Sorry about coming into this discussion late in the day.
Let me see if I understand your requirements.
You want to ensure that your data has been appropriately classified
and if classified at a certain level you want the system to stop
anyone sending the data out of the environment.
If that is correct then you have a problem.
You need user intervention at every step of the process; that means
that all users need to be trained in security.
That means that your users will then know how to classify data
appropriately.
With that, when users send emails they must be prompted to classify
their emails; then you must have rules in the email system that will
deny or allow those classifications out to the internet. As a DSD rule,
the classification must appear in the subject and header of the email.
As stated above, you could consult DSD and ASIC documentation and use
them as guides on security best practices. Really, I don't think you'd
want to employ half their measures in private enterprise because they
are a little excessive in plan and implementation. If you want to
become a public servant then by all means follow them like it's the
one and only bible.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
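The gateway rule described in the post above (classification in both the subject and a header, consistent with each other, and only releasable levels allowed out to the internet), as an added example that is not part of the original message or of any SLUG project. The internal domain, the `X-Protective-Marking` header name, the `[SEC=...]` subject format, the set of releasable levels and the sample messages are all assumptions constructed for the example.

```python
import email
import email.utils
import re

# Constructed policy values; substitute your own classification scheme.
INTERNAL_DOMAIN = "corp.example"
RELEASABLE = {"UNOFFICIAL", "OFFICIAL"}      # levels that may leave the environment
MARKING_HEADER = "X-Protective-Marking"      # assumed header name
SUBJECT_MARK = re.compile(r"\[SEC=([^\]]+)\]")
HEADER_MARK = re.compile(r"\bSEC=([^,\r\n]+)")

def markings(msg):
    """Return (subject_marking, header_marking); None where a marking is absent."""
    s = SUBJECT_MARK.search(msg.get("Subject", ""))
    h = HEADER_MARK.search(msg.get(MARKING_HEADER, ""))
    return (s.group(1).strip() if s else None, h.group(1).strip() if h else None)

def has_external_recipient(msg):
    """True if any To/Cc/Bcc address is outside the internal domain."""
    pairs = email.utils.getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return any(addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN for _, addr in pairs)

def outbound_decision(raw):
    """Gateway rule for a raw RFC 5322 message: returns (allowed, reason)."""
    msg = email.message_from_string(raw)
    if not has_external_recipient(msg):
        return True, "internal delivery only"
    subj, hdr = markings(msg)
    if subj is None or hdr is None:
        return False, "missing classification in subject or header"
    if subj != hdr:                      # user or client tampered with one of them
        return False, f"subject marking {subj!r} != header marking {hdr!r}"
    if subj not in RELEASABLE:
        return False, f"{subj} may not leave the environment"
    return True, f"{subj} releasable"

# Constructed sample messages.
OK_MSG = ("From: a@corp.example\r\nTo: b@partner.example\r\n"
          "Subject: Minutes [SEC=OFFICIAL]\r\nX-Protective-Marking: SEC=OFFICIAL\r\n\r\nbody\r\n")
DENY_MSG = ("From: a@corp.example\r\nTo: b@partner.example\r\n"
            "Subject: Plans [SEC=PROTECTED]\r\nX-Protective-Marking: SEC=PROTECTED\r\n\r\nbody\r\n")
MISSING_MSG = "From: a@corp.example\r\nTo: b@partner.example\r\nSubject: Hi\r\n\r\nbody\r\n"
INTERNAL_MSG = "From: a@corp.example\r\nTo: c@corp.example\r\nSubject: Hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for name, raw in [("ok", OK_MSG), ("deny", DENY_MSG), ("missing", MISSING_MSG), ("internal", INTERNAL_MSG)]:
        print(name, outbound_decision(raw))
```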