Book IX, Chapter 1: Fundamentals of Security (page 1061)
Do Not Forget about Data Protection
Compliance and classification
Part of securing your computing environment is understanding how to protect the business from disclosure of information and how to ensure that the business is compliant with the government and industry regulations that surround computing and data.
Compliance
Data compliance is the concept of protecting data from information leaks and ensuring the recoverability of information by following government regulations and industry regulations. For example, if you are in the health industry, you must be compliant with the Health Insurance Portability and Accountability Act (HIPAA), which requires that health records and patient information be secured and kept private.
Companies are also required to protect customer information as outlined by the Privacy Act. Companies are no longer allowed to share customer information with other businesses, including contact information such as e-mail addresses and phone numbers.
Another example of data compliance is ensuring that your company has taken the correct steps and implemented the correct controls to adhere to the Sarbanes-Oxley Act, which outlines that the company must be able to prove that adequate auditing controls have been put in place in case an incident requires review of internal information, such as company e-mails.
If you are the security manager for your company, be sure to spend time researching which government regulations and industry regulations your company falls under. With your list of regulations in hand, you can then determine the steps you need to take to be compliant.
Classification
Part of securing company information is through data classification, which assigns a level of sensitivity to information, such as Confidential or Top Secret. After the level of sensitivity is assigned to the information, the necessary controls are put in place to protect that classification of information.
Each data classification has specific security measures that need to be implemented to keep it secure. For example, a company might decide that top secret information cannot leave the “top secret” system — say, by disabling the ports on the system that typically would allow connecting a removable drive.