NAC, ID 2.0 and Other Top Issues
May 14, 2008, Washington, D.C.

Rapid Roll-Out of an Asset Classification Program

Tom Peltier

Not all information resources require the same level of control. Today's economic climate dictates that security's limited resources be focused on the assets deliberately selected for protection. An effective asset classification program provides the foundation for this resource-leveraged approach to security.

During this workshop, the instructor will lead a number of facilitated exercises in which attendees will:

  1. Draft an initial information classification policy
  2. Create an information handling matrix
  3. Learn a formal process that allows business units to classify their own information

Day 1

GETTING STARTED – An enterprise-wide information classification policy defines how information assets are to be protected, provides guidance to employees on how to classify information assets and encourages the proper handling of sensitive information in whatever form or media it exists.

The seminar will begin with an examination of the National Institute of Standards and Technology's (NIST) recommended structure of a topic-specific policy. We'll flesh out the information classification policy using standards recommended in the Information Security Standard ISO 17799 (Asset Classification 5.1.1). Attendees will then explore and critique some current examples of information classification policies.

POLICY STATEMENT DEVELOPMENT – After critiquing a few existing policies, attendees will break up into groups and develop a draft asset classification policy, which we'll critique and edit together. Attendees will receive a copy of each of the final policies completed by the groups.

EMPLOYEES' RESPONSIBILITIES – Who will be responsible for assigning the classification category to each asset? We'll explore the elements of a policy on employee responsibility, examining different examples, and defining the terms owner, custodian and user.

Day 2

INFORMATION CLASSIFICATION METHODOLOGY – An effective information classification process will provide management and employees with a method for identifying information assets as well as guidance on how the information should be classified. This can be achieved through brainstorming, keeping a daily activity log of information records used during normal business, or completing an information records worksheet. We'll examine the pros and cons of each method, giving attendees examples of each process to use at their workplace.

INFORMATION HANDLING MATRIX – We'll create a set of standards giving employees clear-cut guidance on how to handle information based on its classification level. We'll use existing examples as attendees review the material and identify modifications needed for their organization.
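A handling matrix is only useful if it is complete and internally consistent: every classification level needs a control for every activity, and a higher level must never be handled less strictly than a lower one. The following Python is an added example, not material from the workshop or from the instructor. The level names, activities and controls are constructed for illustration, and the choice to treat an unlabelled asset as Confidential is an assumption that each organization sets in its own policy.

```python
"""Information handling matrix with a consistency check (added example)."""
from __future__ import annotations

import copy

# Classification levels ordered from least to most sensitive.
# Constructed for this example; a real policy defines its own levels.
LEVELS = ("Public", "Internal", "Confidential", "Restricted")

# For each handling activity, the permitted controls ordered from least
# to most strict. A higher index means a stricter control.
CONTROL_ORDER = {
    "email":   ("allowed", "internal_only", "encrypted", "prohibited"),
    "storage": ("any", "access_controlled", "encrypted", "encrypted_approved_system"),
    "print":   ("allowed", "cover_sheet", "prohibited"),
    "dispose": ("recycle", "shred", "certified_destruction"),
}

# The handling matrix: classification level -> activity -> required control.
HANDLING_MATRIX = {
    "Public":       {"email": "allowed",       "storage": "any",
                     "print": "allowed",       "dispose": "recycle"},
    "Internal":     {"email": "internal_only", "storage": "access_controlled",
                     "print": "allowed",       "dispose": "shred"},
    "Confidential": {"email": "encrypted",     "storage": "encrypted",
                     "print": "cover_sheet",   "dispose": "shred"},
    "Restricted":   {"email": "prohibited",    "storage": "encrypted_approved_system",
                     "print": "prohibited",    "dispose": "certified_destruction"},
}


def strictness(activity: str, control: str) -> int:
    """Rank of a control within its activity; raises ValueError if unknown."""
    return CONTROL_ORDER[activity].index(control)


def validate_matrix(matrix: dict) -> list[str]:
    """Return a list of problems found in a handling matrix (empty if sound).

    Checks that every level has a control for every activity, that each
    control is a known one, and that strictness never decreases as the
    classification level rises.
    """
    problems: list[str] = []
    for level in LEVELS:
        row = matrix.get(level)
        if row is None:
            problems.append(f"missing row for level {level}")
            continue
        for activity in CONTROL_ORDER:
            if activity not in row:
                problems.append(f"{level}: no control defined for {activity}")
            elif row[activity] not in CONTROL_ORDER[activity]:
                problems.append(f"{level}/{activity}: unknown control {row[activity]!r}")
    if problems:
        return problems  # structural problems make the ordering check meaningless
    for activity in CONTROL_ORDER:
        for lower, higher in zip(LEVELS, LEVELS[1:]):
            if strictness(activity, matrix[higher][activity]) < strictness(activity, matrix[lower][activity]):
                problems.append(
                    f"{activity}: {higher} ({matrix[higher][activity]}) is less strict "
                    f"than {lower} ({matrix[lower][activity]})"
                )
    return problems


def required_control(level: str | None, activity: str,
                     matrix: dict = HANDLING_MATRIX,
                     default_level: str = "Confidential") -> str:
    """Look up the handling control for an asset at `level`.

    An asset with no label (None) is treated as `default_level`. Defaulting
    to Confidential is an assumption made for this example, not a rule from
    the workshop material.
    """
    if level is None:
        level = default_level
    if level not in LEVELS:
        raise ValueError(f"unknown classification level {level!r}")
    return matrix[level][activity]


def inconsistent_example() -> list[str]:
    """Show the check catching a matrix where Restricted may be printed freely."""
    broken = copy.deepcopy(HANDLING_MATRIX)
    broken["Restricted"]["print"] = "allowed"
    return validate_matrix(broken)


if __name__ == "__main__":
    print("problems in reference matrix:", validate_matrix(HANDLING_MATRIX))
    print("unlabelled asset, print:", required_control(None, "print"))
    for problem in inconsistent_example():
        print("caught:", problem)
```

The ordering check is the part that earns its keep: a matrix edited by several business units over time tends to drift, and a single cell that lets Restricted material be handled more loosely than Confidential is exactly the kind of error that reads fine in a spreadsheet but undermines the policy.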

You Will Learn How To:

  1. Identify the four essential elements of information classification
  2. Create an information classification policy
  3. Establish information records to be used in selling the classification program to others
  4. Identify employees' responsibilities
  5. Create an information classification methodology

You Will Leave With:

  1. Draft information classification policy
  2. Methodology to allow business units to classify information assets on their own
  3. Information handling matrix