* Raissa Ataide
How important is adequacy regarding Information Classification?
The Asset Value
Goal
ISO/IEC 27002:2013 supports the organization in implementing controls, creating a well-established policy and complying with security requirements. It provides best practices for information security management and process definition, ensuring that they are continuously reviewed and appropriate to internal requirements, which results in more structured methodologies.
The maturity gain is noticeable for the company as sensitive data management is controlled and risks can be remedied. Improvements occur even in synergy between areas and employees, because a good implementation is linked to training and awareness. When everyone follows the same guidelines, they are aware of internal vulnerabilities and means of prevention, resulting in reduced risk, especially in cases of information leakage.
Labeling
Companies themselves may define the labeling criteria for their information, but these labels must be well documented and defined in the internal information classification policy. Clarity and detail influence the knowledge base of everyone handling information and the way they act.
Today most organizations, by default, use the following labels:
• Confidential and/or Restricted: Information that requires the highest level of protection.
• Internal: Assets used internally and that may be shared by internal areas of the company.
• Public: Commonly accessible to all, visible to anyone.
It is the responsibility of the company to define which information will fall under these criteria.
Featured Information
Please note:
• Unclassified information may be treated as public, which may not match its actual criticality. For this reason, ALL information circulating in the organization should be classified;
• If necessary, establish in internal policy that information with extremely sensitive data should use encryption features, which help to make improper access to data difficult;
• Take care of the safe disposal of this data, from documentary (paper) information with shredders, to digital media and deleted files on machines, such as using the Eraser tool;
• Ensure that when mobile devices are formatted, no information remains accessible to anyone else;
• Report Information Security Incidents and take care to correct them effectively, avoiding recurrences;
• Ensure that new employees receive training and awareness work, and for existing employees, establish a regular refresher schedule;
• Review the Classification Policy at least annually or when significant changes in the environment occur that may affect the organization and its process;
• Map which third parties share information with the company;
• Create an information inventory and distribution list so that the areas are aware of them;
• Define who is responsible and, if the company does not have one, create a security team;
• Draw up a disclaimer and make sure everyone is aware of it;
• Perform access control and role segregation, especially for employees who have access to information contained in directories, systems, etc.
About SAFEWAY
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, who are in large part among the 100 largest companies in Brazil.
Today, through more than 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!