Study Security Domain in Data Security Aspect of Enterprise

24 April 2007 at 8:09 am 8 komentar

 

Study Security Domain in Data Security Aspect of Enterprise

Imran1*, Budi Rahardjo1

1Bandung Institute of Technology, Jalan Ganesa 10, Bandung 40132, Indonesia

The growth of information technology (IT) is compare diametrical with the increasing of threat to the confidentiality, integrity, and availability (CIA) of data and information. In managing data which abundance is asset which utilized in routine activity in reaching target, enterprise have to know what data to be protected because each data have a different security level, therefore the data classification have to implemented. Data classification conducted by determining level of data according to value of data, the impact of risk if the data loss and other aspect according as to business process of the enterprise. This research are use seven main process, first process is the preparation process that identify the asset of the enterprise and preparation for data classification, the second process is the risk analysis that using reference from National Institute of Standards and Technology (NIST) special publication 800-30 to classified the data according to the level that define, the third process is classifying the data according their level, the fourth is securing each of level data classification with the Clack Wilson model, the fifth process is analyst with Cost to Benefit Analysis (CBA) method, the sixth process is recommended it to the enterprise and finally monitoring and evaluating each process.

Keywords : data classification, IT, CIA, NIST, CBA.

1. General

In the globalization era, competition between institution profit or non profit it pattern in a straight frame. To keep the exist of the enterprise, data must to get attention because is one of the most valuable asset. An enterprise can realize vision with actualisation mission that support by accurate data, complete and up to date and keep the confidentiality, integrity and availability. Data security must get especial attention in an enterprise, with safety data can support the activity and problem about data can be anticipated.

This research of data security use approach data classification that is grouped data into some level according to value of the data, risk if the data is lose and business process of the enterprise. Some standard that uses in this research are NIST Special publication 800-30 for risk analysis and Clark Wilson Model for security action to each classification level.

2. Data Security

There are three aspect that needed to implemented security program for securing data and information, there are confidentiality, integrity and availability from an enterprise resources(1).

2.1 Confidentiality

Confidentiality have to define with a procedure that through identify and authentication user process. A good Identification from user of the system is ascertaining effectiveness of policy that define access authority to the data item.

2.2 Integrity

Data integrity has to get protection from illegal distorting which intended. The important think of integrity is to process or protect used program of illegal data modification.

2.3 Availability

Availability is the assurance that a computer system is accessible by authorized users whenever needed. Two facets of availability are typically discussed:

1. Denial of service, it is an activity which using computing cervices and load system resources. It is make the user that have an authority can not use the system resources. For example: Internet worm load about 10% from network computer system that make system can not give response other user.

2. Loss of data processing capabilities as a result of natural disasters (e.g., fires, floods, storms, or earthquakes) or human actions (e.g., bombs or strikes).

3. Shifting security perspectives

Management have to shifting security perspectives to reach and support a security level that directly support mission of enterprise. Special approach, reactive, strategic and adaptive are needed to realize it.

Table 1. Shifting security perspectives(2).

tabel

4. Data Classification

Today’s enterprise face a glut of data, ranging from financial reports, personnel files, research results and customer records to engineering and development code. Enterprise data stores ranging in tens to hundreds of terabytes, and filled with millions of different files are constantly growing. With the growth in data ranging in the order of 50% per year, it is increasingly difficult to know what data is available, what data is critical to the business and how best to manage overall information assets. The problem is that most companies do not correlate information with their business process, often resulting in a poor utilization of storage resources.

Benefit of Data Classification

At its core, the data classification process allows companies to organize their information in a way that corresponds to business needs. This ability provides quantifiable benefits that

can be categorized into four main categories:

a. Meeting Requirements of Regulatory Compliance

Data classification is used to obeying the low, like information privacy that needed protection. Many enterprise look to Data Classification as a means of meeting the requirements of compliance audits

b. Enhanced Risk Mitigation and Security

Another benefit of data classification are enhanced risk mitigation and security because it support confidentiality, integrity, and availability that can protecting the data. Implementation of a data classification can be base to securing data that prevent data disclosure.

Companies may wish to mitigate legal risks by ensuring adequate response times in the face of legal discovery challenges. A proper Data Classification implementation can be fundamental in keeping track of data that may be used to avert a potential lawsuit or assist in its defense.

