CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [158]
Compliance: This area evaluates how well the organization complies with regulatory and legal requirements. It also evaluates compliance with internal privacy policies.
When the ISO 17799 standard was introduced in 1995, it didn’t gain initial acceptance; many in the industry didn’t feel that it was thorough enough to be a serious standard. Critics of the standard felt that the certification was oriented more toward giving advice than toward providing a comprehensive certification process. This issue has been largely addressed in later revisions of the standard.
Classifying Information
Information classification is a key aspect of a secure network. Again, the process of developing a classification scheme is both a technical and a human issue. The technologies you use must be able to support your organization’s privacy requirements. People and processes must be in place and working effectively to prevent unauthorized disclosure of sensitive information.
If you think about all the information your organization keeps, you’ll probably find that it breaks down into three primary categories: public use, internal use, and restricted use. Figure 6.10 shows the typical ratios of how this information is broken down. Notice that 80 percent of the information in your organization is primarily for internal or private use. This information would include memos, working papers, financial data, and information records, among other things.
FIGURE 6.10 Information categories
In the following sections, I’ll discuss the various information classification systems, roles in the security process, and information access controls.
You won’t be tested on the information in the following sections. However, from a practical, real-world perspective, you should be familiar with these areas.
Public Information
Public information is primarily information that is made available either to the larger public or to specific individuals who need it. Financial statements of a privately held organization might be information that is available publicly, but only to individuals or organizations that have a legitimate need for it.
The important thing to keep in mind is that an organization needs to develop policies about what information is available and for what purposes it will be disseminated. It’s also helpful to make sure that members of the organization know who has authorization to make these kinds of disclosures. There are organizations that gather competitive data for a fee; they often use social engineering approaches to gain information about a business. Good policies help prevent accidents from occurring with sensitive information.
The following sections discuss the difference between limited and full distribution.
Limited Distribution
Limited distribution information isn’t intended for release to the public. This category of information isn’t secret, but it’s private. If a company is seeking to obtain a line of credit, the information provided to a bank is of a private nature. This information, if disclosed to competitors, might give them insight into the organization’s plans or financial health. If disclosed to customers, it might scare them and cause them to switch to a competitor.
Some End User License Agreements (EULAs) now limit the information that users can disclose about problems with their software. These new statements have not yet been challenged in court. Try to avoid being the test case for this new and alarming element of some software licenses; read the EULA before you agree to it.
These types of disclosures are usually held in confidence by banks and financial institutions. These institutions will typically have privacy and confidentiality regulations as well as policies that must be followed by all employees of the institution.
Software manufacturers typically release early versions of their products to customers who are willing