Implementation of a Data Classification Policy

Submitted By Ramsay
The following is a policy defining how data will be classified and how users will be able to access that data. New user accounts can be set up within Active Directory Users and Computers (Create a new user account, 2005, January 21). This allows the administrator to create a user name and a unique password for that user. Once this is done, the user can be placed in a group (Create a new group, 2005, January 21). The group depends on the role the user will fulfil; for example, if the user works in the accounting department, they will be placed in the accounting group.
Once the user has been placed in a group, permissions can be applied to that group. For example, the accounting department may have two different groups: Users and Managers. Any file that deals with accounting can then have its permissions set according to the role of the user. This also allows the administrator to implement least privilege through the data classification. To fulfil their job, Managers will need the ability to read and write files and to create new folders. This allows a manager to complete their job without having too much access. The User group will only need List Folder/Read Data access (Stanek, W. n.d.). This allows a user to read the information within the files but does not allow them to change any information within the folder.
Lastly, any changes made within the system need to be documented for reference. Documentation of these changes needs to answer the following:
• What is the change?
• Why is the change being implemented?
• Who requested the change?
• Is this for a new user?
• Is this change regarding an employee who is no longer with the company?
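The procedure above (create the user, place them in a role group, apply least-privilege NTFS permissions, and document the change) as an added PowerShell example; this is not part of the original essay. It assumes the ActiveDirectory module is installed and uses placeholder values for the domain name (CORP), the OU, the share path and the change-log location.

```powershell
# Added example, not from the essay: role groups, least-privilege NTFS ACLs,
# and the change record the policy requires. Domain, OU and paths are assumed.
Import-Module ActiveDirectory

$Domain    = 'CORP'                               # assumed NetBIOS domain name
$OuPath    = 'OU=Accounting,DC=corp,DC=example'   # assumed OU for accounting objects
$SharePath = 'D:\Shares\Accounting'               # assumed accounting folder
$ChangeLog = 'D:\Admin\change-log.csv'            # assumed change-log location

# 1. Create the two role groups (global security groups) if they do not exist.
foreach ($name in 'Accounting-Users', 'Accounting-Managers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $OuPath
    }
}

# 2. Create a user with a unique password and place them in their role group.
function New-RoleUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [ValidateSet('Accounting-Users', 'Accounting-Managers')]
        [string] $Role
    )
    # The initial password is prompted for, never hard-coded in the script.
    $password = Read-Host -AsSecureString -Prompt "Initial password for $SamAccountName"
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName -Path $OuPath `
               -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $Role -Members $SamAccountName
}

# 3. Apply NTFS permissions: Managers get read, write and create-folder rights;
#    Users get only List Folder / Read Data. Inheritance is disabled so that
#    broader permissions on the parent folder cannot widen access.
function Set-AccountingAcl {
    param([string] $Path = $SharePath)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Synchronize is needed by Windows to open handles; it grants no data access.
    $rules = @(
        @{ Id = 'BUILTIN\Administrators';      Rights = 'FullControl' }   # keep admin access
        @{ Id = 'NT AUTHORITY\SYSTEM';         Rights = 'FullControl' }
        @{ Id = "$Domain\Accounting-Managers"; Rights = 'ReadData, ReadAttributes, WriteData, AppendData, CreateDirectories, Synchronize' }
        @{ Id = "$Domain\Accounting-Users";    Rights = 'ListDirectory, ReadAttributes, Synchronize' }
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, [System.Security.AccessControl.FileSystemRights] $r.Rights, $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    # Show the resulting ACEs so the administrator can confirm nothing wider remains.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# 4. Record every change with the five questions the policy lists.
function Write-ChangeRecord {
    param(
        [Parameter(Mandatory)] [string] $What,
        [Parameter(Mandatory)] [string] $Why,
        [Parameter(Mandatory)] [string] $RequestedBy,
        [switch] $NewUser,        # is this for a new user?
        [switch] $Offboarding     # does this concern an employee who has left?
    )
    [pscustomobject]@{
        Timestamp   = (Get-Date).ToString('s')
        ChangedBy   = $env:USERNAME
        What        = $What
        Why         = $Why
        RequestedBy = $RequestedBy
        NewUser     = [bool] $NewUser
        Offboarding = [bool] $Offboarding
    } | Export-Csv -Path $ChangeLog -Append -NoTypeInformation
}

# Example run with constructed values.
Set-AccountingAcl
New-RoleUser -SamAccountName 'jdoe' -DisplayName 'Jane Doe' -Role 'Accounting-Users'
Write-ChangeRecord -What 'Created jdoe and added to Accounting-Users' `
                   -Why 'New hire in accounting' -RequestedBy 'Accounting manager' -NewUser
```

Run it from an elevated session as a domain administrator; the script changes group membership and folder ACLs, so review the printed ACEs before pointing it at a production share.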
The data classification used here is modeled on the national security scheme, which has three levels: Confidential, Secret, and Top Secret. Confidential is the lowest and Top Secret is the highest level of classification. Access under these three classifications is controlled by the need-to-know or least privilege principle. Need to know gives the user the bare minimum resources needed to complete their job, while least privilege gives the user the minimum amount of access needed to complete their job, as seen in the policy above (Unit 3: Data Classification, n.d.). I personally think that any type of business that deals with personal data should have to operate according to the least privilege principle. This will mitigate both inside and outside attacks because it limits what the user can see and interact with on their end.

References
Create a new group. (2005, January 21). Retrieved March 28, 2015, from https://technet.microsoft.com/en-us/library/cc783256(v=ws.10).aspx
Create a new user account. (2005, January 21). Retrieved March 28, 2015.
Stanek, W. (n.d.). File and Folder Permissions. Retrieved March 28, 2015, from https://msdn.microsoft.com/en-us/library/bb727008.aspx
Unit 3: Data Classification. (n.d.). Retrieved March 28, 2015, from http://www.distance-education.itt-tech.edu/online/jsp/common/authorware.jsp?objectId=547086
