The document outlines a 7-step process for organizations to protect confidential information: 1) Assess information loss and compromise risks; 2) Identify and classify confidential information; 3) Develop policies and procedures; 4) Deploy technologies to enable policy compliance; 5) Communicate and educate stakeholders; 6) Integrate practices into business processes; and 7) Audit to ensure accountability. The first step involves determining an information protection strategy through risk assessment surveys and identifying technical risks with software.
Perform 7 Steps To Information Protection
Document created: 18/03/2010 11:17:14
18/03/2010 11:17:14 Perform 7 steps to information protection 1
Table of Contents
1 Perform 7 steps to information protection (p. 4)
1.1 Meet Compliancy regulations (p. 5)
1.2 Maximize Data security (p. 5)
1.3 Safeguard Intellectual property (p. 5)
1.1 Assess information Loss & compromise risks (p. 5)
1.1.1 Determine info protection Strategy approach & priorities (p. 5)
1.1.1.1 Conduct a Risk assessment and survey (p. 6)
1.1.1.1.1 Identify which Info should be protected (p. 7)
1.1.1.1.2 Distinguish Types of confidential information (p. 7)
1.1.1.1.2.1 Apply Classifications (p. 7)
1.1.1.1.3 Determine Perceived risks (p. 7)
1.1.1.1.4 Identify Existing info protection (p. 7)
1.1.1.1.4.1 Identify Policies (p. 8)
1.1.1.1.4.2 Identify Procedures (p. 8)
1.1.1.1.4.3 Identify Practices (p. 8)
1.1.1.1.5 Identify high risk Business processes (p. 9)
1.1.1.1.6 Determine awareness of Incidents of info vulnerability (p. 9)
1.1.1.1.7 Understand the Organization's risk tolerance (p. 9)
1.1.1.1.8 Understand the company's related Priorities & preferences (p. 9)
1.1.1.1.9 Quantify & qualify the risk of Confidential information loss (p. 10)
1.1.1.2 Implement software to identify Technical risk (p. 10)
1.1.1.2.1 Locate Confidential data on network (p. 11)
1.1.1.2.2 Determine who has Access (p. 11)
1.1.1.2.3 Demonstrate Internal information flow (p. 11)
1.1.1.2.4 Collate evidence of Unauthorized info transfer (p. 11)
1.1.1.2.5 Identify High risk business processes (p. 11)
1.1.1.2.6 Document At-risk confidential data (p. 12)
1.1.1.2.7 Quantify Risk of non-compliance (p. 12)
1.1.1.2.8 Provide a record of Internal / external info flow (p. 12)
1.2 Identify & classify Confidential information (p. 12)
1.2.1 Define Confidential information (p. 13)
1.2.1.1 Use best practices to update Information classifications (p. 13)
1.2.1.2 Identify Confidential information (p. 13)
1.2.1.3 Apply Classifications (p. 13)
1.2.2 Assign Levels of protection (p. 14)
1.2.2.1 Use Classifications (p. 14)
1.3 Develop Policies & procedures (p. 14)
1.3.1 Define Responsibilities for protection (p. 14)
1.3.1.1 Compare existing Policies to best practices (p. 14)
1.3.1.2 Develop Policy updates (p. 15)
1.3.1.2.1 Base them on Best-in-class models (p. 15)
1.4 Deploy technologies that enable Policy compliance & enforcement (p. 15)
1.4.1 Review Compliance technology (p. 15)
1.4.1.1 Compare Technology solutions (p. 16)
1.4.1.1.1 Assess the Costs (p. 16)
1.4.1.1.2 Assess the Benefits (p. 16)
1.4.2 Adopt & deploy Policy compliance technology (p. 16)
1.4.2.1 Choose technology with Automatic enforcement (p. 17)
1.5 Communicate & educate a Compliance culture (p. 17)
1.5.1 Inform people of their Information responsibilities (p. 17)
1.5.1.1 Draft Key messages (p. 17)
1.5.1.2 Develop Training (p. 18)
1.5.2 Motivate Information protection behaviour (p. 18)
1.5.2.1 Establish an ongoing Communication campaign (p. 18)
1.6 Integrate practices into Business processes (p. 18)
1.6.1 Identify Key Processes where info is at risk (p. 19)
1.6.2 Develop a plan to integrate Info policy into those processes (p. 19)
1.7 Audit to ensure Stakeholder accountability (p. 19)
1.7.1 Examine current Practices & remediate deficiencies (p. 19)
1.7.1.1 Establish Audit parameters & methodology (p. 20)
1.7.1.2 Conduct Audit (p. 20)
1.7.1.2.1 Assess Compliance with info policies (p. 20)
1 Perform 7 steps to information protection

