Case
Energy sector - Security and data classification project
Many of our projects address critical and strategic issues for our customers who, therefore, choose to not disclose their name.
Environment
The client is specialized in the management, operation and maintenance of technical installations. It maintains customer installations under long-term contracts, usually signed for periods of at least 10 years. Following new guidelines from its parent company, the client was required to implement appropriate IT security controls, including a data classification system that maps data and the servers hosting it to several information classes according to their sensitivity. Data sensitivity is evaluated according to the risks inherent in a failure of confidentiality, integrity or availability.
Solution
Trasys helped the client establish the data classification. The IT systems were classified and security controls were recommended according to the sensitivity of the systems. Trasys provided the entire framework for the mission, including the methodology and a risk assessment approach based on business impact analysis. This deliberate choice was justified by the difficulty of accurately measuring the likelihood of the potential threats; data classification was therefore based on the possible impacts rather than on threat probability. The methodology used included, among others:
Selection of the most important business processes.
Documentation of these processes.
Business impact analysis of each process through interviews with the Business Process owners:
Inventory of the Information Systems supporting the process, including end-user tools.
Impact identification and measurement in case of failure of these Information Systems (each system considered separately).
Identification and documentation of business continuity plans
Measurement of residual impacts
Consolidation of residual impacts over all the processes and information systems
Definition of security frameworks (e.g. sets of security controls)
Classification of the information systems according to these security frameworks
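The impact-based steps above (per-system impact per process, reduction by a documented continuity plan, consolidation across processes, mapping to a security framework) as an added illustration; this is not Trasys's tooling, and the impact scale, framework names, systems and figures are constructed for the example.

```python
"""Added example: BIA-driven classification of information systems (constructed data)."""
from dataclasses import dataclass, field

# Constructed impact scale per dimension: 0 = none, 1 = low, 2 = medium, 3 = critical.
DIMENSIONS = ("C", "I", "A")  # confidentiality, integrity, availability

@dataclass(frozen=True)
class Assessment:
    process: str                  # business process covered in the owner interview
    system: str                   # information system supporting it (incl. end-user tools)
    impact: dict                  # raw impact of a failure of this system, per dimension
    bcp_reduction: dict = field(default_factory=dict)  # levels removed by a continuity plan

def residual_impact(a: Assessment) -> dict:
    """Residual impact = raw impact minus BCP mitigation, floored at 0 per dimension."""
    return {d: max(0, a.impact.get(d, 0) - a.bcp_reduction.get(d, 0)) for d in DIMENSIONS}

def consolidate(assessments) -> dict:
    """Per system, keep the highest residual impact seen over all processes it supports.
    Taking the maximum (not the average) keeps the worst case of a shared system visible."""
    consolidated = {}
    for a in assessments:
        residual = residual_impact(a)
        current = consolidated.setdefault(a.system, {d: 0 for d in DIMENSIONS})
        for d in DIMENSIONS:
            current[d] = max(current[d], residual[d])
    return consolidated

def classify(consolidated: dict) -> dict:
    """Map each system to a security framework (constructed names) by its worst dimension."""
    frameworks = {0: "baseline", 1: "baseline", 2: "enhanced", 3: "critical"}
    return {system: frameworks[max(levels.values())] for system, levels in consolidated.items()}

# Constructed sample: two processes rely on the same maintenance system, one also on spreadsheets.
SAMPLE = [
    Assessment("maintenance scheduling", "CMMS", {"C": 1, "I": 2, "A": 3}),
    Assessment("contract billing", "CMMS", {"C": 2, "I": 3, "A": 1}, {"I": 1}),
    Assessment("contract billing", "MS Excel sheets", {"C": 2, "I": 2, "A": 1}),
]

if __name__ == "__main__":
    for system, framework in classify(consolidate(SAMPLE)).items():
        print(f"{system}: {framework}")
```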
Benefits
Thanks to the methodology used, the client obtained complete and detailed documentation of its core business processes. In particular, the new documentation maps the information systems (including end-user tools such as MS Office) to the company's activities and describes the possible business impacts resulting from potential failures of confidentiality, integrity and availability.