Electronic Data & Record Management

Managing The Confidentiality: Electronic Data and Records Management (www.greenleafinstitute.com)

Uploaded by greenleafinst, posted 18-Nov-2014

DESCRIPTION

To ensure that electronic documentation & records are accessible only to those who are authorized, and restricted from the rest. Nevertheless, there is a necessity to balance this against the enterprise need to use and share the information.

TRANSCRIPT

Page 1: Electronic data & record management

Managing The Confidentiality: Electronic Data and Records Management

www.greenleafinstitute.com

Page 2

Objectives of this Module

With this module, it is expected that the reader will:

Understand the general concept of confidentiality and intangible assets

Appreciate the risks of data leaks to individuals and organizations

Acknowledge the need for information classification through contractual elements and self-management

Learn how to conduct information classification

Page 3

Outline

Confidentiality: what matters for your organization
    Intangible assets & liability
    Organizational reputation
    Overwhelming data

Confidentiality infringement & risks
    Case studies
    Risk management

Information classification
    Objectives & guidelines
    Who plays a role?
    Information handling: creation, update, transmission, publication, deletion
    Classification scheme & data handling matrix

Page 4

What Constitutes Confidential Information?

Economic value of its existence?
    Intangible asset
    Competitive advantage
    Strategic value

Associated risk when leaking it?
    Business disruption
    Diminishing competitiveness
    Degrading reputation

Something you don’t want to see in the media headlines?

Page 5

Overwhelming Information & Data Records

Confidentiality & EDRM

Examples of information that may need protection:

Health Insurance Records

Product Pricing

Human Capital

Salary Data

Credit History

Management Changes

Costs

Profits

Vendor Information

Shareholders Data

Operating Plans

Customer Data

Marketing Plans

Business Plans

Trade Secrets

Trademarks

Patents

Copyright

Main concern: to ensure that electronic documentation & records are accessible only to those who are authorized, and restricted from the rest.

Nevertheless, there is a necessity to balance this against the enterprise need to use and share the information…

Page 6

What causes infringement of confidentiality?

Accident & negligence

Natural causes

Malicious attack: internal & external factors

Awareness problems

Page 7

Case 1 – US: When disposal is not disposal

Secure disposal of computer media is by now a fairly well known requirement. It is widely, although not universally, practiced. An uncontrolled disposal, however, can prove fatal. Stories of competitors, or their agents, retrieving old diskettes, CDs, listings, etc. from garbage bins are rife.

A network was uncovered which specialized in the recovery and sale of corporate data. One of their methods was to purchase old tapes and diskettes from large companies and then restore the data using their own recovery software. This was then discreetly offered for sale to selected competitors!

The hardware fault was not always terminal for the data stored.

Page 8

Case 2 – India: Outsourcing breach

A British undercover reporter revealed that they had managed to obtain a bulk of confidential details on a thousand British bank accounts, including addresses, passwords, phone numbers, and passport and driving licence details.

This confidential data was purchased for £3 per customer. Financial institutions such as Barclays, Lloyds TSB, the Nationwide and HSBC were affected.

The Sun’s Delhi-based contact boasted that he could sell details of up to 200,000 accounts each month, said the newspaper.

Page 9

Case 3 – US: Banking critical data loss

Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data.

The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and that staff were untrained on the issue of identity theft.

The FSA said that, in April 2007, HSBC Actuaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.

Page 10

Risk Management

Contractual risk management
    Contracting: employment, outsourcing, S&P, SLA, JV…
    Non-disclosure agreement (NDA)

EDRM confidentiality policy
    Greater information security policy
    Information classification matrix & guidelines
    Information labeling and handling measures

Page 11

Contractual Risk Management

Confidentiality shall be clearly provided for in the various contractual arrangements by imposing and enforcing non-disclosure agreements (NDAs):

Employment contract: employees’ liability

SLA: reminding vendors & outsourcing service providers of their confidentiality liability

Page 12

Information Classification

Objective: To ensure that information assets receive an appropriate level of protection according to their level of sensitivity and criticality

Information should be classified to indicate the needs, priorities and degree of protection

An information classification system should be used to define an appropriate set of protection levels and the needs for special handling measures

The classification is a shorthand way of determining how information is to be handled and protected

Page 13

Why Classify Information

[Chart: share of all enterprise information by classification]
    10% Public Information
    80% Internal Use Information
    10% Confidential Information

Page 14

Information Classification Lifecycle

[Figure: information classification lifecycle]

Page 15

Who Plays a Role?

[Figure: roles in information classification]
    Creator/Developer
    Owner
    User

Page 16

Who Plays a Role?

Responsibilities of the originator or nominated owner of information:

Defining the classification of an item of information

Periodically reviewing that classification

Information labeling and handling measures

Page 17

Information Labeling & Handling

Output from systems containing sensitive or critical information should carry an appropriate classification label. This applies to information output in both physical and electronic forms.

For each classification, handling procedures should be defined to cover the following types of information processing activity:

Copying

Storage

Transmission by post, fax, email, etc.

Transmission by spoken word, including mobile phone, voicemail, answering machine

Destruction

Page 18

FOUR Classification Rules

1. MYOB – MIND YOUR ORGANIZATION’S BUSINESS. Take into account the business needs for sharing or restricting information and the business impact associated with such needs. Outputs of classified data should be labeled in terms of their value and sensitivity to the organization.

2. FLEXIBILITY. Accept the fact that the classification is not fixed for all time; it may change according to a predetermined policy.

3. SIMPLICITY. Consider an appropriate and practical number of classification categories. An overly complex scheme may become cumbersome, uneconomic and impractical. Avoid over-classification.

4. FAMILIARITY. Make the policy and guidelines known to everybody involved in the whole information lifecycle – and that includes outsiders.

Page 19

Information Classification

It is advisable to restrict the number of information classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult.

The following five levels of classification cover most eventualities:

Page 20

Information Classification (cont’d)

Top Secret:

Highly sensitive internal documents, e.g. impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public.

Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.

Page 21

Information Classification (cont’d)

Highly Confidential:

Information which is considered critical to the organization’s ongoing operations and could seriously impede them if made public or shared internally. Such information includes accounting information, business plans, sensitive customer information (e.g. held by banks), patients’ medical records, and similar highly sensitive data.

Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.

Page 22

Information Classification (cont’d)

Proprietary:

Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates.

Such information is normally for proprietary use by authorized personnel only. Security at this level is high.

Page 23

Information Classification (cont’d)

Internal Use Only:

Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility.

Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.

Page 24

Information Classification (cont’d)

Public Documents:

Information in the public domain: annual reports, press statements etc. which have been approved for public use.

Security at this level is minimal.

Page 25

Designing the Information Classification Matrix

A. Classification definitions & examples

B. Types of information (structured & unstructured)

C. Information protection roles (who does what)

D. Definition of risk zones & their protection measures

E. Handling & labeling procedure

Page 26

Checklist

General information security policy ______

Information classification matrix ______

Info handling & labeling procedure ______

Confidentiality/NDA provision within:
    Employment contract ________
    Outsourcing contract ________
    Joint ventures agreement ________
    Service level agreement ________
    Standard operating procedures ________
    E-mail signatures ________
    Presentation materials, e-records, etc. ________

Page 27

THANK YOU.

Copyright: www.greenleafinstitute.com