The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [139]

Consult job title/workgroup/responsibilities lists. A company can provide ready access to authorization information by publishing lists of which employees are entitled to what information. These lists may be organized in terms of employee job title, employee departments and workgroups, employee responsibilities, or by some combination of these. Such lists would need to be maintained online to be kept current and provide quick access to authorization information. Ordinarily, Information Owners would be responsible for overseeing the creation and maintenance of the lists for access to information under the Owner’s control.

Note: It is important to note that maintaining such lists is an invitation to the social engineer. Consider: If an attacker targeting a company becomes aware that the company maintains such lists, there is a strong motivation to obtain one. Once in hand, such a list opens many doors to the attacker and puts the company at serious risk.

Obtain Authority from a Manager. An employee contacts his or her own manager, or the manager of the requester, for authority to comply with the request.

Obtain Authority from the Information Owner or a Designee. The Information Owner is the ultimate judge of whether a particular person should be granted access. The process for computer-based access control is for the employee to contact his or her immediate manager to approve a request for access to information based on existing job profiles. If such a profile does not exist, it is the manager’s responsibility to contact the relevant data Owner for permission. This chain of command should be followed so that Information Owners are not barraged with requests when there is a frequent need to know.

Obtain Authority by Means of a Proprietary Software Package. For a large company in a highly competitive industry, it may be practical to develop a proprietary software package that provides need-to-know authorization. Such a database stores employee names and access privileges to classified information. Users would not be able to look up each individual’s access rights, but instead would enter the requester’s name, and the identifier associated with the information being sought. The software then provides a response indicating whether or not the employee is authorized to access such information. This alternative avoids the danger of creating a list of personnel with respective access rights to valuable, critical, or sensitive information that could be stolen.
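As an added illustration (not code from the book), here is the yes/no need-to-know check described above, contrasted with the published lists of the first alternative: the grant table is private, there is no interface that enumerates it, every lookup is audited, and a simple monitor flags callers who walk many names past the oracle. The names, identifiers, time window and threshold are constructed assumptions. It goes one step past the text in that even a yes/no answer can be harvested one question at a time, so the lookups themselves are logged and watched.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class NeedToKnowAuthorizer:
    """Need-to-know oracle: answers only "is requester X entitled to item Y?".
    The grant table is private and nothing enumerates it, so a client cannot
    pull the whole roster the way it could from a published workgroup list."""

    def __init__(self, grants, window=timedelta(minutes=10), probe_threshold=5):
        # grants: iterable of (employee name, information identifier) pairs
        self._grants = frozenset((n.lower(), i) for n, i in grants)
        self.window = window                    # look-back period for probing
        self.probe_threshold = probe_threshold  # distinct names per caller
        self._queries = defaultdict(deque)      # caller -> (time, requester)
        self.audit_log = []                     # every lookup, allowed or not

    def is_authorized(self, caller, requester, info_id, now=None):
        """caller: who is asking; requester: the person whose access is checked."""
        now = now or datetime.now()
        allowed = (requester.lower(), info_id) in self._grants
        self.audit_log.append((now, caller, requester, info_id, allowed))
        recent = self._queries[caller]
        recent.append((now, requester.lower()))
        while recent and now - recent[0][0] > self.window:
            recent.popleft()                    # drop entries outside the window
        return allowed

    def probing_callers(self):
        """Callers who asked about many distinct people within the window:
        a yes/no oracle can still be harvested one question at a time."""
        return sorted(c for c, recent in self._queries.items()
                      if len({r for _, r in recent}) >= self.probe_threshold)

# Constructed sample data (hypothetical names and identifiers, not from the book)
SAMPLE_GRANTS = [("Alice", "DOC-PAYROLL-2024"), ("Alice", "DOC-ORGCHART"),
                 ("Bob", "DOC-ORGCHART")]

def run_demo():
    """A helpdesk caller checks two requests; a second caller then walks
    six names past one identifier, which the monitor flags."""
    auth = NeedToKnowAuthorizer(SAMPLE_GRANTS, probe_threshold=5)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    legit = [auth.is_authorized("helpdesk", "Alice", "DOC-PAYROLL-2024", t0),
             auth.is_authorized("helpdesk", "Bob", "DOC-PAYROLL-2024", t0)]
    for i, name in enumerate(["Alice", "Bob", "Carol", "Dave", "Erin", "Frank"]):
        auth.is_authorized("ext-caller", name, "DOC-PAYROLL-2024",
                           t0 + timedelta(seconds=i))
    return legit, auth.probing_callers()
```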

MANAGEMENT POLICIES

The following policies pertain to management-level employees. These are divided into the areas of Data Classification, Information Disclosure, Phone Administration, and Miscellaneous Policies. Note that each category of policies uses a unique numbering structure for easy identification of individual policies.

Data Classification Policies

Data Classification refers to how your company classifies the sensitivity of information and who should have access to that information.

1-1 Assign data classification

Policy: All valuable, sensitive, or critical business information must be assigned to a classification category by the designated Information Owner or delegate.

Explanation/Notes: The designated Owner or delegate will assign the appropriate data classification to any information routinely used to accomplish business goals. The Owner also controls who can access such information and what use can be made of it. The Owner of the information may reassign the classification and may designate a time period for automatic declassification.

Any item not otherwise marked should be classified as Sensitive.

1-2 Publish classified handling procedures

Policy: The company must establish procedures governing the release of information in each category.

Explanation/Notes: Once classifications are established, procedures for release of information to employees and to outsiders must be set up, as detailed in the Verification and Authorization Procedures outlined earlier in this chapter.

1-3 Label all items

Policy: Clearly
