In this section, a sample data ownership study for the data in the database is explained. During this study, the information architecture officer conducts a survey among the business units that own the data. The aim is to understand the sensitivity and confidentiality of the data owned by each business unit.
First, the information architecture officer has each business unit answer the following survey questions:
1. Are there any sections other than this section that use this information? (Yes / No)
2. What is the impact level if there is unauthorized access to the information? (High / Medium / Low)
3. What is the risk of the information being disclosed? (Very Risky / Risky / No Risk)
4. What is the effect if data loss occurs because this information is not backed up REGULARLY? (NONE: the lost information is not needed; LESS: the information can be reproduced in a short time; MEDIUM: the information can be reproduced, but it takes time; MOST: the effect is great and the loss cannot be compensated.)
5. Can the data be recreated if the information is deleted? (Yes / No)
6. Are you sure this information is REGULARLY backed up? (Yes / No)
7. Who can this information be shared with? (A: Only top managers; B: Managers within the unit; C: Authorized users within the unit; D: Unit personnel; E: Unit personnel and related unit personnel; F: Temporary employees (interns etc.); G: Corporate personnel; H: Corporate customers; I: Public. Each option includes all the options above it.)
8. Confidentiality: How is the Institution affected if the CONFIDENTIALITY of the information asset is damaged, that is, if the information is disclosed? (A: No critical information is disclosed; disclosure of information below the critical level does not affect the Institution, or affects it very little. B: No critical information is disclosed; disclosure of information below the critical level affects the Institution, and the impact can be compensated in the medium term. C: Critical information is disclosed; the disclosure affects the Institution, and the impact can be compensated in the medium term. D: Critical information is disclosed; the disclosure affects the Institution, and the impact cannot be compensated, or can only be compensated in the long term.)
9. Integrity: How is the Institution affected if the INTEGRITY of the information asset is damaged? (A: Critical information is not changed out of control; uncontrolled change of information below the critical level does not affect the Institution, or affects it very little. B: Critical information is not changed out of control; uncontrolled change of information below the critical level affects the Institution; the effect is moderate and can be compensated in the long term. C: Critical information is changed out of control; the change affects the Institution, and the effect can be compensated in the medium term. D: Critical information is changed out of control; the change affects the Institution; the effect cannot be compensated, or can only be compensated in the long term.)
10. Availability: How is the Institution affected if the AVAILABILITY (accessibility, usability) of the information asset is damaged? (A: Critical information remains accessible; loss of access to information below the critical level does not affect the Institution, or affects it very little (an outage of 1 week or more can be tolerated). B: Critical information remains accessible; loss of access to information below the critical level affects the Institution, and the impact can be compensated in the medium term (1 to 5 days). C: Critical information cannot be accessed; the loss of access affects the Institution, and the effect can be compensated in the medium term (an outage of 3 to 6 hours can be tolerated). D: Critical information cannot be accessed; the loss of access affects the Institution; the effect cannot be compensated, or can only be compensated in the long term (an outage of 0 to 3 hours can be tolerated).)
From the results of this survey, the sensitivity and criticality levels of the information can be determined. The confidentiality of data can be classified into three or four categories, depending on the institution's request: Unclassified, Service-Specific, Confidential and Top Secret (the last category is optional). The sensitivity level is derived from two of the survey questions, question 8 (Confidentiality) and question 3 (risk of disclosure); according to the answers given to them, the information is classified into three categories as follows:
- Unclassified: (Confidentiality = A & Risk of Disclosure = No Risk)
- Service-Specific: (Confidentiality = A & Risk of Disclosure = Risky), (Confidentiality = B & Risk of Disclosure = No Risk), (Confidentiality = B & Risk of Disclosure = Risky)
- Confidential: (Confidentiality = C & Risk of Disclosure = Risky), (Confidentiality = C & Risk of Disclosure = Very Risky), (Confidentiality = D & Risk of Disclosure = Very Risky)
Classification according to criticality uses three categories: L1 (Level 1, high), L2 (Level 2, intermediate) and L3 (Level 3, low). The criticality level is derived from the answers to questions 2, 4, 8, 9 and 10 of the survey (Unauthorized Access, Data Loss Impact, Confidentiality, Integrity and Availability); Data Loss Impact is given with the answer labels of question 4. Each line below is one combination of answers that produces the level:
- L3 (Low):
(Unauthorized Access = Low & Data Loss Impact = None, Less & Integrity = A & Availability = A, B & Confidentiality = A, B, C, D)
(Unauthorized Access = Low & Data Loss Impact = None, Less & Integrity = B & Availability = A, B, C & Confidentiality = A, B, C)
(Unauthorized Access = Medium & Data Loss Impact = None, Less & Integrity = B & Availability = A, B, C & Confidentiality = A, B, C)
- L2 (Moderate):
(Unauthorized Access = High & Data Loss Impact = Most & Integrity = B & Availability = B, C, D & Confidentiality = A, B, C, D)
(Unauthorized Access = Medium & Data Loss Impact = Most & Integrity = C & Availability = B, C, D & Confidentiality = A, B, C, D)
(Unauthorized Access = High & Data Loss Impact = Medium & Integrity = B, C & Availability = B, C & Confidentiality = A, B, C, D)
(Unauthorized Access = Medium & Data Loss Impact = Medium & Integrity = B, C & Availability = B, C, D & Confidentiality = A, B, C, D)
(Unauthorized Access = Low & Data Loss Impact = Less, Medium & Integrity = B & Availability = D & Confidentiality = A, B, C, D)
- L1 (High):
(Unauthorized Access = High & Data Loss Impact = Most & Integrity = C, D & Availability = A, B, C, D & Confidentiality = B, C, D)
(Unauthorized Access = High & Data Loss Impact = Medium & Integrity = D & Availability = A, B, C, D & Confidentiality = B, C, D)
(Unauthorized Access = Medium & Data Loss Impact = Most & Integrity = C, D & Availability = C, D & Confidentiality = B, C, D)
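The sensitivity and criticality rule tables above, encoded as data and applied to a survey response, as an added example that is not part of the original article. It assumes that when several criticality rules match one response (the tables overlap, for instance for Medium unauthorized access, Most data loss and Integrity C) the highest level wins, and that a combination no rule covers is flagged for manual rating; the answer labels follow questions 2, 3, 4 and 8 to 10.

```python
from itertools import product

# Added example, not from the original article: the survey rules as data.
# Q8 confidentiality answer x Q3 disclosure-risk answer -> sensitivity level.
SENSITIVITY_RULES = {
    ("A", "No Risk"): "Unclassified",
    ("A", "Risky"): "Service-Specific", ("B", "No Risk"): "Service-Specific",
    ("B", "Risky"): "Service-Specific",
    ("C", "Risky"): "Confidential", ("C", "Very Risky"): "Confidential",
    ("D", "Very Risky"): "Confidential",
}
# Criticality rules: (level, Q2 unauthorized-access impact, Q4 data-loss impact,
# Q9 integrity, Q10 availability, Q8 confidentiality); each field is the set of
# answers the rule accepts. L1 is the highest level, L3 the lowest.
CRITICALITY_RULES = [
    ("L3", {"Low"}, {"None", "Less"}, {"A"}, {"A", "B"}, set("ABCD")),
    ("L3", {"Low"}, {"None", "Less"}, {"B"}, set("ABC"), set("ABC")),
    ("L3", {"Medium"}, {"None", "Less"}, {"B"}, set("ABC"), set("ABC")),
    ("L2", {"High"}, {"Most"}, {"B"}, set("BCD"), set("ABCD")),
    ("L2", {"Medium"}, {"Most"}, {"C"}, set("BCD"), set("ABCD")),
    ("L2", {"High"}, {"Medium"}, {"B", "C"}, {"B", "C"}, set("ABCD")),
    ("L2", {"Medium"}, {"Medium"}, {"B", "C"}, set("BCD"), set("ABCD")),
    ("L2", {"Low"}, {"Less", "Medium"}, {"B"}, {"D"}, set("ABCD")),
    ("L1", {"High"}, {"Most"}, {"C", "D"}, set("ABCD"), set("BCD")),
    ("L1", {"High"}, {"Medium"}, {"D"}, set("ABCD"), set("BCD")),
    ("L1", {"Medium"}, {"Most"}, {"C", "D"}, {"C", "D"}, set("BCD")),
]
RANK = {"L1": 3, "L2": 2, "L3": 1}
# Answer domains of Q2, Q4, Q9, Q10 and Q8, in rule-field order.
DOMAINS = (["Low", "Medium", "High"], ["None", "Less", "Medium", "Most"],
           "ABCD", "ABCD", "ABCD")

def classify_sensitivity(confidentiality, disclosure_risk):
    """Sensitivity level, or None when the survey rules do not cover the pair."""
    return SENSITIVITY_RULES.get((confidentiality, disclosure_risk))

def classify_criticality(q2, q4, q9, q10, q8):
    """Criticality level for one survey response. The rule sets overlap, so when
    several rules match the highest (most conservative) level is assumed to win;
    a combination no rule covers returns None and must be rated manually."""
    answers = (q2, q4, q9, q10, q8)
    matched = [level for level, *fields in CRITICALITY_RULES
               if all(a in allowed for a, allowed in zip(answers, fields))]
    return max(matched, key=RANK.get) if matched else None

def uncovered_combinations():
    """Every answer combination that none of the criticality rules classifies."""
    return [c for c in product(*DOMAINS) if classify_criticality(*c) is None]
```

Running `uncovered_combinations()` before rolling the survey out shows which answer combinations the rule tables leave unrated, so the gaps can be closed or routed to a manual review step.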
Once the information in the institution has been classified, the data identified as sensitive and critical should be made available only to authorized persons and should be stored in masked form in test environments. Critical information should be backed up more frequently than other information, and backup tests should be performed regularly. In case of an access interruption, access to critical information should be restored within 3 to 6 hours. Critical information should also be kept up to date and stored on servers other than the one it belongs to.