Wednesday, January 15, 2020

CISSP: Data Classification


Data Classification

  • Primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. 
  • To determine how much effort, money, and resources are allocated to protect the data and control access to it. 
  • To provide security mechanisms for storing, processing, and transferring data. 
  • Addresses how data is removed from a system and destroyed.
  • Process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. Similarities could include value, cost, sensitivity, risk, vulnerability, power, privilege, possible levels of loss or damage, or need to know.
  • Primary objective is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity.
The following are benefits of using a data classification scheme:
  • It demonstrates an organization’s commitment to protecting valuable resources and assets.
  • It assists in identifying those assets that are most critical or valuable to the organization.
  • It lends credence to the selection of protection mechanisms.
  • It is often required for regulatory compliance or legal restrictions.
  • It helps to define access levels, types of authorized uses, and parameters for declassification and/or destruction of resources that are no longer valuable.
  • It helps with data lifecycle management which in part is the storage length (retention), usage, and destruction of the data.
Data classification is based on
  • Usefulness/Timeliness/Value/Cost/Maturity/Age/Lifetime of the data
  • Association with personnel
  • Data disclosure damage assessment (how disclosure of data would affect the organization)
  • Data modification damage assessment (how modification of data would affect the organization)
  • National security implications of the data
  • Authorized access to the data (who has access to the data)
  • Restriction from the data (who is restricted from the data)
  • Maintenance and monitoring of the data (who should maintain and monitor the data)
  • Storage of the data
Phases/Steps to data classification
  1. Identify the custodian, and define their responsibilities.
  2. Specify the evaluation criteria of how the information will be classified and labeled.
  3. Classify and label each resource. (The owner conducts this step, but supervisor reviews it)
  4. Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
  5. Select the security controls that will be applied to each classification level to provide the necessary level of protection.
  6. Specify the procedures for declassifyingresources and the procedures for transferring custody of a resource to an external entity.
  7. Create an awareness program to instruct all personnel about the classification system.
Government/Military classification
  • Top secret highest level of classification. The unauthorized disclosure will have drastic effects and cause grave damage to national security. Top-secret data is compartmentalized on a need-to-know basis; a user could have top-secret clearance and have access to no data until the user has a need to know.
  • Secret is used for data of a restricted nature. The unauthorized disclosure will have significant effects and cause critical damage to national security.
  • Confidential is used for data of a sensitive, proprietary, or highly valuable nature. The unauthorized disclosure will have noticeable effects and cause serious damage to national security.
  • Sensitive But Unclassified (SBU) is used for data that is for internal use or for office use only (FOUO). Protects information that could violate the privacy rights of individuals.
  • Unclassified is used for data that is neither sensitive nor classified.
Private/Business Sector
  • Confidential This is used for data that is extremely sensitive and for internal use only. A significant negative impact could occur for a company if confidential data is disclosed. Sometimes labeled as proprietary. If proprietary data is disclosed, it can have drastic effects on the competitive edge of an organization.
  • Private is used for data that is of a private or personal nature and intended for internal use only. If disclosed a significant negative impact could occur for the company/individuals.
  • Sensitive is used for data that is more classified than public data. A negative impact could occur for the company if sensitive data is disclosed.
  • Public is the lowest level of classification. This is used for all data that does not fit in one of the higher classifications. Its disclosure does not have a serious negative impact on the organization.
Confidential and private data in a commercial business/private sector classification scheme both require roughly the same level of security protection. The real difference between the two labels is that confidential data is company data whereas private data is data related to individuals, such as medical data.


Reference
Mike Chapple. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide.
at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)