Tuesday, May 22, 2012

Business IT vs IT Supplier Fun#2 - setting data classification

Last month, I wrote a story about BIT vs ITS on who should be the one setting the security requirements... well, as you may have guessed, the saga shall continue. This time, it's about data classification.

The Storybrooke Post today's headlines: XYZ Company fined 100Mil by Storybrooke State for non-compliance with Data Security Act 1337

Business IT bloke: What the heck is this? <* smashing the paper on the table *> After our last meeting, we have given you all the security requirements for our system. How come we are still non-compliant with that Data Security Act? I believe we have a breach of contract here!
IT Supplier chap: I don't think so. We have carried out the work and protected your data in accordance with your security requirements. The recent audit report carried out by XYZ Group Internal Audit department confirms that. <* showing the report to BIT bloke *>
Business IT bloke: There must be some mistakes somewhere!
Information Security lad: <* skimming the Internal Audit report, Data Security Compliance Report and Security Requirements Specification *> Ok guys, I think I know what went wrong... The Data Security Compliance Report states that XYZ company fails to comply with Data Security Act 1337, section 4.3 - Protection of Personal Data of Employees, e.g. birthday, home address, etc. However, in the Security Requirements Specification document, in the section Data Classification, your BIT colleague responded "For Internal Use" for all items, personal data included. And, in the SLA offered by ITS, it is clearly mentioned that the protection of data depends on the data classification set. Encryption will only be enforced on data that has been classified as "Confidential". Thus, in this case, ITS is not obliged to enforce encryption to protect the "personal data" stored on your system.
The Data Security Act 1337 requires that personal data must be encrypted, hence when the Data Security Compliance auditors found this, they gave you a fail.
Business IT bloke: Damn.. the business owner didn't respond to us in time, and we had a deadline to catch. That's why we answered the Security Requirements Specification in that way...
Information Security lad: I can understand you have a deadline to meet. But at the end of the day, if something happens, who would be the fall guy? I believe you as BIT are the ones who would be blamed by the business for all these troubles. Thus, it is very crucial that you get things right at the very beginning to avoid something like this. We have learned a very expensive lesson today....
As we mentioned many times, if you are not sure, you can always come to the Information Security team for advice. We know that we can be a "pain in the ass" sometimes, but remember, information security is a business enabler. We are not trying to make your life difficult, we are merely doing our job to protect the company's interest.

Moral of the story?

1. You must always set the data classification on your data. It may not seem significant in your eyes, but it may be entirely different in the eyes of the law.
2. The Information Security team is your friend, not the enemy :) 
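To make the first moral concrete, here is an added example (not from the post) of the check the Information Security lad effectively did by hand: compare each item's chosen classification against the controls the SLA ties to that level, and against the controls a regulation demands for the data's category. The classification scheme, the SLA control table and the "personal data must be encrypted at rest" rule are assumptions standing in for the story's SLA and the fictional Data Security Act 1337.

```python
from dataclasses import dataclass, field

# Classification levels in ascending order of protection (assumed scheme).
LEVELS = ["Public", "For Internal Use", "Confidential"]
# Controls the hypothetical ITS SLA commits to at each level; as in the
# story, encryption is only applied to "Confidential" data.
SLA_CONTROLS = {
    "Public": set(),
    "For Internal Use": {"access-control"},
    "Confidential": {"access-control", "encryption-at-rest"},
}
# Controls a regulation demands per data category, whatever classification
# the business chose (constructed mapping standing in for the fictional Act).
REGULATORY_CONTROLS = {"personal": {"encryption-at-rest"}}

@dataclass
class DataItem:
    name: str
    classification: str
    categories: set = field(default_factory=set)

def required_controls(item):
    """Union of regulatory controls triggered by the item's categories."""
    return set().union(*(REGULATORY_CONTROLS.get(c, set()) for c in item.categories))

def minimum_classification(required):
    """Lowest level whose SLA controls cover every required control (None if none)."""
    return next((lvl for lvl in LEVELS if required <= SLA_CONTROLS[lvl]), None)

def audit(items):
    """One finding per item whose chosen classification leaves a regulatory
    control unmet under the SLA; an empty list means the inventory passes."""
    findings = []
    for item in items:
        required = required_controls(item)
        missing = required - SLA_CONTROLS[item.classification]
        if missing:
            findings.append({"item": item.name, "classified": item.classification,
                             "missing": sorted(missing),
                             "should_be": minimum_classification(required)})
    return findings

# Constructed inventory mirroring the story: personal data marked Internal Use.
INVENTORY = [
    DataItem("employee_home_address", "For Internal Use", {"personal"}),
    DataItem("canteen_menu", "Public"),
    DataItem("payroll_records", "Confidential", {"personal"}),
]
```

Running `audit(INVENTORY)` flags only the home address: it is under-classified and should have been "Confidential" for the SLA to cover the encryption the Act requires; a `should_be` of `None` would mean no SLA level suffices and the contract itself needs changing.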

Ain't security fun? ;) 

Acknowledgement: Picture taken from http://www.flickr.com/photos/jdhancock/4842967148/sizes/m/in/photostream/
