Sunday, April 13, 2008

Data classification

The reason to classify data is to organize it according to its sensitivity to loss or disclosure, which in turn indicates the level of confidentiality, integrity and availability each piece of data requires.

Data classification helps ensure that the data is protected in the most cost-effective manner.

The classification scheme is different in every company, but in general there are two main groups:

Private Business


Normally availability is the main concern: if the service is down, or if data is lost, the result is monetary loss and damage to the company's image.

Government and military


In government and the military, confidentiality comes first, integrity second and availability (normally) last, because there are secrets to keep and the money does not come from the data or from a service.


The information can be classified as:

Public


Disclosure is not welcome, but it would not harm the company.
->Business

Proprietary


If disclosed, it could reduce the company's competitive edge.
(technical specifications of a product)
->Business

Confidential


Disclosure would seriously affect the company.
(trade secrets, code)
->Business & Military

Sensitive


Requires special precautions to protect its integrity.
->Business

Secret


If disclosed, it could cause serious damage to national security.
(military plans)
->Military

Top secret


If disclosed, it could cause grave damage to national security.
(spy satellite)
->Military

Sensitive but unclassified (SBU)


A minor secret: not formally classified, but still to be protected.
(medical data)
->Government

Unclassified


Data that is neither sensitive nor classified.
->Military


The sensitivity levels, from highest to lowest:
1. Top secret
2. Secret
3. Confidential
4. SBU
5. Unclassified



Data Classification Procedures


1. Identify the custodian responsible for maintaining the data and its security level
2. Define the criteria by which data is classified
3. The owner sets the classification
4. Define the security controls required for each classification level
5. Document exceptions
6. Define methods for transferring custody of the data to a different data owner
7. Define procedures for declassifying the data
8. Run a security awareness program so that users know the scheme and their duties under it


Responsibilities


Senior management, and the other levels of management below it, understand the vision of the company and its business goals and objectives.
The next layer is functional management, who understand their departments and how security affects them.
The next layers are operational managers and staff, who understand the techniques and procedures.

The data owner is a member of senior management; the owner is accountable for negligent acts and decides the classification.

The data custodian maintains and protects the data, e.g. a system administrator.

The data user is whoever routinely uses the data.

The chief information officer (CIO) should work with senior management to define procedures.

Business managers determine the level of protection needed and are involved in the selection of safeguards.

The auditor examines the practices.

The security professional is responsible for security and carries out senior management's directives.

DoD Data Classification


- Top Secret
- Secret
- Confidential
- Unclassified

Data classification is what mandatory access control (MAC) enforces: each object carries a classification label, each subject carries a clearance, and the system, not the owner, decides access by comparing the two.
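As an added example (not code from the original post), the following Python shows how a MAC check compares a subject's clearance against an object's label using the five-level ordering listed above. It goes beyond the post in two ways, both assumptions: it applies Bell-LaPadula style rules (no read up, no write down), and it adds optional need-to-know compartments on top of the level ordering, so that a label dominates another only when its level is at least as high and its compartments are a superset. Names such as `Label`, `can_read` and the compartment "SATCOM" are invented for the example.

```python
"""Toy mandatory access control (MAC) check over the post's sensitivity levels.

Added example, not part of the original post. Assumes Bell-LaPadula style
rules (no read up, no write down) and invented need-to-know compartments.
"""
from dataclasses import dataclass, field

# Sensitivity levels from the post, lowest to highest; a higher index dominates a lower one.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments (assumed)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high in the lattice as other:
        level at least as high and compartments a superset."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance
    must dominate the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the
    subject's, so information never flows to a lower label."""
    return obj.dominates(subject)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Decide a read or write request; the decision is made by the rules,
    not by whoever owns the object, which is what makes it mandatory."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed subject and objects, mirroring the post's examples.
    analyst = Label("Secret", frozenset({"SATCOM"}))
    plans = Label("Secret")                                   # military plans
    satellite = Label("Top secret", frozenset({"SATCOM"}))    # spy satellite data
    medical = Label("SBU")                                    # medical data
    for name, obj in [("plans", plans), ("satellite", satellite), ("medical", medical)]:
        print(f"{name}: read={check_access(analyst, obj, 'read')} "
              f"write={check_access(analyst, obj, 'write')}")
```

Run as a script it prints that the Secret-cleared analyst can read the Secret plans and the SBU medical data but not the Top secret satellite data, and can write only to the satellite object (the one label that dominates the analyst's own), which is the no-write-down rule preventing Secret information from leaking into an SBU file.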
