- Defining Security Principles
- Security Management Planning
- Risk Management and Analysis
- Policies, Standards, Guidelines, and Procedures
- Examining Roles and Responsibility
- Management Responsibility
- Understanding Protection Mechanisms
- Classifying Data
- Employment Policies and Practices
- Managing Change Control
- Security Awareness Training
Understand the considerations and criteria for classifying data.
Throughout this chapter, we have discussed various aspects of protecting information assets. When we talk about risk analysis and management, we talk about the most cost-effective way of protecting the information asset. Part of setting the level of risk associated with data is placing it in a classification. After data is classified, a risk analysis can be used to set the most cost-effective ways of protecting that data from various attacks.
Classifying data is supposed to tell you how the data is to be protected. More sensitive data, such as human resources or customer information, can be classified in a way that shows that disclosure carries a higher risk. Less sensitive information, such as data used for marketing, would be classified at a lower risk. Data classified at a higher risk can create security and access requirements that do not exist for lower-risk data, which might not require much protection at all.
Classification of commercial or nongovernment organizations does not have a set standard. The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model.
There is no formula for creating the classification system; the system used is dependent on the data. Some organizations use two types of classification: confidential and public. For others, a higher granularity might be necessary. Table 3.4 contains a typical list of classifications that can be used for commercial organizations, from highest to lowest.
Table 3.4 COMMERCIAL DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST
Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed.
Data that might be less restrictive within the company but might cause damage if disclosed.
Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private.
Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product.
Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company.
Government classification of data is something created out of policy for maintaining national security or the privacy of citizen data. Military and intelligence organizations set their classifications on the ramifications of disclosure of the data. Civilian agencies also look to prevent unauthorized disclosure, but they also have to consider the integrity of the data.
Classifications for Sensitive Data
The classifications for the sensitivity of data used in government and military applications are top secret, secret, confidential, sensitive but unclassified, and unclassified.
The implementation of the classification is based on laws, policies, and executive directives that can be in conflict with each other. Agencies do their best to resolve these conflicts by altering the meaning of the standard classifications. Table 3.5 explains the types of classifications used by government civilian and military organizations.
Table 3.5 GOVERNMENT DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST
Disclosure of top secret data would cause severe damage to national security.
Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret.
Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data.
Sensitive But Unclassified (SBU)
SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. In Canada, the SBU classification is referred to as protected (A, B, C).
Unclassified is data that has no classification or is not sensitive.
After the classification scheme is identified, the organization must create the criteria for setting the classification. No set guidelines exist for setting the criteria, but some considerations are as follows:
Who should be able to access or maintain the data?
Which laws, regulations, directives, or liability might be required in protecting the data?
For government organizations, what would the effect on national security be if the data were disclosed?
For nongovernment organizations, what would the level of damage be if the data were disclosed or corrupted?
Where is the data to be stored?
What is the value or usefulness of the data?
Creating Procedures for Classifying Data
Using this information, your organization can create a procedure for classifying data. Government organizations already have this procedure defined. Nongovernment organizations have a lot of flexibility in setting the procedures that best suit their needs. Step By Step 3.2 is an example of a procedure your organization can use.
STEP BY STEP
3.2 Creating Data Classification Procedures
Set the criteria for classifying the data.
Determine the security controls that will be associated with the classification.
Identify the data owner who will set the classification of the data.
Document any exceptions that might be required for the security of this data.
Determine how the custody of the data can be transferred.
Create criteria for declassifying information.
Add this information to the security awareness and training programs so users can understand their responsibilities in handling data at various classifications.