The ISO 17799: The Definitive Guide for Security Geeks (Part 5)
By: OMAR SHERIN
In the fifth part of this series we will discuss how the ISO standard looks at company assets, how companies should classify them, how they should manage the inventory, and how they should hold people accountable for them.
The clause is called Asset Classification and Control; it covers the need to make every company asset accounted for and to give each one a named owner.
The objective is to maintain appropriate protection of the company's assets.
The first of the controls is starting your Inventory of Assets (5.1). The standard classifies assets into:
- Physical: computer equipment, backup tapes, disks, etc.
- Software: software systems, applications, etc.
- Informational: databases, manuals, documentation, etc.
- Services: lighting, air-conditioning systems, etc.
Logically, not all the information in a company should be treated with the same level of precaution, because the value of the information being protected varies.
In control 5.2.1 (Classification Guidelines) the standard urges companies to classify information according to its importance and value and to enforce the appropriate controls according to that classification. Someone might ask who should classify the company's information; the answer is simple:
The responsibility of defining the classification of an item of information, e.g. a document, a data record, a data file or a diskette, and of periodically reviewing that classification, should remain with the originator or the nominated owner of the information.
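The inventory and ownership requirements above are easy to state and easy to let slide. The following is an added example (not code from the article or from the ISO standard) of a minimal asset register that uses the four asset categories named in control 5.1, records a named owner for each asset, and reports the two things an auditor asks about first: assets nobody owns, and assets whose classification the owner has not reviewed recently. The classification levels, the review interval and the sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Asset categories as listed under ISO 17799 control 5.1 (inventory of assets)
CATEGORIES = {"Physical", "Software", "Informational", "Services"}
# Classification levels are an assumption for this example; the standard leaves them to each company
LEVELS = ("Public", "Internal", "Confidential")


@dataclass
class Asset:
    asset_id: str
    name: str
    category: str
    owner: Optional[str]          # named owner; None means nobody has been nominated
    classification: str
    last_review: Optional[date]   # when the owner last confirmed the classification

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown asset category: {self.category}")
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification: {self.classification}")


def unowned(assets):
    """Assets nobody is accountable for."""
    return [a.asset_id for a in assets if not a.owner]


def review_overdue(assets, today, max_age_days=365):
    """Assets whose classification was never reviewed or not reviewed within max_age_days
    (control 5.2.1 expects the owner to review the classification periodically)."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.asset_id for a in assets
            if a.last_review is None or a.last_review < cutoff]


def inventory_by_category(assets):
    """Count assets per category so that an empty category stands out."""
    counts = {c: 0 for c in CATEGORIES}
    for a in assets:
        counts[a.category] += 1
    return counts


# Constructed sample register; not real company data
SAMPLE = [
    Asset("A-001", "Backup tape set, monthly", "Physical", "j.ahmed", "Confidential", date(2006, 1, 15)),
    Asset("A-002", "Payroll application", "Software", "s.hassan", "Confidential", date(2004, 6, 1)),
    Asset("A-003", "Customer database", "Informational", None, "Confidential", date(2005, 11, 3)),
    Asset("A-004", "Server-room air conditioning", "Services", "facilities", "Internal", None),
]

if __name__ == "__main__":
    today = date(2006, 3, 1)
    print("no owner:", unowned(SAMPLE))
    print("review overdue:", review_overdue(SAMPLE, today))
    print("per category:", inventory_by_category(SAMPLE))
```

An asset with no owner is rejected by the audit rather than by the constructor on purpose: the register should be able to record what actually exists, including the gaps, so the report shows what has to be fixed.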
The next control, 5.2.2 (Information Labeling and Handling), covers the need to create company-wide procedures for labeling information (for instance Confidential / Non Confidential) and for handling each label with its designated controls so that unauthorized access stays prohibited.
These procedures should cover the following phases of information handling:
- copying
- storage
- transmission by post, fax and e-mail
- transmission by spoken word, including mobile phone, voicemail, etc.
- destruction of information
Physical labels are generally the most appropriate forms of labeling. However, some information assets, such as documents in electronic form, cannot be physically labeled and electronic means of labeling need to be used.
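A handling procedure is only useful if it can be applied mechanically to every copy, transfer and destruction request. The following is an added example (not from the article or the standard) of a handling matrix that pairs the two labels the article mentions with the handling phases it lists, and checks a proposed action against the controls that label requires. The specific controls attached to each phase are assumptions made for the example; a real procedure would name the company's own controls.

```python
from enum import Enum


class Label(Enum):
    NON_CONFIDENTIAL = "Non Confidential"
    CONFIDENTIAL = "Confidential"


class Phase(Enum):
    COPY = "copying"
    STORE = "storage"
    POST = "transmission by post"
    FAX = "transmission by fax"
    EMAIL = "transmission by e-mail"
    SPOKEN = "transmission by spoken word"
    DESTROY = "destruction"


# Handling matrix: for each label and phase, the controls a handler must satisfy.
# The phases follow the article; the named controls are assumptions for this example.
POLICY = {
    Label.NON_CONFIDENTIAL: {phase: set() for phase in Phase},
    Label.CONFIDENTIAL: {
        Phase.COPY: {"owner_approval", "copy_logged"},
        Phase.STORE: {"encrypted_at_rest", "access_list"},
        Phase.POST: {"sealed_envelope", "tracked_delivery"},
        Phase.FAX: {"recipient_confirmed"},
        Phase.EMAIL: {"encrypted_in_transit"},
        Phase.SPOKEN: {"private_location"},
        Phase.DESTROY: {"shredded_or_wiped", "destruction_recorded"},
    },
}


def check_handling(label, phase, controls_applied):
    """Return (allowed, missing_controls) for a proposed handling action."""
    required = POLICY[label][phase]
    missing = required - set(controls_applied)
    return (not missing, sorted(missing))


def audit(events):
    """Check a list of (label, phase, controls) events and return the violations found."""
    violations = []
    for label, phase, controls in events:
        ok, missing = check_handling(label, phase, controls)
        if not ok:
            violations.append((label.value, phase.value, missing))
    return violations


# Constructed sample events: two compliant, two missing a required control
EVENTS = [
    (Label.CONFIDENTIAL, Phase.EMAIL, {"encrypted_in_transit"}),
    (Label.CONFIDENTIAL, Phase.EMAIL, set()),
    (Label.NON_CONFIDENTIAL, Phase.FAX, set()),
    (Label.CONFIDENTIAL, Phase.DESTROY, {"shredded_or_wiped"}),
]

if __name__ == "__main__":
    for v in audit(EVENTS):
        print("violation:", v)
```

Because every phase must have an entry for every label, a new label or a new handling phase that is added without a row in the matrix fails with a `KeyError` rather than silently being allowed; that is the behaviour you want from a handling procedure.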
This subject should draw our attention to how rarely encrypted material is found in Egyptian companies, or even further, in "the government". What are the Egyptian government's standards on this issue?
The United States has adopted the AES algorithm (Advanced Encryption Standard) as the country's official encryption system. Many say that this is because it is the algorithm to which the National Security Agency (NSA) has access to the public key, so it can decrypt any encrypted governmental document "if needed".
Classifying information into dossiers in a rusty paper cabinet should no longer be the answer in the digital world we live in.
Digital access permissions, digital signatures and appropriate encryption methods should be the right way of handling information nowadays.
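An electronic label only protects anything if it cannot be quietly changed or separated from the document it describes, and if access decisions actually consult it. The following is an added example (not from the article) that attaches a label to an electronic document, binds the label to the document's content with a keyed MAC so that a changed label or body is detectable, and refuses to grant access on a label that fails verification. The HMAC here stands in for the digital signature the article recommends: it uses Python's standard library only, but it means the verifier must hold the same secret as the labeler; a deployment would use an asymmetric signature so that verifiers need only a public key. The key, the clearance levels and the sample document are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical labeling key for the example; a real system would keep it in the labeling service only
LABEL_KEY = b"example-label-key-not-for-production"

# Clearance ordering; assumed for the example (the article mentions only these two labels)
LEVEL_RANK = {"Non Confidential": 0, "Confidential": 1}


def _mac_input(header, content):
    """Canonical bytes that the MAC covers: the label fields plus a hash of the content."""
    digest = hashlib.sha256(content).hexdigest()
    return json.dumps(header, sort_keys=True).encode() + b"\n" + digest.encode()


def label_document(doc_id, content, classification, owner):
    """Build an electronic label for `content` and bind it to the content with an HMAC."""
    if classification not in LEVEL_RANK:
        raise ValueError(f"unknown classification: {classification}")
    header = {"doc_id": doc_id, "classification": classification, "owner": owner}
    header["mac"] = hmac.new(LABEL_KEY, _mac_input(header, content), hashlib.sha256).hexdigest()
    return header


def verify_label(header, content):
    """True only if neither the label fields nor the content changed since labeling."""
    fields = {k: v for k, v in header.items() if k != "mac"}
    expected = hmac.new(LABEL_KEY, _mac_input(fields, content), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header.get("mac", ""))


def may_read(header, content, user_clearance):
    """Access decision: an unverifiable label is treated as a failure, not as 'Non Confidential'."""
    if not verify_label(header, content):
        return False
    return LEVEL_RANK[user_clearance] >= LEVEL_RANK[header["classification"]]


# Constructed sample document
DOC = b"Q1 salary review - draft"
LABEL = label_document("DOC-42", DOC, "Confidential", "s.hassan")

if __name__ == "__main__":
    print("intact label verifies:", verify_label(LABEL, DOC))
    tampered = dict(LABEL, classification="Non Confidential")
    print("downgraded label verifies:", verify_label(tampered, DOC))
    print("clerk may read:", may_read(LABEL, DOC, "Non Confidential"))
    print("owner may read:", may_read(LABEL, DOC, "Confidential"))
```

The important design choice is the fail-closed branch in `may_read`: a label that does not verify is denied rather than treated as the lowest level, so stripping or rewriting the label gains an attacker nothing.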
Posted by ROOT Technologies