Classification and Roles (Lecture 5)

Question 1

What is Data Classification?

Answer 1

Classification or categorisation is the primary means by which data is protected based on its need for secrecy, sensitivity or confidentiality

Ineffective to treat all data the same way

Securing everything at low security means sensitive data easily accessible and securing everything high is too expensive

Question 2

What can data classification be used for?

Answer 2

Determine how much effort, money and resources are allocated to protect the data and control access to it

Question 3

Data Classification organises items, objects and subjects into groups or categories based on what similarities?

Answer 3

Value
Cost
Sensitivity
Risk
Vulnerability
Privilege
Levels of loss or damage
Need to know

Question 4

What are the benefits of using a data classification scheme?

Answer 4

Demonstrates an organisation’s commitment to protecting valuable resources

Assists in identifying assets that are most critical

Gives credence to the selection of protection mechanisms

Required for regulatory compliance or legal restrictions

Defines access levels, types of authorised users and parameters for declassification

Aids in date life-cycle management

Question 5

When is a classification label assigned to data?

Answer 5

Once it is evaluated and then label either added to the data object or it occurs automatically when data is placed into a storage mechanism or behind a security protection mechanism

Question 6

List steps for a classification scheme (7)

Answer 6

Identify custodian and define their responsibilities

Specify the evaluation criteria and how data will be classified and labelled

Classify and label each resource

Document any exceptions to classification policy

Select security controls that will be applied to each classification level to provide necessary level of protection

Specify procedures for declassifying resources and procedures for transferring custody to external entity

Create enterprise-wide awareness program to instruct all personnel about the system

Question 7

When is declassification required and what happens if this fails to be implemented

Answer 7

Required once an asset no longer warrants or needs the protection of its currently assigned classification

Failure means security resources wasted and value of protection for higher level info is degraded

Question 8

List and briefly explain UK Government classification scheme

Answer 8

Official - majority of information processed by public sector. Includes routine operations and services.

Secret - Very sensitive information that justifies heightened protection measures where compromise could seriously damage military capabilities, international relations or affect Serious Organised Crime (SOC)

Top Secret - Highest level, most sensitive information requiring highest level of protection where compromise could cause widespread loss of life or threaten security or economic wellbeing of country

Question 9

List levels of commercial classification schemes

Answer 9

Public
Sensitive
Private/confidential

Question 10

Explain commercial classification levels

Answer 10

Confidential (sometimes proprietary)- Highest level, used for data extremely sensitive for internal use only. Significant negative impact could occur if disclosed

Private - used for data of a private or personal nature intended for internal use only. Significant negative impact if disclosed (GDPR)

Sensitive - More classified than public - Negative impact can occur if disclosed

Public - Lowest level - Used for all data which doesn’t fit in other categories. Disclosure does not have serious negative impact

Question 11

Define Ownership

Answer 11

Formal assignment of responsibility to an individual or group

A company document can define owners but can not enforce ownership

Question 12

What is a security role?

Answer 12

A part an individual plays in the overall scheme of security implementation and administration within an organisation

Question 13

Describe Senior manager security role and responsibility

Answer 13

Assigned to the person who is ultimately responsible for the security maintained by an organisation and who should be most concerned about protection of assets

Signs off all policy issues

Endorsement of security policy indicated the accepted ownership of implemented security

Question 14

Describe Security Professional security role and responsibility

Answer 14

InfoSec officer or Computer Incident Response Team (CIRT) role assigned to a trained network, systems and security engineer who is responsible for following directives mandated by senior management

Functional responsibility for security, including writing security policy and implementing it

Question 15

Describe Data Owner security role and responsibilities

Answer 15

Assigned to the person who is responsible for classifying information for placement and protection within the security solution

Typically high level manager ultimately responsible for data protection

Data Owner usually delegates responsibility of the actual data management tasks to a data custodian

Question 16

Describe Data Custodian security role and responsibilities

Answer 16

Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management

Perform all activities necessary to provide adequate protection for the CIA Triad of data

Includes performing and testing backups, validating data integrity, deploying security solutions

Question 17

Describe User/operator security role and responsibilities

Answer 17

User role assigned to any person who has access to the secured system

Access tied to work tasks and limited to just enough access to perform duties (principle of least privilege

Responsible for understanding and upholding security policy by following operational procedures within defined security parameters

Question 18

Describe Auditor security role and responsibilities

Answer 18

Responsible for reviewing and verifying that the security policy is properly implemented and security solutions adequate

May be assigned to a security professional or trained user

Produce compliance and effectiveness reports reviewed by senior managers

Question 19

Name 3 security control frameworks

Answer 19

COBIT (Control OBjectives for Information and related Technology

OSSTMM (Open Source Security Testing Methodology Manuel)

ITIL (Information Technology Infrastructure Library)

Question 20

What is the International Organisation for Standardisation (ISO)

Answer 20

Designed to be used by organisations that intend to select controls within process of implementing an Information Security Management System, implement commonly accepted IS controls and develop own security management guidelines ISO/IEC 27001

ISO/IEC 27002:2013 gives guidelines for organisational IS standards and management practices including selection and management of controls

Question 21

List requirements or specifications of ISO/IEC 27001

Answer 21

Specifies generic ISMS requirements suitable for any type of organisation

Senior management must demonstrate leadership and commitment to ISMS, mandate policy and assign IS roles

Adequate, competent resources must be assigned, awareness raised , documentation controlled

Address findings in reviews and audits

Question 22

How many controls/clauses are there for ISO/IEC 27001?

Answer 22

114 controls in 14 clauses and 35 control categories

Question 23

Name 2 control categories and how many controls they have in them

Answer 23

Physical and environmental security (15 controls)

Cryptography (2 controls)

Question 24

What is Due Care?

Answer 24

Using reasonable care to protect the interests of an organisation

Question 25

What is Due Diligence?

Answer 25

Practicing the activities that maintain the due care effort

Question 26

What is a security policy?

Answer 26

A document that defines the scope of security needed by the organisation and discusses the assets that require protection and extend to which security solutions should go to provide necessary protection