Friday, 30 October, 2020

The ISO 17799: The Definite Guide for Security Geeks (Part 5)

In the fifth part of this series we discuss how the ISO standard looks at company assets: how companies should classify them, manage the inventory, and hold people accountable for them.

The clause is called Asset Classification and Control; it covers the need for all company assets to be accounted for and to have a named owner.

The objective is to maintain appropriate protection of the company assets.

The first of the controls is the inventory of assets (5.1). The standard classifies assets into:

- Physical: computer equipment, backup tapes, disks, etc.
- Software: software systems, applications, etc.
- Informational: databases, manuals, documentation, etc.
- Services: lighting, air-conditioning systems, etc.

Logically, not all the information in a company should be treated with the same level of precaution, because the value of the information being protected varies.

In control 5.2.1 (Classification guidelines) the standard urges companies to classify information according to its importance and value, and to enforce the appropriate controls according to this standard. Someone might ask who should classify the company's information. The answer is simple:

The responsibility of defining the classification of an item of information, e.g. a document, a data record, a data file or a diskette, and of periodically reviewing that classification, should remain with the originator or the nominated owner of the information.

The next control (5.2.2 Information Labeling and Handling) covers the need to create company-wide procedures on how to label information (for instance Confidential / Non-Confidential) and how to handle each label with the designated controls, so that unauthorized access remains prohibited.
These procedures should cover the following phases of information handling:

- copying
- storage
- transmission by post, fax, and e-mail
- transmission by spoken word, including mobile phone, voicemail, etc.
- destruction of information

Physical labels are generally the most appropriate forms of labeling. However, some information assets, such as documents in electronic form, cannot be physically labeled and electronic means of labeling need to be used.

The above subject should draw our attention to the rarity of encrypted materials in Egyptian companies, or even in “the government”. What are the Egyptian government's standards regarding this issue?

The United States has adopted the AES algorithm (Advanced Encryption System) as the official encryption system of the country. Many say this is because the National Security Agency (NSA) has access to the algorithm's public key and can therefore decrypt any encrypted governmental document “if needed”.

Classifying information into dossiers in a rusty paper cabinet should not be the answer any more in this digital world we are living in.

Digital access permissions, digital signatures and appropriate encryption methods should be the right way of handling information nowadays.

Posted by ROOT Technologies
