Electronic data & record management
+Managing Confidentiality: Electronic Data and Records Management
www.greenleafinstitute.com
+Objectives of this Module
With this module, it is expected that the reader will:
Understand the general concept of confidentiality and intangible assets
Appreciate the risks of data leaks to individuals and organizations
Acknowledge the need for information classification, through both contractual elements and self-management
Learn how to conduct information classification
+Outline
Confidentiality: what matters for your organization
  Intangible assets & liability
  Organizational reputation
  Overwhelming data
Confidentiality infringement & risks
  Case studies
  Risk management
Information classification
  Objectives & guidelines
  Who is to play a role?
  Information handling: creation, update, transmission, publication, deletion
  Classification scheme & data handling matrix
+What Constitutes Confidential Information?
Economic value of its existence? Intangible asset, competitive advantage, strategic value.
Associated risk when leaking it? Business disruption, diminishing competitiveness, degrading reputation.
Something you don’t want to see in the media headlines?
+Overwhelming Information & Data Records
Confidentiality & EDRM
Examples of information an enterprise holds (from the slide’s word cloud):
Health Insurance Records
Product Pricing
Human Capital
Salary Data
Credit History
Management Changes
Costs
Profits
Vendor Information
Shareholders Data
Operating Plans
Customer Data
Marketing Plans
Business Plans
Trade Secrets
Trademarks
Patents
Copyright
Main concern: to ensure that electronic documentation & records are accessible only to those who are authorized, and restricted from everyone else.
Nevertheless, this must be balanced against the enterprise’s need to use and share the information…
+What causes infringements of confidentiality?
Accident & negligence
Natural causes
Malicious attack: internal & external factors
Awareness problems
+Case 1 – US: When disposal is not disposal
Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally, practiced. An uncontrolled disposal, however, can prove fatal. Stories of competitors, or their agents, retrieving old diskettes/CDs/listings/etc. from garbage bins are rife.
A network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!
The hardware fault was not always terminal for the data stored.
+Case 2 – India: Outsourcing breach
A British undercover reporter revealed that he had managed to obtain bulk confidential details of a thousand British bank accounts, including addresses, passwords, phone numbers, and passport and driving licence details.
This confidential data was purchased for £3 per customer. Financial institutions such as Barclays, Lloyds TSB, the Nationwide and HSBC were affected.
The Sun’s Delhi-based contact boasted that he could sell details of up to 200,000 accounts each month, said the newspaper.
+Case 3 – US: Banking critical data loss
Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.
The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft.
The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.
+Risk Management
Contractual risk management
  Contracting: employment, outsourcing, S&P, SLA, JV…
  Non-disclosure agreement (NDA)
EDRM confidentiality policy
  Greater information security policy
  Information classification matrix & guidelines
  Information labeling and handling measures
+Contractual Risk Management
Confidentiality obligations should be clearly provided for in the various contractual arrangements by imposing and enforcing non-disclosure agreements (NDAs):
Employment contract: employees’ liability
SLA: reminding vendors & outsourcing service providers of their confidentiality liability
+Information Classification
Objective: to ensure that information assets receive an appropriate level of protection according to their level of sensitivity and criticality
Information should be classified to indicate the needs, priorities and degree of protection
An information classification system should be used to define an appropriate set of protection levels and the needs for special handling measures
The classification is a shorthand way of determining how information is to be handled and protected
+Why Classify Information
Chart: of 100% of all enterprise information, roughly 80% is Internal Use information, 10% is Public information and 10% is Confidential information.
Diagram: Information Classification Lifecycle
+Who Is to Play a Role?
Roles: User, Creator/Developer, Owner
+Who Is to Play a Role?
Responsibilities of the originator or nominated owner of information:
Defining the classification of an item of information
Periodically reviewing that classification
Information labeling and handling measures
+Information Labeling & Handling
Output from systems containing sensitive or critical information should carry an appropriate classification label. This applies to information output in both physical and electronic forms.
For each classification, handling procedures should be defined to cover the following types of information processing activity:
Copying
Storage
Transmission by post, fax, email, etc.
Transmission by spoken word, including mobile phone, voicemail, answering machine
Destruction
+FOUR Classification Rules
1. MYOB – MIND YOUR ORGANIZATION’S BUSINESS. Take into account the business needs for sharing or restricting information and the business impact associated with those needs. Outputs of classified data should be labeled in terms of their value and sensitivity to the organization.
2. FLEXIBILITY. Accept the fact that the classification is not fixed for all time; it may change according to a predetermined policy.
3. SIMPLICITY. Consider an appropriate and practical number of classification categories. An overly complex scheme may become cumbersome, uneconomic and impractical. Avoid over-classification.
4. FAMILIARITY. Make the policy and guidelines known to everybody involved in the whole information lifecycle – and that includes outsiders.
+Information Classification
It is advisable to restrict the number of information classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult.
The following five levels of classification cover most eventualities:
+Information Classification (cont’d)
Top Secret:
Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public.
Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
+Information Classification (cont’d)
Highly Confidential:
Information which is considered critical to the organization’s ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive information about bank customers, patients’ medical records, and similar highly sensitive data.
Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.
+Information Classification (cont’d)
Proprietary:
Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.
Such information is normally for proprietary use by authorized personnel only. Security at this level is high.
+Information Classification (cont’d)
Internal Use Only:
Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility.
Examples include internal memos, minutes of meetings and internal project reports. Security at this level is controlled but normal.
+Information Classification (cont’d)
Public Documents:
Information in the public domain: annual reports, press statements etc. which have been approved for public use.
Security at this level is minimal.
+Designing the information classification matrix
A. Classification definitions & examples
B. Types of information (structured & unstructured)
C. Information protection roles (who does what)
D. Definition of risk zones & their protection measures
E. Handling & labeling procedure
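As an added example (not part of the Greenleaf slides), the five classification levels and the handling activities listed above can be expressed as a small data-handling matrix that a records system could enforce: each request names a level and an activity, and the check returns a decision with the reason. The concrete rules are an illustration of the deck’s guidance (owner authority for copying Highly Confidential material, encryption for anything sent on media or by email, secure destruction, no external distribution) and would come from the organization’s own matrix in practice.

```python
from dataclasses import dataclass

# The deck's five levels, ordered from least to most sensitive.
LEVELS = ["Public", "Internal Use Only", "Proprietary",
          "Highly Confidential", "Top Secret"]
TRANSMISSIONS = {"email", "post", "fax", "spoken"}


@dataclass
class HandlingRequest:
    level: str
    activity: str                     # copy | storage | email | post | fax | spoken | destroy
    internal_recipient: bool = True   # stays under the organization's control
    encrypted: bool = False           # the control that was missing in Case 3
    owner_authority: bool = False     # specific approval by the information owner
    secure_destruction: bool = False  # wiped/shredded rather than binned (Case 1)


def rank(level: str) -> int:
    """Position of a level in the scheme; raises ValueError for unknown labels."""
    return LEVELS.index(level)


def evaluate(req: HandlingRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for one handling request. Rules are constructed for illustration."""
    r = rank(req.level)
    if r == rank("Public"):
        return True, "public information: minimal controls"
    if req.activity in TRANSMISSIONS or req.activity == "copy":
        if not req.internal_recipient:
            return False, f"{req.level} must not leave the organization"
    if req.activity in TRANSMISSIONS:
        if req.level == "Top Secret":
            return False, "Top Secret has very restricted distribution: not transmitted by this channel"
        if r >= rank("Proprietary") and req.activity != "spoken" and not req.encrypted:
            return False, f"{req.level} must be encrypted when sent by {req.activity}"
    if req.activity == "copy" and r >= rank("Highly Confidential") and not req.owner_authority:
        return False, f"copying {req.level} requires the owner's specific authority"
    if req.activity == "destroy" and r >= rank("Proprietary") and not req.secure_destruction:
        return False, f"{req.level} requires secure destruction"
    return True, "permitted under the handling matrix"


def label(level: str, text: str) -> str:
    """Prefix output with its classification label, as the labeling slide requires."""
    rank(level)  # validate the label before using it
    return f"[{level.upper()}]\n{text}"
```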
+Checklist
General information security policy ______
Information classification matrix ______
Information handling & labeling procedure ______
Confidentiality/NDA provision within:
  Employment contract ________
  Outsourcing contract ________
  Joint ventures agreement ________
  Service level agreement ________
  Standard operating procedures ________
  E-mail signatures ________
  Presentation materials, e-records, etc. ________
+THANK YOU.
Copyright: www.greenleafinstitute.com