WHY: Meet Compliancy regulations; Maximize Data security; Safeguard Intellectual property
HOW: Assess information Loss & compromise risks; Identify & classify Confidential information; Develop Policies & procedures; Deploy technologies that enable Policy compliance & enforcement; Communicate & educate a Compliance culture; Integrate practices into Business processes; Audit to ensure Stakeholder accountability

From: http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_vontu_7_steps_to_information_protection_01-2009.en-us.pdf

"Vulnerability, risk, and information protection challenges

Every organization is at risk of confidential information loss. Billions of dollars worth of profits, competitive advantage, reputation, and market share are at stake. Today's highly competitive business environment intensifies the vulnerability and risk. Global operations, with outsourced and off-shored business functions, spread the vulnerability. Tools for accessing and distributing information, such as the Internet and mobile computing devices, exacerbate the risk.

Information vulnerability and risk come from both malicious and unintentional disclosures by employees and partners; unintentional disclosures are usually the larger problem. Reducing these risks and vulnerabilities is now both a business imperative and a legal mandate as recent regulations impose obligations on organizations to protect certain types of information.

Global corporations and government organizations require more than network security and access control to guard their confidential data. They must protect the information itself, inform the behavior of those carrying the information, have visibility regarding where their confidential data resides on their network, have influence over where that data is going, and implement a policy for managing it. A strategy that balances the organization's legal and business needs to protect information with the competing interests to share it is vital.

7 steps to information protection

Information protection strategy best practices involve a cross-functional team that:
1. Assesses risks
2. Identifies and classifies confidential information
3. Develops information protection policies and procedures
4. Deploys technologies that enable policy compliance and enforcement
5. Communicates and educates stakeholders to create a compliance culture
6. Integrates information protection practices into business processes
7. Audits so that stakeholders are held accountable."
1.1 Meet Compliancy regulations
[The author has not attached any text yet.]

1.2 Maximize Data security
[The author has not attached any text yet.]

1.3 Safeguard Intellectual property
[The author has not attached any text yet.]

1.1 Assess information Loss & compromise risks
HOW: Determine info protection Strategy approach & priorities

1.1.1 Determine info protection Strategy approach & priorities
[The author has not attached any text yet.]
HOW: Conduct a Risk assessment and survey; Implement software to identify Technical risk

1.1.1.1 Conduct a Risk assessment and survey
[The author has not attached any text yet.]
HOW: Identify which Info should be protected; Distinguish Types of confidential information; Determine Perceived risks; Identify Existing info protection; Identify high risk Business processes; Determine awareness of Incidents of info vulnerability; Understand the Organization's risk tolerance; Understand the company's related Priorities & preferences; Quantify & qualify the risk of Confidential information loss
1.1.1.1.1 Identify which Info should be protected
[The author has not attached any text yet.]

1.1.1.1.2 Distinguish Types of confidential information
[The author has not attached any text yet.]
HOW: Apply Classifications

1.1.1.1.2.1 Apply Classifications
[The author has not attached any text yet.]

1.1.1.1.3 Determine Perceived risks
[The author has not attached any text yet.]

1.1.1.1.4 Identify Existing info protection
[The author has not attached any text yet.]
HOW: Identify Policies; Identify Procedures; Identify Practices

1.1.1.1.4.1 Identify Policies
[The author has not attached any text yet.]

1.1.1.1.4.2 Identify Procedures
[The author has not attached any text yet.]

1.1.1.1.4.3 Identify Practices
[The author has not attached any text yet.]
1.1.1.1.5 Identify high risk Business processes
[The author has not attached any text yet.]

1.1.1.1.6 Determine awareness of Incidents of info vulnerability
[The author has not attached any text yet.]

1.1.1.1.7 Understand the Organization's risk tolerance
[The author has not attached any text yet.]

1.1.1.1.8 Understand the company's related Priorities & preferences
[The author has not attached any text yet.]

1.1.1.1.9 Quantify & qualify the risk of Confidential information loss
[The author has not attached any text yet.]

1.1.1.2 Implement software to identify Technical risk
[The author has not attached any text yet.]
HOW: Locate Confidential data on network; Determine who has Access; Demonstrate Internal information flow; Collate evidence of Unauthorized info transfer; Identify High risk business processes; Document At-risk confidential data; Quantify Risk of non-compliance; Provide a record of Internal / external info flow
1.1.1.2.1 Locate Confidential data on network
[The author has not attached any text yet.]

