3. Information Classification: Standards and Frameworks
CobiT 4.1:
PO 2.3: Data Classification Scheme
PO 4.8: Data and System Ownership
DS 5.8: Data Classification
ISO 27002:
7.2.1: Classification Guidelines
10.7.1: Management of Removable Media
10.8.1: Information Exchange Policies
10.8.2: Exchange Agreements
11.1.1: Access Control Policy
Art. 5. Classified data or information shall be classified as top secret, secret,
confidential or restricted, according to its content or its intrinsic elements.
Decreto 4.553
4. Information Classification
Critical Success Factors
• Establish, in the information security policy, standards and
procedures that support the classification of information:
–Ownership
–Classes
–Access controls
–Reclassification
–Retention
5. Information Classification: Label-Based Document Control
[Diagram: two contexts, each holding the default roles, with documents sealed to them.
Context CC:DITEL:Confidencial: documents, emails, spreadsheets.
Context CC:DIRTI:Reservado: documents, PDF documents, spreadsheets, emails.
Roles (in each context): Contributor, Reviewer, Reader, Reader (no print).
Users: Assessor (Advisor), Chefe de Gabinete (Chief of Staff), Assessor Especial (Special Advisor).]
This slide shows a summary of contexts, users, roles and documents. There are two contexts, each containing the default roles; rights have been assigned in each context to users and to a group, and some documents have been sealed to the contexts.
Oracle provides a solution to this exact problem. Oracle Information Rights Management allows end users and enterprise applications to seal documents and emails. Sealing files not only encrypts them, it digitally signs them, and also links them back to the organization’s Oracle IRM Server.
Because of this link to the central server, access to the files can be centrally managed even after those files have been distributed; including outside the firewall. When a user attempts to open a sealed file, their PC connects to the server and retrieves their access rights; they will then be able to open that file subject to their rights. Some users may have read-only access, whilst others may have full edit access. Different users can have different rights to the same file, and indeed any copy of that file, regardless of where it resides.
Because the rights are managed centrally on the server, a user's rights can be changed or even revoked. So if a user leaves the organization, removing them from the corporate directory automatically revokes their access to every sealed document. Any sensitive information they may have backed up to removable media becomes inaccessible, because the files themselves are encrypted and the rights that unlock them live on the server, not in the file (any rights cached for offline use expire and are not renewed).
In addition to this control of access, the IRM server audits all document access, both online and offline.
So for the first time you are able to secure and track your sensitive information beyond the database, enterprise applications and even the firewall.
To recap…
Web services can be exposed to the internet, although they are more likely to be used solely within the corporate network. The IRM Web Services expose sealed-content processing operations and rights management operations.