Classification and Restriction of Information in Company X
Karikoski, Riku (2020)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2020052714287
Abstract
Information security is an important part of everyday life for individuals and businesses. Information itself can be physical, electronic or even immaterial, such as an individual’s knowledge. For companies it is crucial to make sure that the information and knowledge shared within the company stay within the company, and that is where information classification and restriction play a part. The background for this thesis was the need for the case company (titled Company X) to have a unified, written policy document for information classification and availability restriction. Information classification refers to who gets to view what information, whereas availability restriction refers to what information can be given out and under what circumstances. The main goal was to create general suggestions for creating such a policy, rather than to create the policy itself. For this purpose, two research questions were posed: what the policy should be like and what the current status of the policy within the company is.
The research methods selected were an interview with the CSO/Vice President of the company and a questionnaire directed at the employees of the company. The results provided many key points to focus on in the development of the policy, such as defining the life cycle of information within the company, combining all existing policy guidelines under one document, and making the policy easy to comprehend and find when needed. During the questionnaire it also became apparent that the general knowledge of the policy within the company was rather poor.
Several conclusions were drawn and turned into suggestions to improve the policy. The policy follows the Katakri criteria, and to create a new document for the policy it was suggested that all current information be reviewed and possibly updated. Another theme was the need to create a system to track the copying of information within the company. The other themes suggested for development were to improve the company employees' knowledge of the policy and to include proper definitions and a quick reference section in the document.