Step 1: Determine and evaluate IT assets
Three types of assets must be identified.
Physical
- Computer hardware and software resources
- Building facilities
- Resources used to house sensitive assets or process sensitive information
Information
The information category includes sensitive data about the company's operations, plans, and strategies: marketing and sales plans, detailed financial data, trade secrets, personnel records, IT infrastructure documentation, user accounts and passwords, sensitive office correspondence, and minutes of meetings. More recently, concern has also extended to protecting company logos and other materials published on the public Internet.
People
The people category includes the individuals in key roles whose incapacity or absence would disrupt the business.
After you identify the company's assets, the next step is to assign each one a security level. Depending on the company's requirements, assets may be classified into two or more levels. I recommend two levels for organizations facing minimal security threats: public and confidential. Where security needs are greater, a three-level scheme can be used: public, confidential, and restricted. Whatever the scheme, each level must correspond to concrete handling rules (who may access the asset, and how it is stored, transmitted, and disposed of); a label with no procedure behind it is quickly ignored.
Be wary of having too many security levels; this tends to dilute their importance in the eyes of the user. A large multinational IT vendor used to have five levels: public, internal use only, confidential, confidential restricted, and registered confidential. Employees were confused about the differences among the levels and the procedures associated with each one, and the extra levels proved expensive in employee education, security facilities, and office practices; the costs were often greater than the potential losses from a security violation. Today, the vendor has cut down to three levels: public, internal use only, and confidential.
Back To Implement Security Management With These Six Steps