Domain 2: Classifying Data Flashcards
Unauthorized disclosure could cause exceptionally grave damage to national security
Classification label
Top Secret
Unauthorized disclosure could cause serious damage to national security
Secret
Unauthorized disclosure could cause damage to national security
Confidential
A formal determination of whether a user can be trusted with a specific level of information
Clearance
A document approved by the data owner that outlines all the rules and requirements for accessing data, as well as the consequences should the data become lost, destroyed or compromised.
Formal Access Approval
Sensitive info should not persist beyond a certain period or legal requirement, as this needlessly exposes the data to threats of disclosure when in fact the data is no longer needed.
Retention
AKA senior management; creates the InfoSec program and ensures it is properly staffed and funded
Business or Mission Owners
- Manager who is ultimately responsible for the data of an organization, e.g. CEO, president, dept. head
- They determine data sensitivity labels and frequency of data backup
Data Owners
- Manager responsible for the actual computer that houses the data.
- Typically the same person as the data owner, but this can be delegated to someone else
Asset Owner (or System Owner)
Responsible for granting appropriate access to personnel.
Administrators
- Personnel who perform day-to-day tasks relating to handling the data
- e.g. perform data backups, patch systems, configure antivirus, etc.
- e.g. personnel in the IT dept. or the security admin.
Custodian
- Users that create and manage sensitive data within an organization
- e.g. Human Resources
Data Controllers
- Manages data on behalf of data controllers
- e.g. an outsourced payroll company (Paycom)
Data Processors
- Created in the 1980s by the DoD to impose security standards on computers the government purchased and used
- The Orange Book of the Rainbow Series
- Replaced by the international Common Criteria
Trusted Computer System Evaluation Criteria (TCSEC)
What are TCSEC categories?
Category A Verified protection (Highest level of protection)
Category B Mandatory protection
Category C Discretionary protection
Category D Minimal protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- In the development cycle for systems, each phase is documented, evaluated, and verified before moving to the next step
Category A Verified protection (Highest level of protection)
- Trusted Computer System Evaluation Criteria (TCSEC) category
- More granularity of control is mandated
- Used to allow very limited sets of subjects/objects
Category B Mandatory protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- Systems in this category do provide some security controls but lack the more sophisticated and stringent controls that address the specific needs of secure systems
Category C Discretionary protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- Reserved for systems that have been evaluated but do not meet requirements to belong to any other category
Category D Minimal protection
- Part of the rainbow series
- Government standards relating to networking
- Now outdated
Red Book
- Part of the rainbow series
- Government standards relating to password creation and management
- Now outdated
Green Book
- Users must have a security clearance and access approval that permits all info processed by the system
- A valid need to know only for the info they will access on the system
System high mode
- Users must have a security clearance, access approval, and a valid need to know for all info processed by the system
- All users on the system can access all the data on the system
- Enforced by admin personnel who physically limit access to the system
Dedicated mode
- Users must have a security clearance for all info processed by the system
- Access approval and a valid need to know only for info they will access on the system, (not for all the info processed by the system)
Compartmented mode
- Users must have a security clearance, access approval, and a valid need to know that permits only the info they will access on the system
- Do not need these things for all the info processed by the system
- Enforced primarily by hardware or software on a system
Multilevel mode
- Component of TCSEC
- System components that were designed to adhere to and enforce the security policy of the system as a whole
- e.g. the OS kernel and the supporting programs that configure file ownership and permissions
Trusted Computer Base (TCB)
- Data that is for internal use or for office use only
- Used to protect info that could violate the privacy rights of individuals
Sensitive but Unclassified
Unauthorized disclosure does not compromise confidentiality or cause any noticeable damage
Unclassified
- Private sector classification level
- Proprietary data that, if disclosed, could have drastic effects on the competitive edge of an organization
Confidential
- Private sector classification level
- Data related to individuals within a company and intended for internal use only
- e.g. medical data
Private
- Private sector classification level
- Data that could have a negative impact if disclosed
Sensitive
- Private sector classification level
- Disclosure does not have a serious impact on the organization
Public
- The imaginary boundary that separates the TCB from the rest of the system
- TCB components communicate with non-TCB components using trusted paths
Security perimeter
In order to implement a classification scheme, list the 7 steps you must perform:
- Identify the custodian, and define their responsibilities.
- Specify the evaluation criteria of how the information will be classified and labeled.
- Classify and label each resource. (The owner conducts this step, but a supervisor should review it.)
- Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria.
- Select the security controls that will be applied to each classification level.
- Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity.
- Create an enterprise-wide awareness program to instruct all personnel about the classification system.
- Defined a list of security controls based on industry best practices
- Provided centralization of security controls across different organizational departments (e.g. facilities, IT, HR, etc.)
- First international standard used for developing an organization's internal security program
British Standard (BS)7799
- Based on BS7799
- Defines general requirements for setting up an information security management system
- Typically used as a basis for certification by an accredited third party
- List of security controls based on industry best practices
ISO 27001
- Based on BS7799
- Goes into more detail on the specifics of information security controls
- Provides industry-specific general security guidelines (e.g. financial services, healthcare, etc.)
- Focuses on security governance
ISO 27002
ISO guidelines for information security management systems for organizations in the healthcare industry
ISO 27799
ISO guidelines for information security management systems for organizations in the financial industry
ISO 27015