Information Security Management Assignment
Get free written samples by our Top-Notch subject experts and Online Assignment Help.
Data classification policy is mainly about the management of different types of information so that the various sensitive data can be handled and protected properly. There are a number of principles of the data classification policy by the application of which different sensitive information can be protected securely. Moreover, GDPR act is also associated with the data classification policy by which transparency of data can be maintained which is also the principle of the data classification policy.
Concept of data classification policy
Data classification policy is mainly about the management of various types of information by its accurate classification by which different sensitive data can be handled and secured accurately. Data classification policy is mainly concerned with information management to confirm that the information is sensitive. The threat associated with the information is also considered. This depends on the process of gathering information and is being structured and used within the organization to allow the authorization for getting the correct data at the proper time. In the opinion of Alshaikh et al. (2018), information is personally authorized and capable of viewing all their data. The actual database contains such information that includes some elements of sensitivity. The level of sensitivity is also has been marked by considering the adverse effect associated with its Security policy, data classification, and risk analysis are particularly related to most organizations' functions to increase their security (Das et al. 2018). Data classification policy is an organization’s personification mark that defines its strategy.
Any security policy has a plan as high level to start in the management that intent as the particular corresponding on how their security is proficient in their organization. The most acceptable actions and the risk magnitude of an organization are personally prepared for accepting that. Moreover, specific data security and their policy could perform an individual risk assessment or might have the data classified by the organization.
Most of the organization and its risk assessment have balance instead of the loss threat. That is a catalyst to improve their countermeasures or safeguard that certainly reduces the risk. As per the view of Banker and Feng, (2019), the risk analysis and the data classification policies are very different concepts, which certainly fall under the specific security policy
The process of data classification policy
The data classification policy is very important and by its proper application, the various data can be secured and handled accurately. After that, it considered each kind of data belonging to the specific organization and classified it as per the permission and storage rights. These data might be categorized as public, sensitive, personal, or confidential. A data classification policy must consider any particular data classification adopted by industry standards and regulations. Bliss, (2021) opined that this particular policy of the data classification had activated the organizations for applying the proper security level to lower the company's overall risk.
Procedure and guidance for data classification and handling
There is a specific procedure for the classification of data as per the principle of data classification policy. Firstly, the risk assessment of the various sensitive data has been done by which how much risks are associated with the sensitive data are being known. After that, the principles of the data classification policy are being developed with the help of the GDPR act as per the identified risk associated with the sensitive data. Next, the categorization of the different types of data is being done based on some criteria and customer and partner data collection by the organization. After that, the specific location of the data is being discovered so that it can be found when needed. Next, the identification and classification of the data have been done based on which data can be secured accurately (Desuky et al 2022). After that, the controlling of the identified and classified data has been enabled by which the classified data can be controlled. Finally, the identified data is being maintained and monitored appropriately by which the overall process of handling and classification of the data is being done (Webert et al. 2022).
The procedure guide for such a university community was created to assist them in effectively managing their data in the daily mission related to all activities. The process should consider the nature of data, its importance, and its sensibility. The procedure for handling the data will be based on that particular quality. According to Da Veiga et al. (2020), the outline of the data classification procedure and lower level of protection are essential while performing some proper activities. This is based on the information classification. However, classification is essential for knowing the security practices, and that also must be used for protecting various kinds of data.
This can be exemplified through an example. Any parts of the data that needs much control are stringent due to the regulatory, statutory, and contractual obligation. Diesch et al. (2018) argued that the highest stringent protection needs a data subset that impacts and governs the overall data set. Though the entire data set and the procedure guide have attempted to build utmost security for the information, representation of these elements is not possible at a single stand.
University employees (staff, faculty, student employees) and others have covered personally (i.e. vendors, affiliates, independent contractors, and many others) in handling the data recording the information. Data handling has been included, but this is not limited to collecting, creating, viewing, accessing, storing, using, mailing, transferring, preserving, managing, or might be destroyed (Gschwandtner et al. 2018).
Data stewards might have a demand to assign a personal classification for collecting data, which is common in a specific function or purpose. In the opinion of Johnston et al. (2019), while classifying a data collection, the most confining classification of any individual data components must be used. For example, any data collection consists of the address, student's name, and social security number. In that case, the particular data collection must be classified as confined by the address, student's name, and public data.
Information classification according to ISO 27001
Information classification is a procedure in which an organization assesses the whole data they certainly hold and the protection level that must be given. According to Jung and Agulto, (2019), organizations generally classify confidential information, e.g., grants access for having control over the data management system. A typical system that would be included will have four levels of confidentiality,
- Restricted (most of the employees have access)
- Confidential (Just senior management have to access)
- Public Information (Each people has access)
- Internal (all workers have access)
A more complex and larger organization would require more security levels. For example, in the hospital, nurses and doctors require access to their patient's individual information, including medical histories that are very sensitive. Nevertheless, most of them should not access such other kinds of sensitive data, like financial information and data.
