Information KAGE is an information security framework which I proposed to establish high-level and simple guidelines for information protection. The framework offers, in part, a concept called Know Your Data, which we will explore.
As you may know, the US Patriot Act was partly established to require banks to implement Know Your Customer (KYC) programs for identifying customers and monitoring their transactions. The KAGE data security framework is conceptually not very different from KYC: it requires concerned parties to establish a data knowledge framework called Know Your Data (KYD) in order to protect information during the entire data lifecycle. Information KAGE requires that data be classified, located, protected, and monitored throughout the data lifecycle. That said, the data classification value must be assigned objectively in order to also meet external security requirements such as regulations and contractual agreements.
The KAGE framework proposes four high-level principles for data protection, each identified by a letter in the KAGE acronym. The acronym is proposed to help remember each principle of the framework.
Know Your Data (KYD) - When developing an information security strategy, professionals must first identify and Know what information they want to protect for their companies. Once data is identified, it must be classified and assigned risk ratings to determine how each data record should be protected. Afterwards, we must track down how target data is introduced into our environments, how it leaves the environment, what systems support the data flow, who should have access, how to protect it during transmission and storage, and when to retire it, in order to ensure data is protected at all times. The KYD process can be accomplished with a documented data flow diagram, which can be used to review, approve, and formally document the agreed-upon data flow. Each time the data flow is changed, the data flow diagram must be updated, reviewed, and approved again.
Articulate - Upon documentation of the information protection scope and strategy, management must Articulate their security scope and strategy to the appropriate parties. There are many ways that specific information can be conveyed to all appropriate parties effectively. Visit the Identity Management Institute website for communication resources.
Guide - Sometimes employees have a hard time understanding and interpreting the security requirements and their purpose, and therefore management must make an effort to Guide employees and help them understand what is expected of them to help the company better secure its confidential information. Targeted training and a strategy are necessary to make risk awareness and education effective. Visit the Identity Management Institute website for training resources.
Enforce - Following the creation and communication of all relevant information security documentation related to the scope and strategy of the security efforts, management must Enforce compliance with its security directives through continuous monitoring. Data must be monitored to make sure it is managed according to its classification and the data flow diagram.