Classification and Roles (Lecture 5) Flashcards
What is Data Classification?
Classification or categorisation is the primary means by which data is protected based on its need for secrecy, sensitivity or confidentiality
Ineffective to treat all data the same way
Securing everything at a low level leaves sensitive data easily accessible; securing everything at a high level is too expensive
What can data classification be used for?
Determine how much effort, money and resources are allocated to protect the data and control access to it
Data Classification organises items, objects and subjects into groups or categories based on what similarities?
Value
Cost
Sensitivity
Risk
Vulnerability
Privilege
Levels of loss or damage
Need to know
What are the benefits of using a data classification scheme?
Demonstrates an organisation’s commitment to protecting valuable resources
Assists in identifying assets that are most critical
Gives credence to the selection of protection mechanisms
Required for regulatory compliance or legal restrictions
Defines access levels, types of authorised users and parameters for declassification
Aids in data life-cycle management
When is a classification label assigned to data?
Once the data has been evaluated. The label is then either attached explicitly to the data object, or applied automatically when the data is placed into a storage mechanism or behind a security protection mechanism that carries its own label
List steps for a classification scheme (7)
Identify custodian and define their responsibilities
Specify the evaluation criteria and how data will be classified and labelled
Classify and label each resource
Document any exceptions to classification policy
Select security controls that will be applied to each classification level to provide necessary level of protection
Specify procedures for declassifying resources and procedures for transferring custody to external entity
Create enterprise-wide awareness program to instruct all personnel about the system
When is declassification required, and what happens if it is not carried out?
Required once an asset no longer warrants or needs the protection of its currently assigned classification
Failure to declassify wastes security resources on data that no longer needs them, and degrades the value of the protection given to information that genuinely remains at the higher level
List and briefly explain UK Government classification scheme
Official - majority of information processed by public sector. Includes routine operations and services.
Secret - Very sensitive information that justifies heightened protective measures, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime
Top Secret - Highest level, most sensitive information requiring highest level of protection where compromise could cause widespread loss of life or threaten security or economic wellbeing of country
List levels of commercial classification schemes
Confidential (sometimes called Proprietary)
Private
Sensitive
Public
Explain commercial classification levels
Confidential (sometimes proprietary)- Highest level, used for data extremely sensitive for internal use only. Significant negative impact could occur if disclosed
Private - used for data of a private or personal nature intended for internal use only. Significant negative impact if disclosed (GDPR)
Sensitive - One step above Public. Some negative impact could occur if disclosed
Public - Lowest level. Used for all data that does not fit another category. Disclosure would not cause serious negative impact
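The cards above describe the scheme in words: ordered levels, a label attached to each object (explicitly or automatically on placement in a labelled store), controls selected per level, and an owner-driven declassification step that is recorded. The following is an added toy model of those rules in Python; it is not code from the lecture. The level names follow the commercial scheme on this page, while the control sets, the owner/clearance/need-to-know fields and the sample subjects and objects are assumptions constructed for illustration.

```python
"""Toy model of a commercial data-classification scheme (added example).

Constructed for illustration: ordered labels, label-based read checks,
per-level controls, an audited owner-only declassification step, and a
labelled store that labels unlabelled data automatically.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Commercial levels ordered lowest to highest, so >= means 'dominates'."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Controls selected per level (assumed set, not from the lecture).
CONTROLS = {
    Level.PUBLIC: {"integrity-check"},
    Level.SENSITIVE: {"integrity-check", "authn"},
    Level.PRIVATE: {"integrity-check", "authn", "encrypt-at-rest", "access-log"},
    Level.CONFIDENTIAL: {"integrity-check", "authn", "encrypt-at-rest",
                         "access-log", "need-to-know"},
}


@dataclass
class Subject:
    name: str
    clearance: Level
    need_to_know: frozenset = frozenset()   # projects the subject is read into


@dataclass
class DataObject:
    name: str
    owner: str                              # data owner responsible for the label
    level: Optional[Level] = None           # None = not yet evaluated/labelled
    project: Optional[str] = None
    history: list = field(default_factory=list)   # label changes, for audit


class PolicyError(Exception):
    pass


def required_controls(obj: DataObject) -> set:
    """Controls that must be applied to an object, derived from its label."""
    if obj.level is None:
        raise PolicyError(f"{obj.name} is unlabelled; classify it first")
    return set(CONTROLS[obj.level])


def can_read(subject: Subject, obj: DataObject) -> bool:
    """Read allowed only if clearance dominates the label; CONFIDENTIAL data
    additionally requires need-to-know for its project. Unlabelled data is
    treated as CONFIDENTIAL so the check fails closed."""
    level = obj.level if obj.level is not None else Level.CONFIDENTIAL
    if subject.clearance < level:
        return False
    if level == Level.CONFIDENTIAL and obj.project not in subject.need_to_know:
        return False
    return True


def classify(obj: DataObject, level: Level, actor: str, reason: str) -> None:
    """Assign or raise a label. Only the data owner may do this; lowering a
    label must go through declassify() so it is separately controlled."""
    if actor != obj.owner:
        raise PolicyError(f"{actor} is not the owner of {obj.name}")
    if obj.level is not None and level < obj.level:
        raise PolicyError("use declassify() to lower a label")
    obj.history.append(("classify", obj.level, level, actor, reason))
    obj.level = level


def declassify(obj: DataObject, new_level: Level, actor: str, reason: str) -> None:
    """Lower a label once the data no longer warrants its protection:
    owner-only, must actually go down, and needs a recorded reason."""
    if actor != obj.owner:
        raise PolicyError(f"{actor} is not the owner of {obj.name}")
    if obj.level is None or new_level >= obj.level:
        raise PolicyError("declassify must lower an existing label")
    if not reason.strip():
        raise PolicyError("declassification requires a documented reason")
    obj.history.append(("declassify", obj.level, new_level, actor, reason))
    obj.level = new_level


class LabelledStore:
    """Storage mechanism carrying its own label: unlabelled data placed in it
    inherits that label automatically; data labelled above the store's level
    is refused because the store's controls are insufficient for it."""
    def __init__(self, name: str, level: Level):
        self.name, self.level, self.items = name, level, {}

    def put(self, obj: DataObject) -> Level:
        if obj.level is None:
            obj.level = self.level
            obj.history.append(("auto-label", None, self.level, self.name, "placed in store"))
        elif obj.level > self.level:
            raise PolicyError(f"{obj.name} ({obj.level.name}) cannot go in "
                              f"{self.name} ({self.level.name})")
        self.items[obj.name] = obj
        return obj.level


def demo() -> dict:
    """Constructed walk-through; returns results so they can be checked."""
    alice = Subject("alice", Level.CONFIDENTIAL, frozenset({"merger"}))
    bob = Subject("bob", Level.SENSITIVE)
    plan = DataObject("merger-plan.docx", owner="cfo", project="merger")
    classify(plan, Level.CONFIDENTIAL, "cfo", "board-level M&A material")
    out = {"alice_reads": can_read(alice, plan),
           "bob_reads": can_read(bob, plan),
           "controls": required_controls(plan)}
    # Deal announced: the owner declassifies to PUBLIC with a recorded reason.
    declassify(plan, Level.PUBLIC, "cfo", "deal publicly announced")
    out["bob_reads_after"] = can_read(bob, plan)
    out["history_len"] = len(plan.history)
    # Auto-labelling: an unlabelled note dropped into a PRIVATE store.
    hr_store = LabelledStore("hr-share", Level.PRIVATE)
    note = DataObject("salary-notes.txt", owner="hr-lead")
    out["auto_label"] = hr_store.put(note)
    return out
```

Two design points worth noting: unlabelled data is treated as the highest level, so a missing evaluation step never opens access, and lowering a label is a distinct, reason-bearing operation rather than a special case of classify(), which is what makes the declassification procedure auditable.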
Define Ownership
Formal assignment of responsibility to an individual or group
A company document can define owners but cannot enforce ownership
What is a security role?
A part an individual plays in the overall scheme of security implementation and administration within an organisation
Describe Senior manager security role and responsibility
Assigned to the person who is ultimately responsible for the security maintained by an organisation and who should be most concerned about protection of assets
Signs off all policy issues
Endorsement of the security policy indicates accepted ownership of the implemented security
Describe Security Professional security role and responsibility
The InfoSec officer or Computer Incident Response Team (CIRT) role, assigned to a trained network, systems and security engineer who is responsible for following the directives mandated by senior management
Functional responsibility for security, including writing security policy and implementing it
Describe Data Owner security role and responsibilities
Assigned to the person who is responsible for classifying information for placement and protection within the security solution
Typically a high-level manager who is ultimately responsible for the protection of the data
Data Owner usually delegates responsibility of the actual data management tasks to a data custodian