The fit of ISO 27001
Organizations that are very serious about data protection must follow all guidelines and the set out of ISO 27001. This describes the standard for the highest data protection. Maintenance of information security management can be done according to the specific guidelines in the organization. Data classification has a significant role in data management. The objectives of A8.2 are to be controlled, which are included within the titled 'Information classification'. This instructs the organizations and confirms that the data has received some proper protection level.Kampová et al. (2020) state that the proper standard has not explained how they did that, but the actual procedure is relatively very simple. It only requires four easy steps.
i) Enter assets in inventory
This is the first step, and it is for collating all their information in much of the inventory. It also should note the person responsible for it and the format of the database, electronic documents, storage media, paper documents, and many others).
After the first step, identifying and classifying the information would be required. The owners of assets are mainly responsible for this, but actually, this is a good idea for their senior management to supply some guidelines on the real outcome of the particular organization and its ISO 27001 risk assessment. As per Li et al. (2021), much information that specifically would be affected through some larger risk that generally must be given in the larger levels confidentially.
Once classified the general information, the proper asset and the owner should create a particular system to label it. They have required various procedures for all of the information, specifically stored physically and digitally, but this must be consistent and clear as soon as possible. For example, they might decide that the specific paper documents would be labelled on such a front page and in the top-right corner of every subsequent page, the folder should contain the particular document.
This is the last step, and here they should establish some rules on how they protect every data on the format and classification. For example, they might say that the inclusive and the internal paper and their documents could be kept in an unlocked cabinet, which most employees could access. However, confined data must be placed in the confidential data store and locked cabinet in a secure location (Sauerwein et al. 2019).
Research of general data protection regulation
General data protection regulation (GDPR) could be considered the strictest pacific data protection rules worldwide. This rule has increased how many people could access their data and the position limit on their organizations that could be done with some individual information. In the opinion of Schuetz et al. (2020), the regulation has existed as such a proper framework for the specific laws across the continent, the last data protection directive of 1995. The final GDPR form has come around more than 4 years of negotiation and discussion. This was particularly adopted through the European council and European parliament in April 2016. The particular underpinning as the directive and regulation was specially published at the very end of April 2016.
GDPR came into force on 25th May of 2018. Many countries in Europe were given such capability to make small changes to suit their particular requirement. In the UK, this specific flexibility has led to the quickness of the data protection act in 2018 that superseded the last data protection act of 1998 (Tsaregorodtsevet al. 2018). The proper strength of the GDPR has specifically been lauded as a very positive approach to how people's data must be compared and handled, and that has been made with such consumer privacy act of California.
Apply of GDPR
General data protection regulation has been initiated for having control of the information. The law describes primary guidelines based on which the companies under the European Union will protect the citizens' information associated with several activities. The act was introduced and exercised in 2018. Each member of the European Union falls under the act (Mondschein and Monda, 2019). Providing data breach notification collection of consent for collecting data is included under the act.
At the GDPR heart is individual data. Vastly, this information particularly permits such a living person as directly or indirectly, recognized from available such information. This could be something certain, like the person's name, clear online username, and location data, or this could be something that might be lower than instantly apparent cookie identities and IP addresses. As per Wang et al. (2019), these as well could be considered individual data. Under the GDPR, there are also some special categories about very sensitive individual data, which are generally given greater protection. This individual data has included ethnic and racial origin, religious beliefs, political opinions, trade union membership, biometric and genetic data.
Proper classification scheme and policy statement
A data classification policy is a comprehensive plan that is specifically used to categorise an institution's information based on its sensitivity level. Confirmation can be achieved through perfect handling and the less organizational risk can be ensured through data classification. A data classification policy can recognise and support to protect confidential or sensitive data with such rules, frameworks, procedures, and processes for every class. They can recognize all kinds of information and data in their organization holds for determining the actual relative value to their self-organization that can assess all threats about their all data. They could be confirmed as confidential or sensitive data that is handled as much care with due respect about all threats that poses in the organization. As cited by Weishäupl et al. (2019), at a similar period, having the policy of data classification would confirm that they are particularly not wasting the resources to protect their data in their organization [Refer to Appendix 1].
A successful data classification policy must contain such following sections,
At a high level, a specific data classification policy has existed for supplying the framework to protect the data they have created, processed, stored, or transmitted in their organization. As contradicted by Yue, (2018), this is the main formulating foundation on particular procedures, policies, and controls essential to protect confidential data.
