Data classification helps ensure that data is protected in the most cost-effective manner.
The classification scheme differs from company to company, but in general there are two main groups:
In business, availability is normally the main concern: if the service is down or data is lost, the result is monetary loss and damage to the company's image.
Government and military
In government and military, confidentiality is the main concern, integrity is second and availability is (normally) the least important, because there are secrets to keep and the money does not come from the data or a service.
The information can be:
Disclosure is not welcome, but it would not impact the company.
If disclosed, it could reduce the competitive edge (e.g. technical specifications of a product).
If disclosed, it would seriously affect the company (e.g. trade secrets, code).
-> Business & Military
Special precautions are needed for integrity.
If disclosed, it could cause serious damage to national security.
If disclosed, it could cause grave damage to national security.
Sensitive but unclassified (SBU)
Data that is neither sensitive nor classified.
The sensitivity level:
1. Top secret
Data Classification Procedures
1. Identify the custodian responsible for maintaining the data and its security level
2. Define the criteria by which data is classified
3. The owner sets the classification
4. Define the security controls required for each classification level
5. Document exceptions
6. Define methods to transfer custody to a different data owner
7. Define procedures for declassifying data
8. Run a security awareness program
Senior management, and other levels of management, understand the vision of the company and its business goals and objectives.
The next layer is functional management, who understand their departments and how security affects them.
The next layers are operational managers and staff, who understand the techniques and procedures.
The data owner is a member of senior management; he is responsible for negligent acts and decides the classification.
The data custodian maintains and protects the data, for example a system administrator.
The data user is whoever routinely uses the data.
The chief information officer (CIO) should work with senior management to define procedures.
Business managers determine the level of protection needed and are involved in the selection of safeguards.
The auditor examines the practices.
The security professional is responsible for security and carries out senior management's directives.
DoD Data Classification
- Top Secret
Data classification labels are what mandatory access controls (MAC) enforce.
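To show how classification labels drive a mandatory access control decision, here is an added Python example (not from the notes above): subjects carry a clearance label, objects carry a classification label, and the MAC check compares them on an ordered lattice. "Top Secret" and "SBU" come from the notes; the remaining levels ("Unclassified", "Confidential", "Secret") are the standard US DoD levels and are an assumption here, as are the "no read up" and "no write down" rules, which are the Bell-LaPadula properties rather than anything the notes state. The `declassify` helper illustrates step 7 of the procedures: lowering a label is an owner decision outside the access check.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordered classification lattice, lowest to highest. "Top Secret" and
# "Sensitive but unclassified (SBU)" appear in the notes above; "Unclassified",
# "Confidential" and "Secret" are the standard US DoD levels and are assumed here.
LEVELS: List[str] = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
RANK: Dict[str, int] = {name: rank for rank, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A classification label on a subject (clearance) or an object (data)."""
    level: str

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        # Label A dominates label B when A is at or above B in the ordering.
        return RANK[self.level] >= RANK[other.level]


def can_read(clearance: Label, classification: Label) -> bool:
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return clearance.dominates(classification)


def can_write(clearance: Label, classification: Label) -> bool:
    """Star property ("no write down"): the object's classification must
    dominate the subject's clearance, so data never flows to a lower level."""
    return classification.dominates(clearance)


def decide(clearance: Label, classification: Label, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for an access request; the reason string is
    what an auditor would expect to find in the access log."""
    if action == "read":
        allowed = can_read(clearance, classification)
    elif action == "write":
        allowed = can_write(clearance, classification)
    else:
        raise ValueError(f"unknown action: {action!r}")
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{verdict} {action}: subject={clearance.level} object={classification.level}"


def declassify(current: Label, new_level: str, owner_approved: bool) -> Label:
    """Declassification (step 7 of the procedures) is a documented decision by
    the data owner, not something the MAC check performs on its own."""
    if not owner_approved:
        raise PermissionError("declassification requires the data owner's approval")
    new = Label(new_level)
    if new.dominates(current):
        raise ValueError("declassify can only lower a classification")
    return new


if __name__ == "__main__":
    # Constructed sample requests against one Secret-labelled object.
    secret_doc = Label("Secret")
    for clearance, action in [("Top Secret", "read"), ("Confidential", "read"),
                              ("Confidential", "write"), ("Top Secret", "write")]:
        print(decide(Label(clearance), secret_doc, action)[1])
```

Note that a Confidential-cleared subject is denied reading the Secret object but allowed to write into it, while a Top Secret subject can read it but not write to it; this asymmetry is exactly what keeps classified data from leaking downward, and the `reason` strings give the auditor a record of each decision.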