be suitable for top management, but not for supervisors of individual departments.

    ■   Department specific, so that people outside of a particular department do not view the information.

    ■   Private or confidential, which denotes that the information is only for the person to whom it was specifically sent.

    ■   High security levels, such as top secret or other classifications that stress the importance of the information. For example, the secret recipe of a product would fall into this category, as leaking this information could ruin a company.

    ■   Not to be copied, denoting that hard copies are not photocopied, and data files are not printed or copied to other media (such as floppy disk).

By providing a scheme of classification, members of an organization are able to understand the importance of information and are less likely to leak sensitive information. Incorporating such a scheme will also make other policies more understandable, as they can describe what information is being discussed. For example, a code of ethics could state that the private information of employees is classified and not to be shared with outside parties. This lessens the risk of sensitive data being shared with others, transmitted over insecure technologies, or exposed to other security risks.




