信息安全策略之三：Information Sensitivity Policy

摘要：此为国外某大型企业的信息安全策略规范，涉及企业信息安全的各方面，共数十个策略，我将陆续翻译整理出来。这是第三篇：信息敏感性策略。 

欢迎转载，但请注明出处及译者。请不要用于商业用途。

原文：

Information Sensitivity Policy

1.0    Purpose

The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company Name> without proper authorization.

 

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

       

All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect <Company Name> Confidential information (e.g., <Company Name> Confidential information should not be left unattended in conference rooms).

 

Please Note: The impact of these guidelines on daily activity should be minimal.

 

Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to Infosec.

       

2.0    Scope

All <Company Name> information is categorized into two main classifications:

·         <Company Name> Public

·         <Company Name> Confidential

 

<Company Name> Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to <Company Name> Systems, Inc.

 

<Company Name> Confidential contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as trade secrets, development programs, potential acquisition targets, and other information integral to the success of our company. Also included in <Company Name> Confidential is information that is less critical, such as telephone directories, general corporate information, personnel information, etc., which does not require as stringent a degree of protection.

 

A subset of <Company Name> Confidential information is "<Company Name> Third Party Confidential" information. This is confidential information belonging or pertaining to another corporation which has been entrusted to <Company Name> by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier / vendor into <Company Name>'s network to support our operations.

 

<Company Name> personnel are encouraged to use common sense judgment in securing <Company Name> Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager

      

3.0    Policy

The Sensitivity Guidelines below provides details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as <Company Name> Confidential information in each column may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the <Company Name> Confidential information in question.

       

3.1     Minimal Sensitivity: General corporate information; some personnel and technical information

 

Marking guidelines for information in hardcopy or electronic form.

 

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential".

 

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "<Company Name> Confidential" may be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include "<Company Name> Proprietary" or similar labels at the discretion of your individual business unit or department. Even if no marking is present, <Company Name> information is presumed to be "<Company Name> Confidential" unless expressly determined to be <Company Name> Public information by a <Company Name> employee with authority to do so.

 

Access:  <Company Name> employees, contractors, people with a business need to know.

Distribution within <Company Name>:  Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of <Company Name> internal mail:  U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.

Electronic distribution:  No restrictions except that it be sent to only approved recipients.

Storage:  Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction:  Deposit outdated paper information in specially marked disposal bins on <Company Name> premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

3.2     More Sensitive: Business, financial, technical, and most personnel information

 

Marking guidelines for information in hardcopy or electronic form.

 

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential". As the sensitivity level of the information increases, you may, in addition or instead of marking the information "<Company Name> Confidential" or "<Company Name> Proprietary", wish to label the information "<Company Name> Internal Use Only" or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.

 

Access:  <Company Name> employees and non-employees with signed non-disclosure agreements who have a business need to know.

Distribution within <Company Name>:  Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of <Company Name> internal mail:  Sent via U.S. mail or approved private carriers.

Electronic distribution:  No restrictions to approved recipients within <Company Name>, but should be encrypted or sent via a private link to approved recipients outside of <Company Name> premises.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction:  In specially marked disposal bins on <Company Name> premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

            

3.3     Most Sensitive: Trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of our company

 

Marking guidelines for information in hardcopy or electronic form.

 

Note: any of these markings may be used with the additional annotation of "3rd Party Confidential". To indicate that <Company Name> Confidential information is very sensitive, you may should label the information "<Company Name> Internal: Registered and Restricted", "<Company Name> Eyes Only", "<Company Name> Confidential" or similar labels at the discretion of your individual business unit or department. Once again, this type of <Company Name> Confidential information need not be marked, but users should be aware that this information is very sensitive and be protected as such.

 

Access:  Only those individuals (<Company Name> employees and non-employees) designated with approved access and signed non-disclosure agreements.

Distribution within <Company Name>:  Delivered direct - signature required, envelopes stamped confidential, or approved electronic file transmission methods.

Distribution outside of <Company Name> internal mail:  Delivered direct; signature required; approved private carriers.

Electronic distribution:  No restrictions to approved recipients within <Company Name>, but it is highly recommended that all information be strongly encrypted.

