IMPACT OF A DATA CLASSIFICATION STANDARD
Being a mid-level financial investment and consulting firm, we are governed by laws that protect the personal data of our customers. To reduce risks and threats, the company needs to develop an IT Security Policy Framework containing four main components: Policy, Standard, Procedures and Guidelines [1]. This report focuses on the Standard component by addressing the three IT infrastructure domains affected by Richman Investments' "Internal Use Only" data classification standard, under which the communication of such data does not leave the company's intranet [2], and by describing how each of the User, Workstation and LAN domains is affected by that standard.
The User domain is considered the weakest link in an IT infrastructure, as employees can be motivated to violate company policies. Areas of concern that affect keeping data private are: lack of user awareness, because some users do not pay attention to what data is considered private and fail to secure it properly; security policy violations, where some users continue to leave private data in the open where others can see it; a disgruntled employee who purposely takes personal data to cause damage between the company and the customer; and employee blackmail or extortion, threatening to distribute or sell the personal data to obtain a promotion or monetary gain [3].
The Workstation domain consists of workstations (any electronic device a user can connect to the company's IT infrastructure) used to gain access to personal data through multiple resources [4]. The areas of concern in this domain are: unauthorized access because an employee did not lock the workstation, did not log off, or had their user ID and password compromised; a virus, malicious code or malware infecting the workstation after a user downloaded non-business material from the Internet; and a user violating the Acceptable Use Policy (AUP) by misusing their authorized access to obtain personal data [5].
The LAN domain is where electronic devices connect to one another over the company's intranet (the LAN), allowing resources to be shared [6]. The effects of connecting to the LAN include: unauthorized access to the LAN through unsecured computer rooms, data centers and wiring closets, where someone can reach the company's core systems and retrieve personal data; rogue users scanning for WLAN SSID broadcasts, which lets them attempt to crack logon information and access company systems; and personal data transmitted over WLAN connections being intercepted by someone outside the company [7].
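The "Internal Use Only" standard above comes down to one enforceable rule: data carrying that label stays on the intranet. The following Python check, added here as an illustration and not taken from Richman Investments or from the cited textbook, shows how such a rule can be evaluated for a batch of attempted transfers. The intranet address ranges, the Transfer record type and the sample transfers are constructed for the example; the requirement that Internal Use Only data also travel over an encrypted channel (so a WLAN segment cannot expose it to interception) is an assumption added here rather than something the standard states, and any label the check does not recognise is denied so the check fails closed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed intranet address space for this example; a real deployment
# would list the firm's own allocated ranges.
INTRANET_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Classification labels the check understands; anything else is denied.
KNOWN_LABELS = {"Public", "Internal Use Only"}


@dataclass(frozen=True)
class Transfer:
    """One attempted movement of a data object (hypothetical record type)."""
    label: str            # data classification label on the object
    destination_ip: str   # address the data is being sent to
    encrypted: bool       # whether the transport channel is encrypted


def is_intranet_address(ip: str) -> bool:
    """True if ip is inside one of the intranet ranges; malformed input is False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTRANET_RANGES)


def evaluate_transfer(t: Transfer) -> tuple[bool, str]:
    """Return (allowed, reason) for one transfer under the classification standard."""
    if t.label not in KNOWN_LABELS:
        # Fail closed: an unlabelled or unknown label is not trusted to leave anywhere.
        return False, f"unknown classification label {t.label!r}"
    if t.label == "Public":
        return True, "public data may leave the intranet"
    # Internal Use Only: the standard says this data does not leave the intranet.
    if not is_intranet_address(t.destination_ip):
        return False, f"Internal Use Only data may not leave the intranet ({t.destination_ip})"
    # Assumption added for this example: require an encrypted channel even
    # inside the intranet, so a wireless segment cannot expose the data.
    if not t.encrypted:
        return False, "Internal Use Only data must travel over an encrypted channel"
    return True, "intranet destination over an encrypted channel"


def audit(transfers):
    """Evaluate a batch and return the denied transfers paired with their reasons."""
    denied = []
    for t in transfers:
        allowed, reason = evaluate_transfer(t)
        if not allowed:
            denied.append((t, reason))
    return denied


# Constructed sample transfers so the block runs stand-alone.
SAMPLE = [
    Transfer("Internal Use Only", "10.20.30.40", True),    # allowed
    Transfer("Internal Use Only", "10.20.30.41", False),   # denied: cleartext
    Transfer("Internal Use Only", "203.0.113.7", True),    # denied: leaves intranet
    Transfer("Public", "203.0.113.7", False),              # allowed
    Transfer("Restricted", "10.0.0.5", True),              # denied: unknown label
    Transfer("Internal Use Only", "not-an-ip", True),      # denied: malformed address
]

if __name__ == "__main__":
    for t, reason in audit(SAMPLE):
        print(f"DENY {t.label!r} -> {t.destination_ip}: {reason}")
```

Running the block prints the four denied sample transfers with the reason for each; in practice the same evaluate_transfer() decision would sit in whatever gateway or data-loss-prevention control sees the transfer, and the denied list would feed the audit log.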
Governed by laws that protect customers' personal data, the company must have a strong security standard as part of its IT Security Policy Framework. Focusing on the "Internal Use Only" data classification standard, the company needs to plan for the effects in the User, Workstation and LAN domains to prevent personal data loss or corruption. One way is to make sure that employees have signed and are following the company's AUP, along with making sure the company's intranet is secured against outside attacks.
Bibliography
Kim, David, and Michael G. Solomon. "Fundamentals of Information Systems Security", 15-42. Sudbury, MA: Jones & Bartlett Learning, 2012.