According to Alshaikh et al. (2018), the scope has discussed whether this specific policy has applied to all of the data and the system in the organization or whether there would be such expectations.
The major people in their organization who particularly would be involved to create the particular policy and stakeholders on the security for best practices, that can recognise the risks to data for improving controls, and keeping up-to-date of the controls and this also can confirm their all compliance with such proper data policy of classification.
In the overall study, it is concluded that the GDPR in the UK is a data privacy law, which governs the procedure of such individual data from the personal inside. The data classification policy has specifically mapped out various elements in an organization. ISO 27001 is a management security system that holds and classifies the organization's data. The GDPR act which is associated with the data classification policy and its procedure has also been discussed in this study by which the data can be secured accurately.
Alshaikh, M., Maynard, S.B., Ahmad, A. and Chang, S., 2018. An exploratory study of current information security training and awareness practices in organizations.
Banker, R.D. and Feng, C., 2019. The impact of information security breach incidents on CIO turnover. Journal of information systems, 33(3), pp.309-329.
Bliss, J.R., 2021. Fondren Library Assignment on Privacy, Censorship & Government Legislation.
Da Veiga, A., Astakhova, L.V., Botha, A. and Herselman, M., 2020. Defining organizational information security culture—Perspectives from academia and industry. Computers & Security, 92, p.101713.
Das, S., Datta, S. and Chaudhuri, B.B., 2018. Handling data irregularities in classification: Foundations, trends, and future challenges. Pattern Recognition, 81, pp.674-693.
Desuky, A.S., Elbarawy, Y.M., Kausar, S., Omar, A.H. and Hussain, S., 2022. Single-Point Crossover and Jellyfish Optimization for Handling Imbalanced Data Classification Problem. IEEE Access, 10, pp.11730-11749.
Diesch, R., Pfaff, M. and Krcmar, H., 2018. Prerequisite to measure information security. Information Management and Computer Security, 99(7), p.7.
Gschwandtner, M., Demetz, L., Gander, M. and Maier, R., 2018, August. Integrating threat intelligence to enhance an organization's information security management. In Proceedings of the 13th International Conference on Availability, Reliability and Security (pp. 1-8).
Johnston, A.C., Warkentin, M., Dennis, A.R. and Siponen, M., 2019. Speak their language: Designing effective messages to improve employees’ information security decision making. Decision Sciences, 50(2), pp.245-284.
Jung, Y. and Agulto, R., 2019. Integrated Management of Network Address Translation, Mobility and Security on the Blockchain Control Plane. Sensors, 20(1), p.69.
Kampová, K., Mäkká, K. and Zvaríková, K., 2020. Cost-benefit analysis within organization security management. In SHS Web of Conferences (Vol. 74, p. 01010). EDP Sciences.
Li, Y., Liu, R., Liu, X., Li, H. and Sun, Q., 2021, July. Research on information security risk analysis and prevention technology of network communication based on cloud computing algorithm. In Journal of Physics: Conference Series (Vol. 1982, No. 1, p. 012129). IOP Publishing.
Mondschein, C.F. and Monda, C., 2019. The EU’s General Data Protection Regulation (GDPR) in a research context. Fundamentals of clinical data science, pp.55-71.
Sauerwein, C., Pekaric, I., Felderer, M. and Breu, R., 2019. An analysis and classification of public information security data sources used in research and practice. Computers & Security, 82, pp.140-155.
Schuetz, S.W., Benjamin Lowry, P., Pienta, D.A. and Bennett Thatcher, J., 2020. The effectiveness of abstract versus concrete fear appeals in information security. Journal of Management Information Systems, 37(3), pp.723-757.
Tsaregorodtsev, A.V., Kravets, O.J., Choporov, O.N. and Zelenina, A.N., 2018. INFORMATION SECURITY RISK ESTIMATION FOR CLOUD INFRASTRUCTURE. International Journal on Information Technologies & Security, 10(4).
Wang, Z., Yao, Y., Tong, X., Luo, Q. and Chen, X., 2019. Dynamically reconfigurable encryption and decryption system design for the internet of things information security. Sensors, 19(1), p.143.
Webert, H., Döß, T., Kaupp, L. and Simons, S., 2022. Fault Handling in Industry 4.0: Definition, Process and Applications. Sensors, 22(6), p.2205.
Weishäupl, E., Yasasin, E. and Schryen, G., 2018. Information security investments: An exploratory multiple case study on decision-making, evaluation and learning. Computers & Security, 77, pp.807-823.
Yue, C., 2018. Minimizing Privilege Assignment Errors in Cloud Services.