Storage:  Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.

Disposal/Destruction:  Strongly Encouraged: In specially marked disposal bins on <Company Name> premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure:  Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

 

4.0    Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

 

5.0    Definitions

Terms and Definitions

 

Appropriate measures

To minimize risk to <Company Name> from an outside business connection. <Company Name> computer use by competitors and unauthorized personnel must be restricted so that, in the event of an attempt to access <Company Name> corporate information, the amount of information at risk is minimized.

 

Configuration of <Company Name>-to-other business connections

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

           

Delivered Direct; Signature Required

Do not leave in interoffice mail slot, call the mail room for special pick-up of mail.

           

Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

            

Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and stamp it confidential.

           

Approved Electronic Mail

Includes all mail systems supported by the IT Support Team. These include, but are not necessarily limited to, [insert corporate supported mailers here…]. If you have a business need to use other mailers contact the appropriate support organization.

           

Approved Encrypted email and files

Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms. PGP use within <Company Name> is done via a license. Please contact the appropriate support organization if you require a license.

           

Company Information System Resources

Company Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.

           

Expunge

To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, supplied as a part of Norton Utilities. Otherwise, the PC or Mac's normal erasure routine keeps the data intact until overwritten. The same thing happens on UNIX machines, but data is much more difficult to retrieve on UNIX systems.

           

Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On UNIX machines, this is accomplished by careful use of the chmod command (use man chmod to find out more about it). On Mac’s and PC's, this includes using passwords on screensavers, such as Disklock.            

Insecure Internet Links

Insecure Internet Links are all network links that originate from a locale or travel over lines that are not totally under the control of <Company Name>.

           

Encryption

Secure <Company Name> Sensitive information in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Follow corporate guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.

           

One Time Password Authentication

One Time Password Authentication on Internet connections is accomplished by using a one time password token to connect to <Company Name>'s internal network over the Internet. Contact your support organization for more information on how to set this up.

           

Physical Security

Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

                       

Private Link

A Private Link is an electronic communications path that <Company Name> has control over it's entire distance. For example, all <Company Name> networks are connected via a private link. A computer with modem connected via a standard land line (not cell phone) to another computer have established a private link. ISDN lines to employee's  homes is a private link. <Company Name> also has established private links to other companies, so that all email correspondence can be sent in a more secure manner. Companies which <Company Name> has established private links include all announced acquisitions and some short-term temporary links

                      

6.0    Revision History

 

译文：

信息敏感性策略

1.0 目的

信息安全策略是为了帮助员工明确哪些信息可以告诉其他人，而哪些敏感信息如果没有适当授权的话不能泄露给企业之外的人员。

这些规程适用于任何介质中存储和共享的信息，它们包括但不仅限于：电子信息、纸质信息、语言或影像信息（如电话或会议视频）。

所有员工都应该熟悉这里所介绍的信息分类和处理规程。应当了解规程中的敏感性级别定义，并着重理解应采取的适当步骤，以保护企业的机密性信息。

请注意：这些规程对于日常活动的影响应控制到最小。

如果对于具体信息的适当分级有问题的话，请向你的经理咨询。如果对于本策略中的规程有问题的话，请咨询信息安全部门。

2.0 范围

       企业中的所有信息可大致分为两类：

n         公开的

n         机密的

       企业公开信息指那些由正式授权的人宣布为公开知识的信息，并且可以自由透露给任何人而不会对企业系统造成破坏。

       企业机密信息包括除公开信息之外的所有信息。机密信息是有差异的，在其中有些信息会比其他信息更敏感，因此也需要更加安全的措施进行保护。绝密信息（included）指那些需要被严密保护的信息，例如商业机密、开发计划、潜在收购目标、以及其他与企业成败密切相关的信息。而秘密信息指重要程度较低的信息，如电话目录、普通的公司信息、个人信息等，它们不需要非常严密的保护措施。

       企业机密信息中的一个子集是第三方机密信息。这些信息指企业委托的其他机构的机密性信息，这种委托关系是通过非泄露协议或其他契约来实现的。此类信息的例子包括与其他厂商的合作项目中的所有信息、客户订单、以及供应商信息等。

