Security Technology & Design, April 2008
Convergence Q&A
IT Policy Compliance
By Ray Bernard, PSP, CHS III
This month’s column is prompted by feedback from collaborations between physical/corporate security departments and IT departments regarding compliance (or lack thereof) with corporate IT policies that apply to the handling of secure data. The IT departments in most medium and large organizations (and even some small ones) have three critically important policies that directly impact security departments:
• Computer and network use policy — What is and is not acceptable use of the organization’s computers and networks;
• Information systems security policy — Typically requiring that anti-virus and other computer and network security measures be applied to computers and networks; and
• Data classification policy — How data is categorized based on criticality and sensitivity (such as confidential, private and trade secret), to facilitate its protection.
The names for these policies can vary. Some examples are: “Acceptable Computer Use Policy” or “Electronic Media Use Policy”; “Data Security Policy,” “Information Security Policy” or “Network Security Policy”; and “Data Classification Security Policy” or “Data Classification Standard.”
There are many reasons why it is important for security directors and managers to study and understand these policies, as they apply to all computers and networks owned by the organization. Many policies forbid copying organizational non-public data (which would include video stills and clips) to USB memory sticks and other media. The policies also make the manager of a department responsible for policy enforcement.
Data classification and information systems security policies usually establish the concept of “data owner,” “data steward” or “business owner of data” — meaning the data owner is responsible for identifying all of the data that is generated and/or used, and collaborating with a designated person in IT security to correctly classify the data and establish appropriate protective measures. For example, some security investigations material falls into the category of private employee information. Many policies mandate that such information is handled in very specific ways, for both electronic and paper information.