Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 55

Security classification and categorization should be the linch pin that ties together the organization's information security and risk mitigation efforts. It's what separates the highest-leverage proprietary information from the routine, nearly-public-knowledge facts and figures. Information classification schemes drive three major characteristics of your information security operations and administration.

 Internal boundaries for information control: Many business processes have “insider knowledge” needed to inform decisions or exert control over risky, hazardous, or sensitive sequences of actions. These can and should be encapsulated with a layer that hides that inside knowledge by allowing controlled “write-up” of inputs and “write-down” of outputs to the points where they interface with other business processes. These boundaries surround data at higher levels, and the trusted processes that can manipulate or see it, from outer, surrounding layers of processes that perforce operate at lower levels of trust. (It's not a coincidence that that sounds like a threat surface.)

 Standards for trust and confidence: It's only logical to require higher levels of trustworthiness for the people, processes, and systems that deal with our most vital information than we would need for those that handle low-risk information. In most cases, greater costs are incurred to validate hardware, software, vendors, our supply chain, and our people to higher levels of trust and confidence; as with all risk mitigation decisions, cost-effectiveness should be a decision factor. The information classification standards and guide should directly lead to answering the question of how much trustworthiness is enough.

 Measures of merit for information security processes: The level of information classification should dictate how we measure or assess the effectiveness of the security measures put in place to protect it.

Taken together these form a powerful set of functional requirements for the design not just of our information security processes but of our business processes as well! But first, we need to translate these into two control or cybernetic principles.