2.1 Identify and Classify Information and Assets

Question 1

Who is in the best position to know the true Value of an asset?

Answer 1

The asset/data owner.

Question 2

What three organizational components should be put in place to address requirements to protect valuable assets?

Answer 2

Organizational Policies, Procedures, and Processes.

Question 3

As an assets value increases, what else should increase?

Answer 3

Effort invested to protect the asset.

Question 4

What does Asset Classification ensure?

Answer 4

That an asset receives appropriate levels of protection based on the assets value to the organization.

Question 5

After all assets have been identified, what should happen?

Answer 5

The owner should be identified for each Asset.

Question 6

Why must an asset owner be identified following asset identification?

Answer 6

Because Asset owners know the data best and can assign assets appropriate classification levels that determine how they will be protected.

Question 7

What four benefits does the Information Classification Process provide?

2 Identifications, 2 Commitments

Answer 7

Identifies Critical Information that is critical for business success | Identifies assets that must only be modified in specifically authorized ways | Commits to protect valuable assets by creating awareness amoung users that the assets should be protected from unauthorized access | Helps ensure a commitment to confidentiality.

Question 8

Why is “Data Classification” insufficient for an organization’s goals?

Answer 8

Data classficiation is narrow, rather “Asset classification” encompasses all valued assets belonging to an organization. Progressive organizations realize assets can be tangible or nontangible and require appropriate protections in each case.

Question 9

What is an Asset?

Answer 9

Anything that represents value, either quantitative or qualitative, to an organization.

Question 10

How is the CIA triad reprsented in Asset Classification?

Answer 10

In the Asset Classification, Confidentiality can be referred to as sensitivity, Integrity as accuracy and meaningfulness, and Availability as criticality.

Question 11

How many Classifications should an Asset Undergo?

Answer 11

Three: Sensitivity, Accuracy, and Criticality (SAC).

Question 12

For Asset Classification to be successful, who must drive classification?

Answer 12

Data Owners.

Question 13

What common risk occurs during Asset Classfication? What inversely happens when calculating asset protection costs?

Answer 13

Data owners overprioritize their assets. Though when it comes to assigning protections to the high-importance assets, owners often under classify them.

Question 14

How can the risk of overprioritizing and under-classification be resolved during the Asset Classfication Process?

Answer 14

Rather then assign data owners to classify assets, construct an asset classification committee or working group. This group should be compromised of qualified representitives from different areas of the organization. In turn, this makes the classification process more objective, rather then subjective.

Question 15

What can an organization do to ensure Asset Classification becomes Subjective and inconsistent over time?

Answer 15

Ensure that there are consistent processes to classify assets. | Such as a scoring system used by owners to understand the real value the asset represents.

Question 16

If an organization or owner creates an Asset Classification process, such as a scoring system, who should review this process?

Answer 16

The Asset Classification Committee or Committee board.

Question 17

TRUE or FALSE:
Asset Classifciation drives Archiving and Retention requirements.

Answer 17

TRUE

Question 18

What may dictate that an Asset be retained over a determined period of time, even if not in use by the organization?

Answer 18

Laws, Regulations, Industry standards, Privacy requirements, company policies, and related guidances focused on retention.

Question 19

What is the Asset Classficiation Process in Order?

Answer 19

Asset Inventory (Identification) -> Determine and Assign Ownership -> Classify based on Value -> Protect and Handle Based on Classification -> Assess and Review

Question 20

Name several actions that can occur that requires the asset classfication process to be ongoing.

Answer 20

Assets values change (Due to age, legal, regulatory, or compliance needs), Assets are added/removed, owners come and go, laws change, etc.

Question 21

How does Classification and Categorization Differ?

Answer 21

Classification is a system of classes set up by an organization to different asset values and, therefore, protection levels. [Creating classes to categorize assets, such as Top-Secret, Secret, Public, is classification]| Categorization is that act of assigning a classification level to an asset. [Assigning an asset the classification level of ‘Top-Secret’ is Categorization]

Question 22

Name some Classification Examples

Answer 22

Top secret, secret, confidential, sensitive but unclassified, and unclassified. | Financially Sensitive | Company Restricted | Proprietary | Trade Secret | Personally Identifiable Information (PII)

Question 23

TRUE or FALSE:
Classification levels shared between organizations typically assign similar values to categorized assets.

Answer 23

False. | Classification levels, such as ‘Secret’, can be similar across organzations, thogh the value they assign to an asset is often unique to each organization. This is why it’s important for the security function to educate owners and organization eployees on the value of each classification level.

Question 24

What is Security Labeling in Asset Classfication?

Answer 24

The means of adding a system-readable object that states the association between an asset and classification to ensure proper security controls are implemented that support business functions. | Such as Metadata, Barcodes, QR Codes, RFID Tags, GPS Tags, etc.

Question 25

What is Security Markings in Asset Classfication?

Answer 25

Security Marking is the means of adding a human-readable object that states the association between an asset and classification to ensure proper security controls are implemented that support business functions. | Such as Top-Secret sticker listing instructions to handle the document

Question 26

Answer the Following:
Labeling intends to be readable by what/who?
Labeling associates security attributes of subjects and objects that are represented by what?
Labeling enables what kind of enforcement?

Answer 26

System Readable | Internal Data Structures | System-based

Question 27

Answer the Following:
Marking intends to be readable by what/who?
Marking associates security attributes with objects in what form?
Marking enables what kind of enforcement?

Answer 27

Human Readable | Human Readable Form | Process-Bassed

Question 28

When applying security labeling, what must be considered? Give an example of the best lable for grocery store items vs warehouse.

Answer 28

Cost-Effectiveness of Security Label. | Grocery stores can use cheap Barcodes for Items, whereas warehouses may use RFID chips to track items without needed to manually scan each one.

Question 29

Why might someone use a QR code rather than a barcode for security labeling?

Answer 29

To store a large amount of information regarding the labled asset, not just simple ID numbers.