       鼓励企业员工运用一些共识性判断来适度的保护企业机密性信息。如果员工对于具体信息的敏感程度不能确定，应向他们的经理咨询。

3.0 策略

       下列的敏感性规程详细阐述了如何保护不同敏感性级别的信息。这些规程仅作为参考，在实际应用中可能会采取更严格或更宽松的保护措施，这依赖于实际情况和机密信息的性质。

3.1  最小敏感性：普通的公司信息；一些个人和技术信息。

       信息的标记规程可通过复印或电子的形式。

       注意：所有这些标记都可能被用作第三方机密的附加注释。

       标记由信息的所有者或保管者来确定。如果需要作标记，则在信息的显著位置可能需要标注有“企业机密”的字样。其他可能被使用的标记字样包括“企业所有”或其它类似标记，这由各自的业务部门来决定。即使没有作标记，除非是已经被正式授权人员明确宣称为公开信息，否则所有信息都被认为是机密的。

       访问：企业员工、承包人、需要了解的业务合作者。

       企业内分发：通过被认可的电子邮件或电子文件传输方式在部门间分发。

       企业内部邮件的对外分发：美国邮政（U.S. mail）或其它公共/专用的邮政服务，被认可的电子邮件和电子文件传输方式。

       电子分发：除了收件人是被认可的之外，没有其他限制。

       存储：不要被未授权人员看到；擦掉写字板上的信息；不要将信息遗忘在桌面上；机器需要安全管理；防止丢失；如果有条件的话，电子信息需要相应的个体访问控制。

       清除/销毁：不用的纸质信息应在企业中标有特殊标记的处理机柜中进行销毁；电子数据应被删除/清空；介质应被安全消磁或物理销毁。

       对于故意或无意的信息泄露的处罚：包括终止合同，直至追究民事/刑事法律责任。

3.2  高敏感性：业务、财政、技术、以及重要的人员信息。

       信息的标记规程可通过复印或电子的形式。

       注意：所有这些标记都可能被用作第三方机密的附加注释。随着信息敏感程度的增加，可能除了“企业机密”或“企业所有”的标记字样外，还需要增加或替代为其他标记以表示信息的高敏感程度，如“企业内部专用”或其他类似字样，这将由各自的业务部门来确定。不过是否作标记是自由决定的。

       访问：企业员工和需要了解该信息的签署有非泄露协议的业务合作者。

       企业内分发：通过被认可的电子邮件或电子文件传输方式在部门间分发。

       企业内部邮件的对外分发：通过美国邮政（U.S. mail）或被认可的专用邮政服务。

       电子分发：对于企业内部分发，除了收件人是被认可的之外，没有其他限制。如果分发给外部的被认可收件人，则需要通过加密或专用链接的方式传输。

       存储：强烈建议对于电子信息应用个体访问控制机制。

       清除/销毁：使用企业中标有特殊标记的处理机柜；电子数据应被删除/清空；介质应被安全消磁或物理销毁。

       对于故意或无意的信息泄露的处罚：包括终止合同，直至追究民事/刑事法律责任。

3.3  最高敏感性：商业机密，市场运作机密，其他与企业成败密切相关的人员、财政、源代码、及技术信息。

       信息的标记规程可通过复印或电子的形式。

       注意：所有这些标记都可能被用作第三方机密的附加注释。为了标明信息是非常敏感的，可能需要标记“企业内部专用：已注册并受限”、“企业绝密”、“企业专用”等类似字样，这将由各自的业务部门来确定。同样，这些信息机密性标记并不是必须的，但用户一定要了解此类信息是非常敏感的，并且需要采取相应的保护措施。

       访问：被企业授权访问并签署非泄露协议的员工和其他人员。

       企业内分发：直接递交-要求签名，有机密性邮戳的信封，或被认可的电子文件传输方式。

       企业内部邮件的对外分发：直接递交-要求签名，或被认可的专用邮政服务。

       电子分发：只限企业内部，除了收件人是被认可的之外，没有其他限制。强烈建议使用高强度的加密技术对所有信息加密。

       存储：强烈建议对于电子信息应用个体访问控制机制。信息应被存储在物理上安全的计算机中。

       清除/销毁：强烈建议：使用企业中标有特殊标记的处理机柜；电子数据应被删除/清空；介质应被安全消磁或物理销毁。

对于故意或无意的信息泄露的处罚：包括终止合同，直至追究民事/刑事法律责任。

4.0 执行

所有违反此策略的员工都会面临纪律处分，直至中止雇佣合同。

5.0 定义

术语和定义

 

