The numbers for each class are included in the previous posts, as are the descriptors. The three system classes are:
- Financial Systems Databases,
- User Management Systems (including Active Directory domain servers),
- Key Critical System (this is the system with the highest loss or damage value for the organisation).
By the way, 50% on the CIS "level 1" benchmarks is generally a fail to most security people. This is a system that will only survive because it sits behind a firewall. On the Internet, it would last hours. I would have used at least 80% on level 1, but I have seen only three organisations that have met this level. So making this the baseline would just produce a line of zeros.
Financial Systems Databases
Working for an audit firm, these are the systems that are generally of most concern. These are the systems that hold user data, client data, confidential trade secrets, personally identifiable information on staff and the finances of the organisation.
In Australia, it is a criminal offence not to protect an employee's tax file number. I would point the reader to: http://www.privacy.gov.au/act/tfn/ and the guidelines at http://www.privacy.gov.au/publications/tfngls.pdf.
Forgetting even the provisions of the Corporations Act and the requirements to protect and ensure the integrity of financial data, "Unauthorised use or disclosure of tax file numbers is also an offence under the Taxation Administration Act 1953 with a penalty of up to $10,000 fine, two years imprisonment, or both". The Privacy Commissioner has the power to conduct audits on TFN recipients pursuant to section 28(1)(e) of the Act. What a pity more do not occur.
The Commissioner notes that "tax file number information handling procedures and safeguards should anticipate all reasonably foreseeable risks to security."
With Basel II, the financial sector has cleaned up its act in the last couple of years. It is a shame about the rest. Shareholders should be hitting retail with a barrage of requests for explanations. In one case, a firm I audited was losing over $1,500,000 due to fraud across the POS system alone. This does not even count the fact that identity theft was (and is) likely occurring. The fix - about $200,000 to $300,000 as a project taking 12 months. The issue being that it would pay for itself in months.
Why did this project NOT occur (or at least only in a highly cut-down version that is not effective and that will not comply with PCI-DSS)? Because this would mean disclosure to shareholders. Something I believe is legally required.
User Management Systems (including Active Directory domain servers)
In this class I have included domain controllers, Active Directory systems and the like.
Again, there is a move towards improvement in some sectors, but it is by no means good.
Key Critical System (this is the system with the highest loss or damage value for the organisation).
This is THE system that the organisation needs the most. This is the system that they have defined as their core system. In a newspaper firm, this is the system that runs the press and which, if it were to crash, would result in no papers in the morning. In the case of a stock exchange, this is the trading platform.
This gives an idea of how bad things really are.
Go Retail! Forget PCI. Forget the criminal provisions; all these get in the way of losing money! If you want to ensure that you do not have your credit card stolen, use cash - forget giving it to a store.