tailieunhanh - Security Assessment Case Studies for Implementing the NSA IAM, Part 4

Determining the Organization's Information Criticality, Chapter 3, page 107

Figure: Example Completed Matrix with High-Water Mark

| | Confidentiality | Integrity | Availability |
|---|---|---|---|
| Customer Information | Medium | High | Low |
| Account Information | High | High | Low |
| Employee Information | High | Medium | Medium |
| Corporate Finances | High | High | Medium |
| Research and Development | Medium | Medium | Low |
| High Watermark | High | High | Medium |

NOTE: As the assessment team works with the customer to fill out the OICM, it's normal for the customer to want to change some things. Remember that this matrix is not static. You could end up changing multiple items several times in the process. The customer should be in control because they understand their business. You're providing expertise to guide their decision process. You should understand that if your definitions change, you will need to revisit the OICM to see if any of the ratings have changed based on the new definitions.

The Customer Perception of the Matrix

Often the customer will end up with misconceptions about the matrix and what it's intended to convey to the target audience. These issues typically arise before the process is complete, so your team will need to reiterate the goal of these activities. Confront these issues as they arise by explaining why the matrix is important to upper management.

In putting together the OICM, our goal is to distill the information architecture and its impact on the organization into an easy-to-read matrix. We've defined the critical pieces of information and prioritized them based on their impact on operations. So now we can understand that the loss of security attributes to these pieces of information can impact the company in varying degrees.
If the customer can understand the correlation we have drawn between these things, the matrix should be easy for them to comprehend.

One issue that inevitably pops up is the concern that some information types may .
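The high-water mark row of the example matrix above can be recomputed each time the customer changes a rating. The following is an added example, not code from the book: the function names, the Low < Medium < High ordering and the "Research and Development" row label are assumptions made for illustration.

```python
# Assumed rating scale (Low < Medium < High); all names here are illustrative.
RANK = {"Low": 1, "Medium": 2, "High": 3}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")
# Ratings copied from the example matrix on this page.
OICM = {
    "Customer Information": ("Medium", "High", "Low"),
    "Account Information": ("High", "High", "Low"),
    "Employee Information": ("High", "Medium", "Medium"),
    "Corporate Finances": ("High", "High", "Medium"),
    "Research and Development": ("Medium", "Medium", "Low"),
}


def validate(matrix):
    """Reject rows with a missing attribute or a rating outside the agreed scale."""
    for info_type, ratings in matrix.items():
        if len(ratings) != len(ATTRIBUTES):
            raise ValueError(f"{info_type}: expected {len(ATTRIBUTES)} ratings")
        for rating in ratings:
            if rating not in RANK:
                raise ValueError(f"{info_type}: unknown rating {rating!r}")


def high_water_mark(matrix):
    """Return {attribute: (mark, [information types rated at that mark])}."""
    validate(matrix)
    result = {}
    for col, attribute in enumerate(ATTRIBUTES):
        mark = max((r[col] for r in matrix.values()), key=RANK.__getitem__)
        drivers = [name for name, r in matrix.items() if r[col] == mark]
        result[attribute] = (mark, drivers)
    return result


def revise(matrix, info_type, attribute, new_rating):
    """Apply one customer-requested change; return (new matrix, marks that moved)."""
    before = high_water_mark(matrix)
    row = list(matrix[info_type])
    row[ATTRIBUTES.index(attribute)] = new_rating
    updated = {**matrix, info_type: tuple(row)}
    after = high_water_mark(updated)
    moved = {a: (before[a][0], after[a][0])
             for a in ATTRIBUTES if before[a][0] != after[a][0]}
    return updated, moved


if __name__ == "__main__":
    for attribute, (mark, drivers) in high_water_mark(OICM).items():
        print(f"{attribute}: {mark} (set by {', '.join(drivers)})")
```

The list of drivers shows which information types hold a mark in place, so a single rating change that leaves the mark unchanged is easy to explain to the customer.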