Combining universal classification with flexible, policy-based data movement offers solutions in many areas:

1. Intelligent policy-driven archiving to meet regulatory, compliance and other corporate governance needs.

2. Flexible, bi-directional data movement between tiers based on age and other important data attributes.

3. Improved backup procedures that match the value of the data to the backup strategy to help eliminate backup-window problems.

c. Better Utilization and Increased Hardware Cost Savings

Data classification offers cost savings by allowing less important data to be migrated from expensive primary storage, to less expensive secondary storage systems. While many enterprises own and operate different tiers of storage, the use of such tiered storage is typically governed by application and physical connectivity, rather than the actual value of the data embodied therein. Proper implementation of a data classification implementation allows efficient use of a tiered storage infrastructure by matching the value of the data to that of the underlying storage infrastructure – allowing less valuable data to reside on less expensive disks.

d. Increased Performance and Efficiency

Studies show that with unstructured data, almost 80% of data retained by an enterprise is never touched. Yet this data may be kept on high performance storage arrays, backed up nightly, and replicated to remote sites.

Low value data often consumes a large part of an enterprise high value storage resources that could be better employed storing mission and performance critical information.

In addition, better data management can improve the overall responsiveness and performance of enterprise applications and storage resources.

Data Classification can increase the effective performance of data security measures, such as encryption. The problem with encryption is that it demands processing overhead, which slows performance for the user. Without data classification, an encryption process would simply encrypt everything, often affecting users far more than necessary. Through a data classification initiative, a company can identify and encrypt only the relevant data saving time and processing power.

The following definitions explaining some level classifications of data at governance area that grouped of lowest level to highest level.

1 Unclassified. Information is assumed not sensitive and not secret so that not necessarily concealed and its spreading not necessarily be limited.

2 Sensitive but unsecured. Information is considered to be small secret, but will not give damage impact if it is overspread.

3 Confidential. Information is assumed to measures up to confidential. Illegal disclosure from this information can result some problems to level of security and safety a state.

4 Secret. Information refers from secret character. Illegal disclosure from this information can cause at serious problem to level of national security and safety a state.

5 Top secret. This is level which is highest from classification of information. Illegal disclosure from top secret information can cause fatal problem to level of state security and safety.

At private sector, generally applies classification terminology following :

1 Public. This information not in secret. Information at this category not necessarily to be overspread, but if having to disclosed shouldn’t give negative or serious impact to company.

2 Sensitive. Information at sensitive level requires one level of higher level protection. This information need to be protected against loss of secrecy and integrity as result of distorting that is illegal.

3 Private. Information of This category measures up to private, what applied just for importance enterprise. Disclosure of the information can have a negative effect to enterprise and also employee. For example, salary level and medical information of patient.

4 Confidential. Information of confidential category is assumed hardly sensitive and addressed to be used for the sake of internal of enterprise. Disclosure that is null and void can affect negative and is serious to enterprise. For example, information about new product development, trading secret and cooperation negotiations assumed confidential.

5. Cycle Scheme Data Security and Data Classification

siklusku

Fig. 1. Cycle scheme data security and data classification.

5.1 Preparation Phase

Enterprise have to create a team or at least choose a person to be information security officer (ISO) that responsible to implementation of process data security and data classification. Before implementation of the program is started, ISO have to ask some important problems and get the answer of it[1].

Before the actual implementation of the data classification program can begin, the Information Security Officer (ISO) — whom for the purposes of this discussion is the assumed project manager — must ask some very important questions, and get the answers.

Is there an executive sponsor for this project?

Although not absolutely essential, obtaining an executive sponsor and champion for the project could be a critical success factor. Executive backing by someone well respected in the organization who can articulate the ISO’s position to other executives and department heads will help remove barriers, and obtain much needed funding and buy-in from others across the corporation. Without an executive sponsor, the ISO will have a difficult time gaining access to executives or other influencers who can help sell the concept of data ownership and classification.

What are you trying to protect, and from what?

The ISO should develop a threat and risk analysis matrix to determine what the threats are to corporate information, the relative risks associated with those threats, and what data or information are subject to those threats. This matrix provides input to the business impact analysis, and forms the beginning of the plans for determining the actual classifications of data.

Are there any regulatory requirements to consider?

Regulatory requirements will have an impact on any data classification scheme, if not on the classifications themselves, at least on the controls used to protect or provide access to regulated information. The ISO should be familiar with these laws and regulations, and use them as input to the business case justification for data classification, as well as input to the business impact analysis and other planning processes.

Has the business accepted ownership responsibilities for the data?

The business, not IT, owns the data. Decisions regarding who has what access, what classification the data should be assigned, etc. are decisions that rest solely with the business data owner. IT provides the technology and processes to implement the decisions of the data owners, but should not be involved in the decision making process. The executive sponsor can be a tremendous help in selling this concept to the organization.

