Still got the old "G:\", "H:\" or other network shares?
Then it is worth considering the benefits of handling that data in Microsoft 365 with AIP, DLP and classification. The security gaps of an old file share are something you want to avoid. If the truth is to be told, most of these shares were created when the company bought its first server, perhaps on Windows NT or Windows Server 2003, and they are still alive today, with folders named "old" and a folder structure that is just as outdated.
How does classification work?
Using classification with Microsoft's security product AIP (Azure Information Protection), we have implemented our own framework for classifying data based on the GDPR and the ISO 27001 standard. For IT, this means applying the rules the business has set for how information is to be classified. Are you thinking "help, what a mountain, how do I get up there?" We can of course help you, but the most significant work lies with the business. If you are a technical decision-maker, things quickly go wrong when the requirements emerge from the technology instead of from the company. Therefore, let the company drive its requirements, and you, as CIO or CISO, only need to deliver what IT is responsible for in terms of systems and instructions. The requirements can of course be recorded in a database as well so that they are easily accessible, but we will cover that in another blog post.
How does Agdiwo work with security?
We use the following services; you can read more on our page about secure documents: https://www.agdiwo.se/sakerhet/
We store all documents exclusively in the cloud in Microsoft 365: files in the central structure are classified, and so are our emails and the data in each employee's personal OneDrive space. All of this is so that our employees and customers can be confident that the information we hold is secure and accurate.
How do I implement AIP in my organization?
Step #1 – Set goals, so you know where you want to be
What is your goal? It can be getting the structure more organized, helping your employees make better judgments, managing the risk in your data and information, or implementing a process for handling data. In 2020, even organizations with many advanced processes rarely manage their data as a process that tries to minimize the damage when data is lost. In this step, ask yourself why this is important for your organization, how your employees benefit, and how they can help each other make the process better. By doing this step right, you own both the process and the data.
Step #2 – Create a matrix for how to classify documents and what should happen to them.
A workshop or compliance audit with the business provides many answers to these questions.
- Confidentiality – Consequence
- Integrity – Consequence
- Availability – Consistency
Below you can find an example of files that have been reviewed and classified according to the organization's requirements, either automatically or through manual classification by the users themselves.
Step #3 – Reflect the requirements in the matrix against classification categories
Non-sensitive information that requires basic protection but has no known impact on the business or individuals if distributed.
Internal information that with low probability harms the business or individuals. Encrypted but accessible for all to see and edit.
Confidential information that is strategically important and can harm the business and individuals if it is compromised. All messages and files are encrypted, and you can choose whether the people who receive the link directly or everyone at the company should be able to read and edit the file or message.
Highly confidential information that could seriously harm the business and individuals if compromised. This information requires the highest level of protection, whether required by law, regulation, policy, agreement, or risk. Here, all levels are encrypted, and you can send it with only read permission for shorter periods.
Step #4 – Technical Implementation
Now that we have a framework and rules to relate to, we can set this up technically and demonstrate that the functions work as intended. Here we have set up our labels and also defined what should happen to each label and how we enforce that technically.
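The matrix from steps 2 and 3 and the technical enforcement from step 4 can be sketched in code. The following is an added example written for this post, not Agdiwo's implementation or Microsoft's AIP API: the four label names come from step 3, while the 0-3 consequence scale, the per-label protection settings, the "worst consequence wins" rule, the personal-identity-number detector and the downgrade-justification rule are all assumptions chosen to illustrate the idea.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Consequence(IntEnum):
    """Consequence scale used in the workshop matrix (assumed 0-3 scale)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The four categories from step 3, ordered from least to most sensitive.
LABELS = ("Non-sensitive", "Internal", "Confidential", "Highly confidential")


@dataclass(frozen=True)
class Protection:
    encrypt: bool
    audience: str                # who may open: "anyone", "organization" or "recipients"
    allow_edit: bool
    expires_days: Optional[int]  # read-only access expiry for short-lived sharing


# What each label means technically. Values are assumptions for this example,
# chosen to mirror the descriptions in step 3.
POLICY = {
    "Non-sensitive":       Protection(encrypt=False, audience="anyone",       allow_edit=True,  expires_days=None),
    "Internal":            Protection(encrypt=True,  audience="organization", allow_edit=True,  expires_days=None),
    "Confidential":        Protection(encrypt=True,  audience="recipients",   allow_edit=True,  expires_days=None),
    "Highly confidential": Protection(encrypt=True,  audience="recipients",   allow_edit=False, expires_days=7),
}

# Constructed detector for one GDPR-relevant data type: a Swedish personal
# identity number (YYMMDD-NNNN, optionally with century). A real deployment
# would use the platform's built-in sensitive information types; this regex is
# a stand-in for the example only.
PERSONNUMMER = re.compile(r"\b(?:19|20)?\d{6}[-+]?\d{4}\b")


def classify_by_matrix(confidentiality: Consequence, integrity: Consequence,
                       availability: Consequence) -> str:
    """Pick the label from the worst consequence across the CIA triad (assumed rule)."""
    worst = max(confidentiality, integrity, availability)
    return LABELS[int(worst)]


def auto_classify(content: str) -> Optional[str]:
    """Content-based minimum label; None when nothing sensitive is detected."""
    if PERSONNUMMER.search(content):
        return "Confidential"
    return None


def resolve_label(matrix_label: str, content: str, user_label: Optional[str] = None,
                  justification: Optional[str] = None) -> str:
    """Combine the matrix, automatic detection and the user's manual choice.

    The result never drops below the automatically detected minimum, and
    manually lowering the baseline label requires a written justification
    (an assumed policy setting for this example).
    """
    floor = auto_classify(content)
    candidates = [matrix_label] + ([floor] if floor else [])
    baseline = max(candidates, key=LABELS.index)
    if user_label is None:
        return baseline
    if user_label not in LABELS:
        raise ValueError(f"unknown label: {user_label}")
    if LABELS.index(user_label) < LABELS.index(baseline):
        if floor and LABELS.index(user_label) < LABELS.index(floor):
            raise PermissionError("cannot go below the automatically detected minimum")
        if not justification:
            raise PermissionError("downgrade requires a justification")
    return user_label


def protection_for(label: str) -> Protection:
    """Technical settings to apply for a resolved label (step 4)."""
    return POLICY[label]


if __name__ == "__main__":
    # Constructed sample: a customer note containing a personal identity number.
    doc = "Kund: Anna Andersson, 850312-1234, offert bifogad"
    matrix = classify_by_matrix(Consequence.LOW, Consequence.NONE, Consequence.NONE)
    label = resolve_label(matrix, doc)
    print(matrix, "->", label, protection_for(label))
```

The point of keeping the matrix, the content detector and the user's choice as separate functions is that each maps to a different owner: the business defines the consequence scale and the policy table, IT implements the detection and enforcement, and the user only chooses within the bounds those two set.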
Step #5 – Launch to the business
Roll this out to your business with care: install the necessary updates and agents as needed, and train your staff, customers, and suppliers thoroughly. Remember that it takes time and that the business needs to build the work into its services and processes.
Who takes the lead?
Both IT and the business can take the lead, but my recommendation is to draw up the project and determine what you want to achieve.
| Term | Description |
|---|---|
| Compliance Review | Compliance with rules and regulations. |
| Fileshare | File archiving using a central server solution. |
| GDPR | The General Data Protection Regulation (EU) applies throughout the EU and aims to create a uniform and equivalent level of personal data protection so that the free flow of data within Europe is not hindered. |
| ISO 27001 | An ISO/IEC standard for Information Security Management Systems (ISMS) regarding information security, published by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC). |
| Microsoft AIP | Microsoft Azure Information Protection is a cloud-based solution that enables organizations to classify and protect documents and emails using labels. |