
Chapter 7 DXP Information Security

[Figure 7-1. Information security policy process. Stages: Information Ownership Identification, Information Classification, Security Policy Definition]

Information Ownership Identification

The first step is to create an inventory of the enterprise applications and prioritize them from a security standpoint. For each of the identified applications, identify or assign the information owners. Information owners have full responsibility for creating or identifying the information assets (such as content, documents, images, and videos) and categorizing them based on the sensitivity of the information.

During this stage we also define the security categories. For instance, we could define three security categories: public, private, and confidential. The security categories are identified based on their impact. Loss or leakage of public data causes only minor impact, whereas leakage or loss of confidential data leads to huge financial loss and damages reputation. All personal data, such as credit scores, date of birth, and education status, should be placed in the "private" category.

Information Classification

Once all information assets are identified, they should be categorized into the predefined security categories. Each information asset is added to one of these security categories. The information owner is responsible for identifying the most appropriate security category for the information asset. The security SLAs for each of the security categories are also defined.

Building Digital Experience Platforms - Page 219