Information Classification
Information classification gives an organization a way to address its most significant risks by affording each category of information the appropriate level of protection.
It prevents unauthorized disclosure (loss of confidentiality) and helps identify sensitive and vital information (supports CIA).
Classification criteria: value, age and useful life (information is declassified once it is no longer useful), and personal association (data that contains personal information should remain classified).
Events that can trigger distribution of classified information: court order, government contracts, senior-level approval.
Benefits: demonstrates due diligence, identifies the most sensitive information, supports regulatory compliance (high-level benefit: shows a commitment to security).
Lattice model: every subject (user) and object (resource) is assigned a class from a partially ordered set that forms a lattice (any two classes have a least upper bound and a greatest lower bound). A subject may read an object only if the subject's class dominates the object's class, i.e. is the same or higher.
Bell-LaPadula Model (the basis of the Orange Book / TCSEC): the most common confidentiality model. Each subject is assigned a clearance (level of access or privilege); each object is assigned a sensitivity level (security classification). Simple security property: read access only to objects at the same or lower level (no read up). *-property: write access only to objects at the same or higher level (no write down). Strong *-property: read/write only at the same level. Enforced as MAC.
In addition the subject must have a need-to-know: a "secret" clearance does not grant access to all "secret" data, only to the "secret" data the subject has a need-to-know for (in a lattice this is expressed as categories or compartments attached to the level).
Benefits at the corporate level:
- CIA are improved, because appropriate controls are applied to each classification
- Protection mechanisms are implemented where they are needed most (less costly than protecting everything at the highest level)
- Better quality of decisions, because they are made on trusted data
- A process exists to review data classifications on a periodic basis
- Costs are mostly front-end start-up costs; ongoing cost is low
Success factors and program steps:
- Executive sponsor (the key success factor), risk analysis matrix
- Policy
- Business impact analysis
- Establishing the classification scheme
- Defining roles and responsibilities
- Identifying owners
- Classifying information and applications
- Ongoing monitoring
Policy - the essential tool. It defines data as an asset of the corporation that must be protected, and classified based on its value, sensitivity, risk of loss or compromise, and legal and retention requirements. Information must first be recognized and treated as an asset of the company before effort can be spent protecting it.
Data Management Policy: definitions for each classification; security criteria for each classification (covering both software and data); roles and responsibilities for each group of individuals.
Access control cost question: how much is it going to cost to NOT protect the valuable information?
Roles:
Owner - may be an executive or manager; holds final corporate responsibility for protecting the data, assigns the classification level, reviews the classification level periodically, and delegates day-to-day protection of the data to the custodian.
Custodian - day-to-day responsibility, generally IT: performs regular backups and tests recovery, performs restoration when required, maintains records in accordance with the classification policy.
End User - anyone who routinely uses the data as part of their job: must follow operating procedures, exercise due care to protect the data, and use company computing resources for company purposes only.
Procedures:
Identify administrator/custodian
Specify classification criteria
Classify by owner
Specify exceptions to classification policy
Specify controls for each classification level
Specify procedures for declassifying or transferring custody
Enterprise awareness program
Source: Shon Harris, CISSP All-in-One Exam Guide, Third Edition. McGraw-Hill Osborne Media, September 15, 2005, p. 48.