Too many organizations still rely on IT for these types of decisions. The business manager must realize that the data is his data, not IT’s; IT is merely the custodian of the data. Decisions regarding access, classification, ownership, etc. resides in the business units. This concept must be sold first, if data classification is to be successful.

Are adequate resources available to do the initial project?

Establishing the data classification processes and procedures, performing the business impact analysis, conducting training, etc. requires an up-front commitment of a team of people from across the organization if the project is to be successful. The ISO cannot and should not do it alone. Again, the executive sponsor can.

5.2 Define policy

One of the important aspect in defining data classification plan is policy of data security. The policy give ISO authority to start the project, find executive sponsorship, obtaining fund and other support.

Policy of enterprise to data security focus on:

· Define information as an asset of the business unit

· Declare local business managers as the owners of information

· Establish Information Systems as the custodians of corporate information

· Clearly define roles and responsibilities of those involved in the ownership and information

· Define the classifications and criteria that must be met for each

· Determine the minimum range of controls to be established for each classification

5.3 Risk Analysis

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the IT assets and resources affected

There are 9 main steps in conducting risk analysis which can be seen at the following flowchart(5):

penilaian resiko

Fig. 2. Risk assessment activity.

5.3 Define Data to each level

After each data are specified of its risk level, then we :

· makes matrix that showing risk level each data;

· determines level classification each data as according to matrix result of risk assessment;

· gives label each data according to owner and its level.

5.4 Security Action

The most important think in security action is by securing each level according their level. The highest classification is getting high security level. The medium classification is getting medium security level and so on until the lowest level.

5.5 Cost to Benefit Analysis

§ Exposure Factor (EF). It is representing the loss that influenced an even of threat to a specific asset.

§ Single Loss Expectancy (SLE). It is money value that given to a single event. Formula as following :

. aset value x EF = SLE

§ Annualized Rate of Occurrence (ARO). It is a number that represented estimate of frequency threat even.

§ Annualized Loss Expectancy (ALE). It is an estimate of monetary loss of year which resulted by threat. Formula as following :

SLE x ARO =ALE

5.6 Recommended to Enterprise

Documentation of process which has been done, made in the form of draft to be recommended to enterprise which is referable in doing implementation of scheme of data security architecture as according to its level classification.

5.7 Monitoring and evaluation

To control of continuity data classification system, we need to be applied observation of going concern process. Internal department/unit control and organizes this activity to ascertain accomplishment with policy and procedure is specified. Owner of information periodical re-evaluates data to ensure that its classification still according, ascertains access right according to its responsibility and work and security and safety control in each level classification evaluated to ascertain concordance with has been defined.

6 Conclusion

Cycle scheme data security and data classification can be made reference by enterprise in process to securing data at each level with the result that business activity of enterprise can run without barrier because data have been guaranteed it security. This Process have to conducted and evaluated continuity because mission of enterprise and data with managed possibility will experience change according to policy of the enterprise.

The problem in this research is how to get data sample to test and implementation of data security and classification cycle planning, so that conclusion of classification with data at each level has not been done. Alternatively, writer tries to define data as according to scientific order and approach in interpreting a data.

References

[1] Tipton, Harold F. and Krause, Micki (2004), Information Security Management Handbook, CRC Press LLC, Fifth Edition.

[2] Caralli, Richard A.(2004), Managing for Enterprise Security, Networked Systems Survivability Program.

[3] Carlson, Tom (2001), Information Security Management Understanding ISO 17799, CISSP Lucent Technologies Worldwide Services.

[4] Peltier, Thomas R; Peltier, Justin; Blackley John (2005), Information Security Fundamentals, CRC Press LLC.

[5] Stoneburner, Gary; Goguen, Alice and Feringa, Alexis (2002), Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology.

[6] Simpson, Nik (2006), Building a Scalable Enterprise-Class Data Classification System, http://www.scentric.com/pdf/Data_Classification_Systems.pdf.

[7] _________(2005), Information Technology – Security Techniques – Information Security Management System – Requirements, International Standard ISO/IEC 27001, first edition.


* Imran. E-mail : barinox77@yahoo.com

Entry filed under: Iptek.

Ranking Maskapai Penerbangan Perbedaan kegiatan eII 2006 dengan eII 2007

8 Komentar Add your own

  • 1. joniandra  |  28 April 2007 pukul 7:11 am

    I hope your paper, could applicated.

    Balas
  • 2. lem_tiui  |  5 April 2009 pukul 10:38 pm

    Fyi..

    One-day Seminar Event
    Roadmap to ISO 27001 Certification and Comply with Peraturan Bank Indonesia No.9/15/PBI/2007, “Penerapan Manajemen Risiko dalam Penggunaan Teknologi Informasi pada Bank Umum”.

