The nature of the specific data content that exists in the processing environment, and the controls that should apply to it, depend upon various factors. This policy does not mandate or endorse particular data content. Rather, the business decision process used to evaluate the inclusion or exclusion of particular data content should consider the items listed below. Regardless of the specific data content that exists in the environment, all aspects of this policy must be enforced. Considerations for evaluating data content include:
- Legal and regulatory obligations in the locales in which we operate.
- Can privacy, confidentiality, security, and integrity of the data be ensured to the satisfaction of customers and legal authorities?
- Is it in line with our business goals and objectives?
- Do customers require or demand access to specific data content?
- What is common local practice?
- What rules govern the movement across international boundaries of different data content, and do we have in place controls to enforce these rules?
Data classification is necessary to enable the allocation of resources to the protection of data assets, as well as to determine the potential loss or damage from the corruption, loss, or disclosure of data.
To ensure the security and integrity of all data, the default data classification for any data asset is either Confidential Customer Data or Proprietary Company Data.
The Data Security organization is responsible for evaluating the data classification schema and reconciling it with new data types as they enter usage. It may be necessary, as we enter new business endeavours, to develop additional data classifications.
All data found in the processing environment must fall into one of the following categories:
- Public Company Data – Public company data is defined as data that any entity, either internal or external to S-Square, can access. The disclosure, use, or destruction of Public company data will have limited or no adverse effects on S-Square and carries no significant liability. (Examples of Public company data include readily available news, stock quotes, or sporting information.)
- Proprietary Company Data – Proprietary company data is any information that derives its economic value from not being publicly disclosed. It includes information that S-Square is under a legal or contractual obligation to protect. The value of proprietary company information to S-Square would be destroyed or diminished if such information were disclosed to others. Most S-Square sensitive information should fall into this category. Proprietary company information may be copied and distributed within S-Square only to authorized users. Proprietary company information may be disclosed to authorized external users only under a non-disclosure agreement.
- Confidential Company Data – Confidential Company Data is information that is not to be publicly disclosed, regardless of its economic value. The disclosure, use, or destruction of Confidential Company Data can have adverse effects on S-Square and possibly carry significant civil, fiscal, or criminal liability. This designation is used much less frequently. It is used for highly sensitive information whose access is restricted to selected, authorized employees. The recipients of confidential information have an obligation not to reveal the contents to another individual unless that person has a valid need to know the information. Company confidential information must not be copied without authorization from the identified owner.
- Confidential Customer Data – Confidential customer data is defined as data that only authorized internal S-Square entities or specific authorized external entities can access. The disclosure, use, or destruction of confidential customer data can have adverse effects on S-Square and its relationship with its customers, and possibly carry significant liability for both. Confidential customer data is entrusted to S-Square (and others), and may transit or be stored on their systems; S-Square has custodial responsibility for such data but does not own it.
- Public Customer Data – Public customer data is defined as data that any entity, either internal or external to S-Square, can access. The disclosure, use, or destruction of Public customer data will have limited or no adverse effects on S-Square or the customer and carries no significant liability. Public customer data is entrusted to S-Square (and others), and may transit or be stored on their systems; S-Square has custodial responsibility for such data but does not own it.
In order to classify data, it is necessary that an owner be identified for all data assets. The owner of data is responsible for classifying their data according to the classification schema noted in this policy. If an owner cannot be determined for an S-Square data asset, the Data Security organization must act as its custodian.
The default classification for all data not classified by its owner must be either Confidential Customer Data or Proprietary Company Data.
The Data Security organization is responsible for developing, implementing, and maintaining procedures for identifying all data assets and associated owners.
The owner of all customer data is the individual owner who generates or is assigned ownership of that data. (Data such as public key certificates generated by an external Certificate Authority but assigned to a specific customer are considered owned by that customer.)
On occasion, data assets may need to be released to entities outside of S-Square. When a legitimate business reason exists for releasing sensitive information, a written Non-Disclosure Agreement (NDA), requiring the data recipient’s agreement to maintain that data in confidence and restrict its use and dissemination, must be obtained before disclosing the data.
Data Security Principles
S-Square's business goals, objectives, and needs for security can be derived from three principles: accountability, authorization, and availability. These three principles emphasize the need for security to function properly in S-Square's processing environment, which comprises applications, network, and system resources. Non-compliance with these principles can have serious and adverse effects on S-Square.
