Organizational Processes

  • Goal - to ensure that any change does not lead to reduced or compromised security

  • Purpose - make all changes subject to detailed documentation and auditing

  • Change control process goals / requirements

    • Changes are always controlled

    • Testing process to verify results

    • All changes can be reversed

    • Users are informed before changes occur

    • Effects of changes are analyzed

    • Negative impact of changes is minimized

    • Changes are reviewed and approved by Change Advisory Board (CAB)

Data Classification

  • Primary means by which data is protected based on need for secrecy, sensitivity and confidentiality

  • Classification criteria of data

    • Usefulness

    • Timeliness

    • Value or cost

    • Maturity or age

    • Lifetime (when it expires)

    • Association with personnel

    • Data disclosure damage assessment

    • Data modification damage assessment

    • National security implications

    • Authorized access

    • Restriction from data

    • Maintenance and monitoring

    • Storage of data

  • Seven steps to implement a classification scheme

    1. Identify the custodian and define their responsibilities

    2. Specify the evaluation criteria of how the information will be classified and labeled

    3. Classify and label each resource (this step is done by the owner, but a supervisor should review it)

    4. Document any exceptions to the classification policy and integrate them into the evaluation criteria

    5. Select the security controls that will be used for each classification level to provide the correct level of protection

    6. Specify the procedures to declassify resources and the procedures for transferring custody of a resource to an external party

    7. Create an organization-wide awareness program to instruct all personnel about the classification system

Data Classification Schemes

  • Government / Military classification

    • Top Secret

      • Highest level of classification

      • Disclosure would cause grave damage to national security

      • Handled on a need-to-know basis

    • Secret

      • Data of a restricted nature

      • Disclosure would cause critical damage to national security

    • Confidential

      • Used for data of a sensitive, proprietary, or highly valuable nature

      • Disclosure would cause serious damage to national security

      • Used for all data between secret and sensitive but unclassified

    • Sensitive but unclassified

      • Used for data that is for internal use or for office use only

      • Used to protect information that could violate the privacy rights of individuals

    • Unclassified

      • Data that is neither sensitive nor classified

      • Disclosure does not compromise confidentiality or cause any noticeable damage

  • Acronym: US Can Stop Terrorism

    • Unclassified

    • Sensitive but unclassified

    • Confidential

    • Secret

    • Top Secret

  • Commercial business / private sector classification

    • Confidential

      • Highest level of classification

      • Extremely sensitive and for internal use only

      • Disclosure would cause significant negative impact

      • Drastic effects on the competitive edge of an organization

    • Private

      • Data that is of a private or personal nature and intended for internal use only

    • Sensitive

      • Data that is more classified than public data

    • Public

      • Lowest level of classification

      • Data that does not fit in one of the higher classifications

  • Difference between confidential and private

    • They require the same level of protection

    • Confidential data is company data

    • Private data is related to individuals

  • Ownership

    • Formal assignment of responsibility to an individual or group

    • Extra security governance must be implemented to provide enforcement of ownership in the physical world