    Hari,Tgl : 16 April 2009
    Tempat : Ritz Carlton Hotel, Pacific Place – Sudirman
    Waktu : 08.30 – 16.30
    Contact Person: Mia (0856 – 855 9590) / Anggi (0813 – 10193025)
    or 021 – 9130 7746 / 021 – 9760 5726 / 021 – 78888805 ext.119

    Speakers:
    – Deputi Direktur Direktorat Teknologi Informasi Bank Indonesia (Diah PBA. Lubis, CISM.CISA)
    – Tim Perumus Peraturan Bank Indonesia (Dwi Kurniawan, CISM.CISA)
    – Lead Auditor Bureau Veritas Taiwan, Lembaga Audit ISO Internasional (Joe Huang, CISSP.CISA
    – Ketua Departemen Teknik Industri Universitas Indonesia (Dr. Ir. T. Yuri M. Zagloel, MEng.Sc)
    – Praktisi ISO 27001 yang telah berpengalaman dalam implementasi ISO 27001 (Ir. Boy Moch Nurtjahyo, MSIE)
    – Implementor ISO – Veda Praxis (Novaldy Antonio, B.Bis)

    Materi:
    • Overview tata kelola pengamanan informasi pada perusahaan
    • Roadmap implementasi ISMS dan sertifikasi ISO 27001
    • Peran Peraturan Bank Indonesia (PBI) No. 9/15/PBI/2007 dalam peningkatan pengamanan informasi di dunia perbankan
    • Keterkaitan implementasi standar keamanan informasi terhadap kepatuhan pada Peraturan Bank Indonesia (PBI) No. 9/15/PBI/2007
    • Perspektif Badan Sertifikasi terhadap audit ISO 27001 di Indonesia

    Investment:
    – IDR 1.800.000,- / person
    – Early Bird (Before 31st March 2009) IDR 1.500.000,- / person
    – Special Discount for more than 3 participants registered

    For more information, please visit us on: http://www.lemtiui.com
    or please contact us: 021-91307746 / 021-97605726 / 021-78888805 ext.119

    Fasilitas Bagi Peserta:
    – Free ToolIS27, software Implementation ISO 27001(Quick Assessment, Database Asset & Monitoring)
    – Gameboard Roadmap menuju sertifikasi ISO 27001
    – Buku saku Roadmap (tips ‘n tricks) menuju sertifikasi ISO 27001
    – Lunch, coffee break, sertifikat peserta
    – Seminar Kit
    – Materi Seminar

    Terimakasih atas perhatian dan kerjasamanya.

    Regards,
    LEMTIUI
    Gd. Dept. Teknik Industri
    Fakultas Teknik Universitas Indonesia Lt. 2
    Kampus Baru UI Depok 16424
    Phone: 021-9130 7746 / 021-9760 5726 Fax: 021 7888 5656

    Balas
  • 3. CJ Jacinto  |  16 Januari 2012 pukul 10:10 am

    A purchase specialized features a choice of finding a CPM as well as qualified getting boss or even should they be more involved with present sequence they are able to have a … (CPSM…cpsm

    Balas
  • 4. skin lightening  |  29 Desember 2012 pukul 2:31 am

    What’s up, yeah this piece of writing is really nice and I have learned lot of things from it concerning blogging. thanks.

    Balas
  • 5. http://google.com  |  13 Februari 2013 pukul 8:42 pm

    I was searching for plans for my very own blog and encountered ur post, “Study Security Domain in Data Security Aspect of
    Enterprise Melukis visi Dengan Realitas”, do you really mind in the event I actually make use of a bit of of ur points?

    I am grateful ,Rex

    Balas
  • 6. Nong trai vui ve  |  10 April 2013 pukul 11:48 am

    Calming? Lots of games can is a Disney classic that everyone loves.

    Ultimately it’s very intuitive here Dress Up Naruto Game Online.

    Balas
  • 7. stealth attraction pua training  |  25 Juli 2013 pukul 1:31 pm

    Thanks for sharing your thoughts about women pua. Regards

    Balas
  • 8. obat maag  |  28 Mei 2015 pukul 3:05 pm

    obat maag

    Study Security Domain in Data Security Aspect of Enterprise | Melukis visi Dengan Realitas

    Balas

Tinggalkan Balasan

Isikan data di bawah atau klik salah satu ikon untuk log in:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Blog Stats

  • 68.174 hits
April 2007
S S R K J S M
 1
2345678
9101112131415
16171819202122
23242526272829
30  

Top Clicks

  • Tidak ada

%d blogger menyukai ini: