The above policy is the minimum requirement to proceed with developing and implementing a data classification program. Additional policies may be required, such as an Information Management Policy which supports the Information Security Policy. The ISO should consider developing this policy, and integrating it with the Information Security Policy. This policy would:

•  Define information as an asset of the business unit,

•  Declare local business managers as the owners of information,

•  Establish Information Systems as the custodians of corporate information,

•  Clearly define roles and responsibilities of those involved in the ownership and classification of information,

•  Define the classifications and criteria that must be met for each,

•  Determine the minimum range of controls to be established for each classification.

By defining these elements in a separate Information Management Policy, the ground-work is established for defining a corporate information architecture, the purpose of which is to build a framework for integrating all the strategic information in the company. This architecture can be used later in the enablement of larger, more strategic corporate applications.

The supporting processes, procedures, and standards required to implement the Information Security and Information Management policies must be defined at an operational level and be as seamless as possible. These are the “mechanical” portions of the policies, and represent the day-to-day activities that must take place to implement the policies. These include but are not limited to:

•  The process to conduct a Business Impact Analysis.

•  Procedures to classify the information, both initially after the BIA has been completed, and to change the classification later, based on business need.

•  The process to communicate the classification to I/S in a timely manner so the controls can be applied to the data and software for that classification.

•  The process to periodically review:

—  Current classification to determine if it is still valid.

—  Current access rights of individuals and/or groups who have access to a particular resource.

—  Controls in effect for a classification to determine their effectiveness.

—  Training requirements for new data owners.

•  The procedures to notify custodians of any change in classification or access privileges of individuals or groups.

The appropriate policies are required as a first step in the development of a Data Classification program. The policies provide the ISO with the necessary authority and mandate to develop and implement the program. Without it, the ISO will have an extremely difficult time obtaining the funding and necessary support to move forward. In addition to the policies, the ISO should solicit the assistance and support of both the Legal Department and Internal Audit. If a particular end-user department has some particularly sensitive data, their support would also provide some credibility to the effort.

BUSINESS IMPACT ANALYSIS

The next step in this process is to conduct a high-level business impact analysis on the major business functions within the company. Eventually this process should be carried out on all business functions, but initially it must be done on the business functions deemed most important to the organization.

A critical success factor in this effort is to obtain corporate sponsorship. An executive who supports the project, and may be willing to be the first whose area is analyzed, could help persuade others to participate, especially if the initial effort is highly successful and there is perceived value in the process.

A Study Team comprised of individuals from Information Security, Information Systems (application development and support), Business Continuity Planning, and business unit representatives should be formed to conduct the initial impact analysis. Others that may want to participate could include Internal Audit and Legal.

The Business Impact Analysis process is used by the team to:

•  Identify major functional areas of information (i.e., human resources, financial, engineering, research and development, marketing, etc.).

•  Analyze the threats associated with each major functional area. This could be as simple as identifying the risks associated with loss of confidentiality, integrity, or availability, or get into more detail with specific threats of computer virus infections, denial of service attacks, etc.

•  Determine the risk associated with the threat (i.e., the threat could be disclosure of sensitive information, but the risk could be low because of the number of people who have access, and the controls that are imposed on the data).

•  Determine the effect of loss of the information asset on the business (this could be financial, regulatory impacts, safety, etc.) for specific periods of unavailability — one hour, one day, two days, one week, a month.

•  Build a table detailing the impact of loss of the information (as shown in Exhibit 2 — Business Impact Analysis)

•  Prepare a list of applications that directly support the business function (i.e., Human Resources could have personnel, medical, payroll files, skills inventory, employee stock purchase programs, etc.) This should be part of Exhibit 2.

Exhibit 2.  Business Impact Analysis

From the information gathered, the team can determine universal threats that cut across all business functional boundaries. This exercise can help place the applications in specific categories or classifications with a common set of controls to mitigate the common risks. In addition to the threats and their associated risks, sensitivity of the information, ease of recovery, and criticality must be considered when determining the classification of the information.