Task 1.5: Understanding the Value of Documents

Identifying the value of the documents your company has is an important task. Documents have value—some more than others. You might lose a quote from a vendor for the new server you have requested and have little to worry about. But what if you lost a client list that had credit card and other personal information? Clearly, some documents and the information they contain are more valuable than others. Factors that impact organizations and how they handle information include the following:

  • Government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act hold corporations accountable for the privacy, integrity, and security of information.
  • Industry is more dependent than ever on the Internet. Many organizations use it for critical and sensitive communications.
  • Identity theft and loss of personal information are at an all-time reported high.

These issues are affecting businesses and placing an increased emphasis on how they handle information.

Scenario

Your organization recently lost a laptop with sensitive company information on it. The data on the drive was not encrypted. This incident has started a big debate at work on the value of documentation and data. Your boss has asked you to investigate a system that could be used to value documents and the information they hold. You will be asked to make recommendations at the next staff meeting.

Scope of Task

Duration

This task should take about 15 minutes.

Setup

For this task you need a group of people from throughout the organization working with you. While you may be an expert on IT systems, you may not know the value of documents or information in the HR department. Gathering data from different people in different departments will provide better results.

Caveat

Documents and data, whether in paper or electronic form, need adequate protection. Sometimes this fact is grossly overlooked.

Procedure

In this task, you will learn how to categorize and place a value on documents and data.

Equipment Used

For this task, you must have:

  • A pen or pencil

Details

This task will introduce you to some of the methods of information classification. You will be required to take specific documents and determine which category they belong in. This will allow you to specify the level of protection needed.

Information Classification

All companies must take steps to protect the integrity and confidentiality of their information assets. An information-classification system is one way to do this. Information classification helps identify sensitive information and can assist an organization in meeting government regulations, such as HIPAA, and other regulatory requirements. Such a system also helps prevent identity theft.

Two systems are primarily used to classify information:

  • Governmental classification
  • Commercial classification

This task will look at commercial classification, which is broken into the following four categories:

Confidential: This is the most sensitive rating. This is the information that keeps a company competitive. This information is for internal use, and its release or alteration could seriously affect or damage the corporation.

Private: This category of restricted information is considered of a personal nature and might include medical records or human-resource information.

Sensitive: This information requires controls to prevent its release to unauthorized parties. Damage could result from its loss of confidentiality or its loss of integrity.

Public: Disclosure or release of information in this category would cause no damage to the corporation.

Using the commercial classification categories, place the items in Table 1.12 into their proper categories.

TABLE 1.12 Commercial Information Classification

Item | Classification
Employee medical records | ________
Trade secrets | ________
Prototypes of next year’s products | ________
Schedule of public events | ________
Customer database | ________
Pending sales events | ________
Sales-call list | ________
Monthly customer profit reports | ________
Router configuration | ________
Network diagrams and schematics | ________

After completing Table 1.12, compare it to the results shown in Table 1.13.

TABLE 1.13 Commercial Information Classification—Answers

Item | Classification
Employee medical records | Private
Trade secrets | Confidential
Prototypes of next year’s products | Confidential
Schedule of public events | Public
Customer database | Confidential
Pending sales events | Sensitive
Sales-call list | Sensitive
Monthly customer profit reports | Confidential
Router configuration | Sensitive
Network diagrams and schematics | Sensitive

Did the answers agree with what you felt was the adequate level of protection? Were you more conservative than the answers shown in Table 1.13? Although your answers may vary from the chart, the goal is to see how certain documents, data, and information have more value than others. Part of the job of a security professional is to determine that value and work with management to develop adequate protection.

Computer security is not just about networks. It also encompasses the technological and managerial procedures applied to protect the confidentiality, integrity, and availability of information.

Criteria for Completion

You have completed this task when you have placed the various documents into their proper categories.
