Organizational Processes
Goal - to ensure that any change does not lead to reduced or compromised security
Purpose - make all changes subject to detailed documentation and auditing
Change control process goals / requirements
Changes are always controlled
Testing process to verify results
All changes can be reversed
Users are informed before changes occur
Effects of changes are analyzed
Negative impact of changes is minimized
Changes are reviewed and approved by Change Advisory Board (CAB)
Data Classification
Primary means by which data is protected based on need for secrecy, sensitivity and confidentiality
Classification criteria of data
Usefulness
Timeliness
Value or cost
Maturity or age
Lifetime (when it expires)
Association with personnel
Data disclosure damage assessment
Data modification damage assessment
National security implications
Authorized access
Restriction from data
Maintenance and monitoring
Storage of data
Seven steps to implement a classification scheme
Identify the custodian and define their responsibilities
Specify the evaluation criteria of how the information will be classified and labeled
Classify and label each resource (this step is done by the owner, but a supervisor should review it.)
Document any exceptions to the classification policy and integrate them into the evaluation criteria
Select the security controls that will be used for each classification level to provide the correct level of protection
Specify the procedures to declassify resources and procedure for transferring custody of a resource to an external party
Create an organization wide awareness program to instruct all personnel about the classification system.
Data Classification Schemes
Government / Military classification
Top Secret
Highest level of classification
Disclosure would cause grave damage to national security
Handled on a need-to-know basis
Secret
Data of a restricted nature
Disclosure would cause critical damage to national security
Confidential
Used for data of a sensitive, proprietary, or highly valuable nature
Disclosure would cause serious damage to national security
Used for all data between secret and sensitive but unclassified
Sensitive but unclassified
Used for data that is for internal use or for office use only
Used to protect information that could violate the privacy rights of individuals
Unclassified
Data that is neither sensitive nor classified
Does not compromise confidentiality or cause any noticeable damage.
Acronym: US Can Stop Terrorism
Unclassified
Secret
Confidential
Secret
Top Secret
Commercial business / private sector classification
Confidential
Highest level of classification
Extremely sensitive and for internal use only
Disclosure would cause significant negative impact
Drastic effects on the competitive edge of an organization
Private
Data that is of a private or personal nature and intended for internal use only
Sensitive
Data that is more classified than public data
Public
Lowest level of classification
Data that does not fit in one of the higher classifications
Difference confidential vs private
They require same level of protection
Confidential data is company data
Private data is related to individuals
Ownership
formal assignment of responsibility to an individual or group
Extra security governance must be implemented to provide enforcement of ownership in the physical world
Last updated