Classification and Roles (Lecture 5) Flashcards

1
Q

What is Data Classification?

A

Classification or categorisation is the primary means by which data is protected based on its need for secrecy, sensitivity or confidentiality

Ineffective to treat all data the same way

Securing everything at low security means sensitive data is easily accessible, and securing everything at high security is too expensive

2
Q

What can data classification be used for?

A

Determine how much effort, money and resources are allocated to protect the data and control access to it

3
Q

Data Classification organises items, objects and subjects into groups or categories based on what similarities?

A
Value
Cost
Sensitivity
Risk
Vulnerability
Privilege
Levels of loss or damage
Need to know
4
Q

What are the benefits of using a data classification scheme?

A

Demonstrates an organisation’s commitment to protecting valuable resources

Assists in identifying assets that are most critical

Gives credence to the selection of protection mechanisms

Required for regulatory compliance or legal restrictions

Defines access levels, types of authorised users and parameters for declassification

Aids in data life-cycle management

5
Q

When is a classification label assigned to data?

A

Once it is evaluated; the label is then either added to the data object or assigned automatically when the data is placed into a storage mechanism or behind a security protection mechanism

6
Q

List steps for a classification scheme (7)

A

Identify custodian and define their responsibilities

Specify the evaluation criteria and how data will be classified and labelled

Classify and label each resource

Document any exceptions to classification policy

Select security controls that will be applied to each classification level to provide necessary level of protection

Specify procedures for declassifying resources and procedures for transferring custody to external entity

Create enterprise-wide awareness program to instruct all personnel about the system

7
Q

When is declassification required and what happens if it fails to be implemented?

A

Required once an asset no longer warrants or needs the protection of its currently assigned classification

Failure means security resources wasted and value of protection for higher level info is degraded

8
Q

List and briefly explain UK Government classification scheme

A

Official - majority of information processed by public sector. Includes routine operations and services.

Secret - Very sensitive information that justifies heightened protection measures where compromise could seriously damage military capabilities, international relations or affect Serious Organised Crime (SOC)

Top Secret - Highest level, most sensitive information requiring highest level of protection where compromise could cause widespread loss of life or threaten security or economic wellbeing of country

9
Q

List levels of commercial classification schemes

A

Public
Sensitive
Private/confidential

10
Q

Explain commercial classification levels

A

Confidential (sometimes proprietary) - Highest level, used for data extremely sensitive for internal use only. Significant negative impact could occur if disclosed

Private - used for data of a private or personal nature intended for internal use only. Significant negative impact if disclosed (GDPR)

Sensitive - More classified than public - Negative impact can occur if disclosed

Public - Lowest level - Used for all data which doesn’t fit in other categories. Disclosure does not have serious negative impact

11
Q

Define Ownership

A

Formal assignment of responsibility to an individual or group

A company document can define owners but cannot enforce ownership

12
Q

What is a security role?

A

A part an individual plays in the overall scheme of security implementation and administration within an organisation

13
Q

Describe Senior manager security role and responsibility

A

Assigned to the person who is ultimately responsible for the security maintained by an organisation and who should be most concerned about protection of assets

Signs off all policy issues

Endorsement of the security policy indicates accepted ownership of the implemented security

14
Q

Describe Security Professional security role and responsibility

A

InfoSec officer or Computer Incident Response Team (CIRT) role assigned to a trained network, systems and security engineer who is responsible for following directives mandated by senior management

Functional responsibility for security, including writing security policy and implementing it

15
Q

Describe Data Owner security role and responsibilities

A

Assigned to the person who is responsible for classifying information for placement and protection within the security solution

Typically high level manager ultimately responsible for data protection

Data Owner usually delegates responsibility of the actual data management tasks to a data custodian

16
Q

Describe Data Custodian security role and responsibilities

A

Assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management

Perform all activities necessary to provide adequate protection for the CIA Triad of data

Includes performing and testing backups, validating data integrity, deploying security solutions

17
Q

Describe User/operator security role and responsibilities

A

User role assigned to any person who has access to the secured system

Access tied to work tasks and limited to just enough access to perform duties (principle of least privilege)

Responsible for understanding and upholding security policy by following operational procedures within defined security parameters

18
Q

Describe Auditor security role and responsibilities

A

Responsible for reviewing and verifying that the security policy is properly implemented and security solutions adequate

May be assigned to a security professional or trained user

Produce compliance and effectiveness reports reviewed by senior managers

19
Q

Name 3 security control frameworks

A

COBIT (Control Objectives for Information and Related Technology)

OSSTMM (Open Source Security Testing Methodology Manual)

ITIL (Information Technology Infrastructure Library)

20
Q

What is the International Organisation for Standardisation (ISO)?

A

Designed to be used by organisations that intend to select controls within process of implementing an Information Security Management System, implement commonly accepted IS controls and develop own security management guidelines ISO/IEC 27001

ISO/IEC 27002:2013 gives guidelines for organisational IS standards and management practices including selection and management of controls

21
Q

List requirements or specifications of ISO/IEC 27001

A

Specifies generic ISMS requirements suitable for any type of organisation

Senior management must demonstrate leadership and commitment to ISMS, mandate policy and assign IS roles

Adequate, competent resources must be assigned, awareness raised, documentation controlled

Address findings in reviews and audits

22
Q

How many controls/clauses are there for ISO/IEC 27001?

A

114 controls in 14 clauses and 35 control categories

23
Q

Name 2 control categories and how many controls they have in them

A

Physical and environmental security (15 controls)

Cryptography (2 controls)

24
Q

What is Due Care?

A

Using reasonable care to protect the interests of an organisation

25
Q

What is Due Diligence?

A

Practicing the activities that maintain the due care effort

26
Q

What is a security policy?

A

A document that defines the scope of security needed by the organisation and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection