CYB_410_3-3_ProjectTwo_MilestoneOne_Branden_Knight

School

Southern New Hampshire University

Course

410

Subject

Information Systems

Date

Dec 6, 2023

Type

xlsx

Pages

7

Data Life Cycle Plan
Branden Knight
CYB-410: Security Risk Management
Southern New Hampshire University

The purpose of this spreadsheet is to document the data inventory and data classification for Green Thumb Nursery. A list of the spreadsheet tabs is provided below.

Data Inventory and Classification Tab: The Data Inventory and Data Classification tab contains a list of Green Thumb's system resources/components needed to run the business, their platforms/OS/versions (as applicable), and a description of their purposes. The tab also contains columns for the data inventory, the data classification, and a rationale for the data classification.

Classification Matrix Example Tab: The Classification Matrix tab contains a reference for the different categories of data classification: public, sensitive, or private, as well as a data classification example.
| System Resource/Component | Platform/OS/Version (as applicable) | Description |
|---|---|---|
| Web Server | Microsoft IIS | System used for internet marketing and online web presence. This system provides online internet marketing and a standard webpage to include contact information for the company. |
| Wireless Access Point | Netgear | Device that provides wireless access to the network infrastructure |
| Workstation | Microsoft Windows 10 | Device orders supplies and processes customer data and transactions |
| Internet Router | ISP Provided | Device used to access the internet |
| Network Switch | Netgear | Device that provides network connection to all network resources |
| Cell Phones | Galaxy s7 Straight Talk Wireless | Devices used for business communications |
| Environmental Sensors | APC | Devices used for environmental monitoring, for example, temperature, humidity, and power sensors |
| Tracking/Backup Server | Microsoft Windows Server 2016 | Device used for tracking and logging product data and maintaining data backup |
| Security Cameras | Arlo 5 Fixed, 1 PTZ | Devices used for property monitoring, for example, fixed site cameras and pan, tilt, zoom cameras |

| System Resource/Component | Data Inventory | Data Classification | Data Classification Justification |
|---|---|---|---|
| Web Server | Marketing materials; contact information; corporate details and contact information | Public | This system is public, as it should be accessible by anyone on the internet. Used for marketing and to provide customers with the ability to access the company webpage. |
| Wireless Access Point | Device information for specific devices connected to the organization's wireless access point | Sensitive | The system itself is sensitive and contains information on all devices that are connected to the wireless access point. |
| Workstation | Customer's data, supply data, and overall transaction history | Sensitive | The system should only be accessible to customer service employees because it contains PII and pricing for the merchandise. |
| Internet Router | Data on all devices that are connected to a wired internet network | Sensitive | IT staff members should only have access to this if they need to change the connection that is wired to the network. |
| Network Switch | Information for all devices that are connected to the company's network, whether wireless or wired | Sensitive | IT staff members should be the only ones who have access to this system, and it should be secured in a specific area in the company. |
| Cell Phones | Company has to issue mobile devices, in general | Sensitive | For approved company calls, these devices should only be used by the employees. Once the employee is done for the day, the phone should be returned. |
| Environmental Sensors | The data will include all environmental data, including the following: power levels, humidity, and temperatures | Public | The data should be available publicly because it does not contain any private or sensitive data. |
| Tracking/Backup Server | Extremely confidential company data | Confidential | Company data should only be accessed by authorized employees with permission to do so. It contains confidential data and backups for the company. |
| Security Cameras | A recording of video and audio files | Sensitive/Private | Authorized employees should be the ones able to access this system, because it has data just in case it was stolen. |
INFORMATION CLASSIFICATION MATRIX AND HANDLING GUIDE

| CATEGORY | DESCRIPTION | SAMPLE DOCUMENTS / RECORDS | DISTRIBUTION | DESTRUCTION / DISPOSAL |
|---|---|---|---|---|
| PUBLIC or open | Information that may be broadly distributed without causing damage to the organization, its employees and stakeholders. The [PR Office/Marketing Dept/Information Security Management dept/etc.] must pre-approve the use of this classification. These documents may be disclosed or passed to persons outside the organization. | Marketing materials authorized for public release such as advertisements, brochures, published annual accounts, Internet Web pages, catalogues, external vacancy notices | No restrictions | Recycling/trash |
| SENSITIVE | Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. Disclosure to anyone outside of [Company name] requires management authorization. Most corporate information falls into this category. | Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, phone and email directories, marketing or promotional information (prior to authorized release), investment options, transaction data, productivity reports, disciplinary reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages | Internal: use an internal mail envelope. External: use a sealed envelope. Electronic: use internal email system. Encryption is required for transmission to external email addresses. FAXing: take care over the FAX number! | Paper documents: shred. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, etc., to IT for appropriate disposal. |
| CONFIDENTIAL/PRIVATE or Proprietary | Highly sensitive or valuable information, both proprietary and personal. Must not be disclosed outside of the organization without the explicit permission of a Director-level senior manager. | Passwords and PIN codes, VPN tokens, credit and debit card numbers, personal information (such as employee HR records, Social Security Numbers), most accounting data, other highly sensitive or valuable proprietary information. | Internal: use a sealed envelope inside an internal mail envelope. Hand deliver if possible. External: use a plain sealed envelope. Hand deliver or send by registered mail, courier, etc. Electronic: use internal email system only. Encrypt data. FAXing: requires phone confirmation of receipt of a test page immediately prior to sending the FAX, and phone confirmation of full receipt. | Paper documents: shred using an approved cross-cut shredder. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, etc., to IT for appropriate disposal. |

Note: This classification scheme relates only to the confidentiality of the information. Similar schemes are feasible for integrity and availability requirements.

This work is copyright © 2009, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.