New Information Classification Policy
Cristina Sanz Díaz, Risk & Compliance, January 2014

Contents
1. Why do we need an information classification policy?
2. How to classify information?
3. How to handle information?
4. Practical concepts and tips

1. Why a new classification policy?
How can you protect Amadeus information?
• Proper classification and labelling of documents
• Proper handling of information
2. How to classify information?
The four levels / Definitions
• Public: information that, due to its content and context, requires no special protection. e.g. Press announcements and statements
• Confidential & Restricted: information used or produced specifically to support Amadeus business (i.e. not for general circulation inside or outside the organization). e.g. Service levels, Training materials, Org Charts
• Strictly Confidential: information used or produced to provide Amadeus with a competitive advantage, for specific business planning and/or to support the technical or financial success of a project or implementation. e.g. Technical product or program documentation, New product concepts and proposals
• Confidential & Secret: highly sensitive internal documents, data and other information used or produced to provide Amadeus with a significant competitive advantage, for strategic business planning or to support the technical or financial success of a major project or implementation. e.g. Information about planned acquisitions
Amadeus Classification Levels

Public
Disclosure impact: information that can be made available for public distribution without any adverse impact on Amadeus business. e.g.: press announcements, marketing flyers
Labeling: none
Handling: none
Communication: as permitted by approval for external communication

Confidential & Restricted
Disclosure impact: unauthorized disclosure of this information could have a limited adverse effect on Amadeus operations, assets or individuals. e.g.: Organization Charts, Procedures, Policies
Labeling: Confidential & Restricted
Handling:
- No specific requirements for storage, transfer or disposal apart from duty of care
- Access with 1-factor authentication (e.g. password)
Communication:
- Can be shared among a targeted audience (e.g. document control)
- Must only be shared with external parties (e.g. partners, vendors, etc.) under NDA

Confidential & Secret
Disclosure impact: unauthorized disclosure of this information could have a severe or catastrophic adverse effect on Amadeus operations, assets or individuals. e.g.: employee data, acquisitions, privileged information, major organizational changes, etc.
Labeling: Confidential & Secret
Handling:
- Stored encrypted on Amadeus devices (not on portable media) and no printout
- Access with 2-factor authentication (e.g. RSA Token)
- Transferred encrypted
- Securely disposed
Communication:
- Can be shared among a very limited number of individuals
- Must only be shared with external parties (e.g. consultants, etc.) under NDA

Strictly Confidential
Disclosure impact: unauthorized disclosure of this information could have a serious adverse effect on Amadeus operations, assets or individuals. e.g.: Contracts, PNR, Customer data, etc.
Labeling: Strictly Confidential
Handling:
- Stored encrypted on all Amadeus devices, printout kept in locked storage
- Access with 2-factor authentication (e.g. RSA Token)
- Transferred encrypted
- Securely disposed
Communication:
- Can be shared among a targeted audience (e.g. document control)
- Must only be shared with external parties (e.g. partners, vendors, etc.) under NDA

Each classification has consequences on its labeling and handling.
Note: handling = storage, transfer, access, disposal; NDA = Non-disclosure agreement
Confidential or Public? Subject to content. Duty of care to be applied by the owner of the information.
Access to Templates
3. How to handle information?
What are the questions you need to ask yourself?
• How and where do I store information?
• To whom do I give access?
• Do I encrypt emails when sending confidential information?
• Do I securely dispose of documents when they are no longer needed?
• Am I careful with information in public environments (airports, planes or trains)?
Handling information
• Storage:
  • Soft copy
  • Print out
• Access
• Transfer:
  • Internally
  • Externally (NDA)
• Disposal
Handling

Confidential & Secret
- Stored encrypted on Amadeus devices (not on portable media) and no printout
- Transferred encrypted using secured channels (HTTPS or SFTP), subject to an NDA with external parties
- Securely disposed
- Access with 2-factor authentication (e.g. RSA Token)

Strictly Confidential
- Stored encrypted on all Amadeus devices, printout kept in locked storage
- Transferred encrypted using secured channels (HTTPS or SFTP), subject to an NDA with external parties
- Securely disposed
- Access with 2-factor authentication (e.g. RSA Token)

Confidential & Restricted
• Apart from duty of care there are no specific requirements for:
  - Storage
  - Transfer (subject to an NDA with external parties)
  - Disposal
  - Access for the targeted audience, with 1-factor authentication (e.g. password)

Public
- No specific handling requirements
Handling of the information (3/4)
Users can leverage technologies that have been put in place by Amadeus.
• Authentication Mechanism:
  • Something you know (e.g. password)
  • Something you have (e.g. RSA token)
  • Something you are (e.g. fingerprint)
• Authentication Strength:
  • 3-factor authentication: all of the above
  • 2-factor authentication: 2 of the above
  • 1-factor authentication: 1 of the above
• Authentication Service: ensure a person is who they claim to be
• Authorization Service:
  • Specify access (read/write/delete) to information
  • Notify when a person leaves or changes job
  • Authorization shall follow the Least Privilege Principle and Segregation of Duties (SoD)
Security Services Catalogue (Management / Technology / Operations): Security Policies, Standards, Model; Security Strategy / Governance; Dashboards & Scorecard; Security Awareness; IT Risk Assessment Services; Compliance Management; Authentication Service; Physical Security; Authorization Service; Business Continuity Management; Encryption Service; Incident Management; Logs & Correlation Service; Asset Classification & Management; Digital signature & Non-repudiation Service; Security Operations Management; Infrastructure Security; Monitoring Service
Note: 2 x "1-factor authentication" is not equal to "2-factor authentication"
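The handling matrix and the factor-counting note above can be turned into a checker, as an added example that is not part of the Amadeus deck: the level names and rules are taken from the slides, while the factor-to-category table, the data model and the sample handling requests are constructed here for illustration. Authentication strength is counted as the number of distinct factor categories, so two "something you know" factors still score as 1-factor.

```python
from dataclasses import dataclass

# Factor categories from the "Authentication Mechanism" slide: know / have / are.
FACTOR_CATEGORY = {"password": "know", "pin": "know",
                   "rsa_token": "have", "smartcard": "have",
                   "fingerprint": "are"}

def auth_strength(factors):
    """Count distinct factor categories: password + PIN is still 1-factor."""
    return len({FACTOR_CATEGORY[f] for f in factors})

@dataclass(frozen=True)
class Rules:
    min_factors: int
    encrypt_at_rest: bool
    portable_media_ok: bool
    printout: str            # "any", "locked" or "none"
    encrypt_in_transit: bool
    nda_for_external: bool

# Handling rules per level as stated in the deck (Public: duty of care only).
RULES = {
    "Public": Rules(0, False, True, "any", False, False),
    "Confidential & Restricted": Rules(1, False, True, "any", False, True),
    "Strictly Confidential": Rules(2, True, True, "locked", True, True),
    "Confidential & Secret": Rules(2, True, False, "none", True, True),
}

def check_handling(level, factors=(), encrypted_at_rest=False,
                   portable_media=False, printout=None,
                   transfer=None, external=False, nda=False):
    """Return the rule violations for one proposed handling (constructed model).
    printout: None, "locked" or "unlocked"; transfer: None, "encrypted" or "plain"."""
    r = RULES[level]
    v = []
    if auth_strength(factors) < r.min_factors:
        v.append(f"needs {r.min_factors}-factor authentication")
    if r.encrypt_at_rest and not encrypted_at_rest:
        v.append("must be stored encrypted")
    if portable_media and not r.portable_media_ok:
        v.append("not allowed on portable media")
    if printout and r.printout == "none":
        v.append("no printout allowed")
    if printout == "unlocked" and r.printout == "locked":
        v.append("printout must be kept in locked storage")
    if transfer == "plain" and r.encrypt_in_transit:
        v.append("must be transferred encrypted (HTTPS or SFTP)")
    if external and r.nda_for_external and not nda:
        v.append("external sharing requires an NDA")
    return v
```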