In the context of this policy, the following provides the overall concepts or security principles for which all users and vendors are responsible. It is the responsibility of the Data Security organization to define the specific mechanisms necessary to support these principles.
All network, system, and application events should be attributable to a specific and unique individual. It should be possible to attribute a responsible individual to every event through an identification service and to verify that the individual so assigned has been properly identified through an authentication service. It must also be possible to trace any event so as to reconstruct the time, place, and circumstances surrounding it through an audit service.
In this context, identification refers to a security service that recognizes a claim of identity by comparing an offered user-id with stored security information.
Authentication refers to a security service that verifies the claimed identity of the user, for example by checking a password. Auditability refers to a security service that records information of potential security significance.
All network, system, and application events must only result from allowable actions through access control mechanisms. Permission may be derived directly from an individual’s identity, or from a job classification or administrative privilege based on that individual’s identity. The principle of “least privilege” specifies that individuals only be granted permission for actions needed to perform their jobs.
Limiting actions to those properly authorized protects the confidentiality and integrity of data within the S-Square processing environment.
In this context, access control refers to a security service that allows or denies a user request based on privilege, group information, or context. Confidentiality refers to a security service that prevents disclosure of information to unauthorized parties while the information is in use, in transit, in storage, or being destroyed.
All permitted activity should operate with reliability. The data necessary to carry out such events must be readily retrieved and correct with high confidence. All results of an event must be completed, unless the event is aborted in its entirety. The results of an event should not depend in unexpected ways on other concurrent events. The security services themselves must be documented and easily administered.
In this context, integrity refers to a security service that guarantees data has not been altered, deleted, repeated, or rearranged during transmission, storage, processing, or recovery.
Core Security Principles
The information systems security architecture, policies, procedures, practices, and guidelines are developed in concert with the principles stated below. The following are the common core security principles recommended by industry best practices.
- Accountability Principle – The accountability and responsibility of information systems security should be explicit.
- Awareness Principle – Owners, providers, and users of information systems, and other parties should be informed about (or readily able to gain appropriate knowledge of) the existence and general extent of policies, responsibilities, practices, procedures, and organization for security of information systems.
- Ethics Principle – Information systems and the security of information systems should be provided and used in accordance with the ethical standards applicable to your operating environment.
- Multidisciplinary Principle – Policies, responsibilities, practices, and procedures for the security of information systems should consider all relevant aspects of this effort, including technical (e.g. software and hardware engineering), administrative, organizational, operational, commercial, educational, and legal.
- Proportionality Principle – Security levels, costs, practices, and procedures should be appropriate and proportionate to the values of and degree of reliance on the information systems and to the severity, probability, and extent of potential for direct and indirect, tangible and intangible harm.
- Integration Principle – Policies, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization to ensure a coherent system of security.
- Timeliness Principle – All personnel, assigned agents, and third-party providers, should act in a timely, coordinated manner to prevent and to respond to breaches of the security of information systems.
- Reassessment Principle – The security of information systems should be reassessed periodically.
- Democracy Principle – The security of an information system should be weighed against the rights of customers, users, data owners, data custodians and other individuals affected by the system, and against your rights as the owners and operators of these systems.
- Certification and Accreditation Principle – Information systems and information security professionals should be certified as technically competent, and management should approve them for operation.
- Internal Control Principle – Information security forms the core of an organization’s internal control system for information.
- Adversary Principle – Controls, security strategies, architectures, policies, standards, procedures, and guidelines should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries with harmful intent or harm from negligent or accidental actions.
- Least Privilege Principle – An individual should be granted only enough privilege to accomplish assigned tasks, but no more.
- Separation of Duty Principle – Responsibilities and privileges should be allocated in such a way that prevents an individual or a small group of collaborating individuals from inappropriately controlling multiple key aspects of a process and causing unacceptable harm or loss.
- Continuity Principle – Information security professionals should identify their organization’s needs for disaster recovery and continuity of operations and should prepare the organization and its information systems accordingly.
- Simplicity Principle – Information professionals should favour small and simple safeguards over large and complex safeguards.
- Policy-Centred Security Principle – Policies, standards, and procedures should be established as a basis for managing the planning, control, and evaluation of information security activities.