Appropriate measures 适当措施

使企业面临的外部业务连接的风险最小化。必须限制竞争对手和未授权人员对于企业计算机的使用，从而减少对于企业信息的非法访问，使信息风险最小化。

 

Configuration of <Company Name>-to-other business connections    企业到其它组织业务连接的配置

建立的连接应只允许其他组织看到需要了解的信息。这需要对应用程序和网络进行合理的配置，使得只允许访问必要的内容。

 

Approved Electronic File Transmission Methods     被认可的电子文件传输方式

包括FTP客户端和WEB浏览器。

 

Envelopes Stamped Confidential              机密性邮戳的信封

不需要使用特殊的信封。将信件放入办公信封内，贴好封条并填好地址，然后盖上机密性邮戳。

 

Approved Electronic Mail    认可的电子邮件

包括由IT部门所支持的所有邮件系统。如果有业务需要其他邮件系统，请与相关支持部门联系。

 

Approved Encrypted email and files  认可的加密邮件和文件

包括使用DES加密和PGP技术。DES加密可应用于各种操作平台的许多公共领域。PGP通过授权许可在企业内使用。如果需要授权许可，请与相关支持部门联系。

 

Company Information System Resources       企业信息系统资源

企业信息系统资源包括但不仅限于：所有的计算机、数据和程序，所有的纸质信息，和等于及高于“内部专用”级别的所有信息。

 

Expunge        删除

要安全的删除PC或Mac上的数据，必须使用相应工具进行数据覆盖，Norton公司提供这种产品。否则，使用PC或Mac的普通删除并不能真正清除数据。UNIX机器的情况是类似的，但是在UNIX系统中数据更难被恢复。

 

Individual Access Controls 个体访问控制

个体访问控制能够保护信息，使信息除被所有者指定的人员外，不会被其他人访问。在UNIX系统中，可通过使用chmod命令来实现个体访问控制（键入man chmod 可以获得更多信息），在PC机或Mac机上可以通过有口令的屏幕保护程序如Disklock来实现。

 

Insecure Internet Links     不安全的Internet连接

不安全的Internet连接指企业无法完全控制的所有网络连接。

 

Encryption     加密

应遵照可接受加密策略保护企业敏感性信息的安全。国际间关于加密方面的问题相当复杂。应遵守企业关于密码系统出口控制的相关规定，并咨询你的经理和/或公司法律服务人员以得到更多的信息。

 

One Time Password Authentication  一次性口令认证

Internet连接上的一次性口令认证是通过使用一次性口令令牌来实现的，它可以使用户通过Internet连接到企业内部网。请咨询相关支持部门以获得如何安装和使用的更多信息。

 

Physical Security  物理安全

物理安全意味着计算机应时刻保持被使用状态，在无人使用时应将其锁定到某个位置使其无法移动。实现方式包括在使用计算机时需要用特定的钥匙开启机器，这样可以保障不会只凭借简单的重启机器就绕过一些防范措施。如果是膝上电脑或其他便携式电脑，不要将其遗忘在会议室、旅馆房间、飞机座位上等。在住旅馆时，要将电脑安全的锁住或随身携带。在办公室要一直使用电脑锁。如果要离开办公室几天，需要将便携式电脑和其它所有敏感性设备安全的锁在抽屉或柜子中。

 

Private Link  专用链接

专用链接是一条能够被全程控制的电子传输路径。例如，所有的企业网络都是通过专用链接实现互联的。一台计算机通过标准地线（非蜂窝电话）使用modem连接到其它计算机，这就创建了一条专用链接。连接到员工家中的ISDN线路是一条专用链接。企业也与其它组织建立了专用链接，这样所有的相关邮件就可以通过更加安全的方式进行传输。与企业建立专用链接的组织包括所有已宣布的并购公司和一些短期的临时合作伙伴。

6.0 修订历史