1.1.1.2.2 Determine who has Access
[The author has not attached any text yet.]

1.1.1.2.3 Demonstrate Internal information flow
[The author has not attached any text yet.]

1.1.1.2.4 Collate evidence of Unauthorized info transfer
[The author has not attached any text yet.]

1.1.1.2.5 Identify High risk business processes
[The author has not attached any text yet.]

1.1.1.2.6 Document At-risk confidential data
[The author has not attached any text yet.]

1.1.1.2.7 Quantify Risk of non-compliance
[The author has not attached any text yet.]

1.1.1.2.8 Provide a record of Internal / external info flow
[The author has not attached any text yet.]

1.2 Identify & classify Confidential information
[The author has not attached any text yet.]
HOW: Define Confidential information; Assign Levels of protection
1.2.1 Define Confidential information
[The author has not attached any text yet.]
HOW: Use best practices to update Information classifications; Identify Confidential information; Apply Classifications

1.2.1.1 Use best practices to update Information classifications
[The author has not attached any text yet.]

1.2.1.2 Identify Confidential information
[The author has not attached any text yet.]

1.2.1.3 Apply Classifications
[The author has not attached any text yet.]

1.2.2 Assign Levels of protection
[The author has not attached any text yet.]
HOW: Use Classifications

1.2.2.1 Use Classifications
[The author has not attached any text yet.]

1.3 Develop Policies & procedures
[The author has not attached any text yet.]
HOW: Define Responsibilities for protection

1.3.1 Define Responsibilities for protection
[The author has not attached any text yet.]
HOW: Compare existing Policies to best practices; Develop Policy updates

1.3.1.1 Compare existing Policies to best practices
[The author has not attached any text yet.]

1.3.1.2 Develop Policy updates
[The author has not attached any text yet.]
HOW: Base them on Best-in-class models

1.3.1.2.1 Base them on Best-in-class models
[The author has not attached any text yet.]

1.4 Deploy technologies that enable Policy compliance & enforcement
[The author has not attached any text yet.]
HOW: Review Compliance technology; Adopt & deploy Policy compliance technology

1.4.1 Review Compliance technology
[The author has not attached any text yet.]
HOW: Compare Technology solutions
1.4.1.1 Compare Technology solutions
[The author has not attached any text yet.]
HOW: Assess the Costs; Assess the Benefits

1.4.1.1.1 Assess the Costs
[The author has not attached any text yet.]

1.4.1.1.2 Assess the Benefits
[The author has not attached any text yet.]

1.4.2 Adopt & deploy Policy compliance technology
[The author has not attached any text yet.]
HOW: Choose technology with Automatic enforcement

1.4.2.1 Choose technology with Automatic enforcement
[The author has not attached any text yet.]

1.5 Communicate & educate a Compliance culture
[The author has not attached any text yet.]
HOW: Inform people of their Information responsibilities; Motivate Information protection behaviour

1.5.1 Inform people of their Information responsibilities
[The author has not attached any text yet.]
HOW: Draft Key messages; Develop Training

1.5.1.1 Draft Key messages
[The author has not attached any text yet.]
1.5.1.2 Develop Training
[The author has not attached any text yet.]

1.5.2 Motivate Information protection behaviour
[The author has not attached any text yet.]
HOW: Establish an ongoing Communication campaign

1.5.2.1 Establish an ongoing Communication campaign
[The author has not attached any text yet.]

1.6 Integrate practices into Business processes
[The author has not attached any text yet.]
HOW: Identify Key Processes where info is at risk; Develop a plan to integrate Info policy into those processes

1.6.1 Identify Key Processes where info is at risk
[The author has not attached any text yet.]

1.6.2 Develop a plan to integrate Info policy into those processes
[The author has not attached any text yet.]

1.7 Audit to ensure Stakeholder accountability
[The author has not attached any text yet.]
HOW: Examine current Practices & remediate deficiencies

1.7.1 Examine current Practices & remediate deficiencies
[The author has not attached any text yet.]
HOW: Establish Audit parameters & methodology; Conduct Audit

1.7.1.1 Establish Audit parameters & methodology
[The author has not attached any text yet.]

1.7.1.2 Conduct Audit
[The author has not attached any text yet.]
HOW: Assess Compliance with info policies

1.7.1.2.1 Assess Compliance with info policies
[The author has not attached any text yet.]