Classification and Roles (Lecture 5) Flashcards
What is Data Classification?
Classification or categorisation is the primary means by which data is protected based on its need for secrecy, sensitivity or confidentiality
Ineffective to treat all data the same way
Securing everything at low security means sensitive data is easily accessible, and securing everything at high security is too expensive
What can data classification be used for?
Determine how much effort, money and resources are allocated to protect the data and control access to it
Data Classification organises items, objects and subjects into groups or categories based on what similarities?
Value
Cost
Sensitivity
Risk
Vulnerability
Privilege
Levels of loss or damage
Need to know
What are the benefits of using a data classification scheme?
Demonstrates an organisation’s commitment to protecting valuable resources
Assists in identifying assets that are most critical
Gives credence to the selection of protection mechanisms
Required for regulatory compliance or legal restrictions
Defines access levels, types of authorised users and parameters for declassification
Aids in data life-cycle management
When is a classification label assigned to data?
Once it is evaluated; the label is then either added to the data object, or it occurs automatically when data is placed into a storage mechanism or behind a security protection mechanism
List steps for a classification scheme (7)
Identify custodian and define their responsibilities
Specify the evaluation criteria and how data will be classified and labelled
Classify and label each resource
Document any exceptions to classification policy
Select security controls that will be applied to each classification level to provide necessary level of protection
Specify procedures for declassifying resources and procedures for transferring custody to external entity
Create enterprise-wide awareness program to instruct all personnel about the system
When is declassification required, and what happens if it fails to be implemented?
Required once an asset no longer warrants or needs the protection of its currently assigned classification
Failure means security resources wasted and value of protection for higher level info is degraded
List and briefly explain UK Government classification scheme
Official - majority of information processed by public sector. Includes routine operations and services.
Secret - Very sensitive information that justifies heightened protection measures where compromise could seriously damage military capabilities, international relations or affect Serious Organised Crime (SOC)
Top Secret - Highest level, most sensitive information requiring highest level of protection where compromise could cause widespread loss of life or threaten security or economic wellbeing of country
List levels of commercial classification schemes
Public
Sensitive
Private/confidential
Explain commercial classification levels
Confidential (sometimes proprietary) - Highest level, used for data that is extremely sensitive and for internal use only. Significant negative impact could occur if disclosed
Private - used for data of a private or personal nature intended for internal use only. Significant negative impact if disclosed (GDPR)
Sensitive - More classified than public - Negative impact can occur if disclosed
Public - Lowest level - Used for all data which doesn’t fit in other categories. Disclosure does not have serious negative impact
Define Ownership
Formal assignment of responsibility to an individual or group
A company document can define owners but can not enforce ownership
What is a security role?
A part an individual plays in the overall scheme of security implementation and administration within an organisation
Describe Senior manager security role and responsibility
Assigned to the person who is ultimately responsible for the security maintained by an organisation and who should be most concerned about protection of assets
Signs off all policy issues
Endorsement of the security policy indicates the accepted ownership of implemented security
Describe Security Professional security role and responsibility
InfoSec officer or Computer Incident Response Team (CIRT) role assigned to a trained network, systems and security engineer who is responsible for following directives mandated by senior management
Functional responsibility for security, including writing security policy and implementing it
Describe Data Owner security role and responsibilities
Assigned to the person who is responsible for classifying information for placement and protection within the security solution
Typically a high-level manager ultimately responsible for data protection
Data Owner usually delegates responsibility of the actual data management tasks to a data custodian
Describe Data Custodian security role and responsibilities
Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
Perform all activities necessary to provide adequate protection for the CIA Triad of data
Includes performing and testing backups, validating data integrity, deploying security solutions
Describe User/operator security role and responsibilities
User role assigned to any person who has access to the secured system
Access is tied to work tasks and limited to just enough access to perform duties (principle of least privilege)
Responsible for understanding and upholding security policy by following operational procedures within defined security parameters
Describe Auditor security role and responsibilities
Responsible for reviewing and verifying that the security policy is properly implemented and security solutions adequate
May be assigned to a security professional or trained user
Produce compliance and effectiveness reports reviewed by senior managers
Name 3 security control frameworks
COBIT (Control OBjectives for Information and related Technology)
OSSTMM (Open Source Security Testing Methodology Manual)
ITIL (Information Technology Infrastructure Library)
What is the International Organisation for Standardisation (ISO)?
Designed to be used by organisations that intend to select controls within the process of implementing an Information Security Management System (ISMS), implement commonly accepted IS controls, and develop their own security management guidelines (ISO/IEC 27001)
ISO/IEC 27002:2013 gives guidelines for organisational IS standards and management practices including selection and management of controls
List requirements or specifications of ISO/IEC 27001
Specifies generic ISMS requirements suitable for any type of organisation
Senior management must demonstrate leadership and commitment to ISMS, mandate policy and assign IS roles
Adequate, competent resources must be assigned, awareness raised, and documentation controlled
Address findings in reviews and audits
How many controls/clauses are there for ISO/IEC 27001?
114 controls in 14 clauses and 35 control categories
Name 2 control categories and how many controls they have in them
Physical and environmental security (15 controls)
Cryptography (2 controls)
What is Due Care?
Using reasonable care to protect the interests of an organisation
What is Due Diligence?
Practicing the activities that maintain the due care effort
What is a security policy?
A document that defines the scope of security needed by the organisation, discusses the assets that require protection, and the extent to which security solutions should go to provide the necessary protection