- Basic Security Principles
- Data Management: Determine and Maintain Ownership
- Data Standards
- Data Security, Protection, Sharing, and Dissemination
- Classifying Information and Supporting Assets
- Asset Management and Governance
- Determine Data Security Controls
- Laws, Standards, Mandates and Resources
- Exam Prep Questions
- Answers to Exam Prep Questions
- Need to Know More?
Classifying Information and Supporting Assets
Organizational information that is proprietary or confidential in nature must be protected. Data classification is a useful way to rank an organization’s informational assets. A well-planned data classification system makes it easy to store and access data. It also makes it easier for users of data to understand its importance. As an example, if an organization has a clean desk policy and mandates that company documents, memos, and electronic media not be left on desks, it can change people’s attitudes about the value of that information. However, whatever data classification system is used, it should be simple enough that all employees can understand it and execute it properly. Two common data classification plans are discussed next.
The two most common data-classification schemes are military and public. Organizations store and process so much electronic information about their customers and employees that it’s critical for them to take appropriate precautions to protect this information. The responsibility for the classification of data lies with the data owner. Both military and private data classification systems accomplish this task by placing information into categories and applying labels to data and clearances to people that access the data.
The first step of this process is to assess the value of the information. When the value is known, it becomes much easier to decide the amount of resources that should be used to protect the data. It would make no sense to spend more on protecting something with a lesser value. By using this system, not all data is treated equally; data that requires more protection gets it, and funds are not wasted protecting data that does not need it.
Each level of classification established should have specific requirements and procedures. The military and commercial data-classification models have predefined labels and levels. When an organization decides which model to use, it can evaluate data placement by using criteria such as the following:
Laws pertaining to data
Regulations pertaining to disclosure
Regardless of which model is used, the following questions will help determine the proper placement of the information:
Who owns the asset or data?
Who controls access rights and privileges?
Who approves access rights and privileges?
What level of access is granted to the asset or data?
Who currently has access to the asset or data?
Classification of data requires several steps:
Identify the data custodian.
Determine the criteria used for data classification.
Task the owner with classifying and labeling the information.
Identify any exceptions to the data classification policy.
Determine security controls to be applied to protect each category of information.
Specify sunset policy or end of life policy and detail in a step-by-step manner how data will be reclassified or declassified. Reviews specifying rentention and end of life should occur at specific periods of time.
Develop awareness program.
Military Data Classification
The military data-classification system is mandatory within the U.S. Department of Defense. This system has five levels of classification:
Top Secret—Grave damage if exposed.
Secret—Serious damage if exposed.
Confidential—Disclosure could cause damage.
Sensitive but Unclassified or Restricted—Disclosure should be avoided.
Unclassified or Official—If released, no damage should result.
Each classification represents a level of sensitivity. Sensitivity is the desired degree of secrecy that the information should maintain. If you hold a confidential clearance, it means that you could access unclassified, sensitive, or confidential information for which you have a need to know. Your need to know would not extend to the secret or top secret levels. The concept of need-to-know is similar to the principle of least privilege in that employees should have access only to information that they need to know to complete their assigned duties.
Public/Private Data Classification
The public or commercial data classification is also built on a four-level model:
Confidential—This is the highest level of sensitivity and disclosure could cause extreme damage to the organization.
Private—This information is for organization use only and its disclosure would damage the organization.
Sensitive—This information requires a greater level of protection to prevent loss of confidentiality.
Public—This information might not need to be disclosed, but if it is, it shouldn’t cause any damage.
Table 2.1 provides details about the military and public/private data-classification models.
TABLE 2.1 Commercial and Military Data Classifications
Commercial Business Classifications