AIFC Security: Impact of Unauthorized Disclosure

Questions and Answers

What is the recommended approach to sharing Restricted information with third parties?

Only share it with colleagues who have business need

Get secure approval from the information owner (correct)

Use the Confidential label instead

Share it with anyone who asks

What should you do if you're unsure about sharing Restricted information?

Check with the information owner for approval

Always choose the Confidential label (correct)

Share it with a large distribution group

Store it in a shared folder

What is the main difference between Restricted and Confidential information?

Restricted information is only for internal use

Restricted information requires a contract and/or NDA

Confidential information is more sensitive (correct)

Confidential information can be shared with anyone

What should you avoid when handling Confidential information?

Sharing it with shared accounts or large distribution groups

What is the purpose of discretionary restrictions on printing, copying, editing and forwarding?

To control the spread of sensitive information

When can you share Confidential information with third parties?

With the information owner's approval and a contract and/or NDA

What is the most severe consequence of unauthorized disclosure of AIFC Body information?

Long-lasting reputational damage

What is the primary purpose of document password protection?

To encrypt documents

What is the result of a significant adverse impact to the AIFC Body due to unauthorized disclosure?

Major financial and legal damage

What is the purpose of the 'Encrypt Only' email option?

To encrypt email

What is the consequence of a major adverse impact to the AIFC Body due to unauthorized disclosure?

Long-lasting reputational damage

What is the purpose of labeling documents as 'Restricted'?

To prevent unauthorized access

What is the consequence of limited adverse impact to the AIFC Body due to unauthorized disclosure?

Temporary loss in confidence from stakeholders

What is the purpose of the 'Do Not Forward' email option?

To prevent email forwarding

What type of information can be released for public consumption?

Information on the Internet from reputable sources

Which of the following is an example of Confidential information?

HR personal data

Who can access information labeled as 'Authorized'?

Colleagues and trusted third parties

What is an example of information that is not considered Unrestricted or Confidential?

IT diagrams

What type of information is considered sensitive?

HR personal data

Which of the following is an example of an Internal document?

Intranet pages

Who can access information on the AIFC Body's public website?

Anyone

What is the purpose of confidentiality agreements?

To protect sensitive information

Study Notes

Unauthorized Disclosure Impacts

• Unauthorized disclosure can have no adverse impact, limited adverse impact, significant adverse impact, or major adverse impact on the AIFC Body and/or AIFC ecosystem.
• Significant adverse impact may lead to significant financial and/or legal liabilities, temporary loss of confidence from stakeholders, and temporary reputational damage.
• Major adverse impact may lead to major financial and/or legal damage, loss of confidence from stakeholders, and long-lasting reputational damage.

Classification and Protection Tools

• Classification labels include Unencrypted, Document Password Protection, and Email Options (Encrypt Only, Do Not Forward).
• Purpose of classification includes persistently marking and classifying documents and emails, encrypting documents, and encrypting email and preventing email attachment forwarding.

Information Classification Levels

• Classification levels include Unrestricted, Restricted, and Confidential.
• Unrestricted information is public information available from reputable sources (e.g., BBC, press releases, marketing announcements, public websites).
• Restricted information is business information that is not Unrestricted and not Confidential, and can be shared with trusted third parties with secure approval of the information owner.
• Confidential information includes HR data (e.g., personal data, employment contracts), strategic plans, salaries, staff appraisals, background checks, KYC reports, audit reports, financial records, litigation files, attorney work product, legal advice, procurement plans, supplier due diligence details, IPs, and corporate security weakness.

Information Sharing and Controls

• Authorized recipients for information include anyone for Unrestricted information, colleagues and trusted third parties for Restricted information, and colleagues and trusted third parties with approval of the information owner for Confidential information.
• Controls include discretionary restrictions on printing, copying, editing, and forwarding.

Description

This quiz assesses the impact of unauthorized disclosure on the AIFC Body and its ecosystem. It evaluates the level of adverse impact, from limited to major, and the consequences of such breaches.