ABSTRACT
Different industries and different systems have dissimilar information protection requirements. For example, healthcare organizations might stress the confidentiality of patient records, whereas banking might be more concerned about the integrity of monetary transactions. The project team needs to understand and capture what adequate protection of information means in their specific context. Organizations with information or data classification policies are at an advantage here because the team can more conveniently identify the type of information that is processed as well as the organization's requirements around how the information is to be protected. Once the types of information are identified, protection requirements should be further organized into areas such as storage and exchange, authentication, and access control. Requirements should be based not only on the classification of the data (e.g., internal use, highly confidential) but also on the way in which data is accessed (e.g., via the Internet, remotely via leased lines, or from inside the organization), the type of user (e.g., educated employees, public users), and the way in which access is managed (e.g., rule-based, role-based).