Data classification helps ensure that data is protected in the most cost-effective manner.
The classification is different in every company, but in general there are two main groups:
Private business
Normally availability is the main concern: if the service is down or data is lost, the result is a monetary loss and damage to the company's image.
Government and military
In government and military, confidentiality is the main concern, integrity is second and availability is (normally) the least important, because there are secrets to keep and the money does not come from the data or a service.
The information can be:
Public
Disclosure is not welcome, but it would not impact the company.
->Business
Proprietary
If disclosed, it could reduce the competitive edge.
(technical specifications of a product)
->Business
Confidential
Disclosure would seriously affect the company.
(trade secrets, code)
->Business & Military
Sensitive
Special precautions are needed for integrity.
->Business
Secret
If disclosed, it could cause serious damage to national security.
(military plans)
->Military
Top secret
If disclosed, it could cause grave damage to national security.
(spy satellite)
->Military
Sensitive but unclassified (SBU)
Minor secret.
(medical data)
->Government
Unclassified
Data that is not sensitive or classified.
->Military
Sensitivity levels, from highest to lowest:
1. Top secret
2. Secret
3. Confidential
4. SBU
5. Unclassified
Data Classification Procedures
1. Identify the custodian responsible for maintaining the data and its security level
2. Define the criteria by which data is classified
3. The owner sets the classification
4. Specify the security controls required
5. Document exceptions
6. Methods to transfer custody to a different data owner
7. Procedures for declassifying the data
8. Security awareness program
Responsibilities
Senior management, and other levels of management, understand the vision of the company, its business goals and objectives.
The next layer is functional management, who understand their departments and how security affects them.
The next layers are operational managers and staff, who understand the techniques and procedures.
The data owner is a member of senior management; he is responsible for negligent acts and decides the classification.
The data custodian maintains and protects the data, for example a system administrator.
The data user is whoever routinely uses the data.
The chief information officer (CIO) should work with senior management to define procedures.
Business managers determine the level of protection needed and are involved in the selection of safeguards.
The auditor examines the practices.
The security professional is responsible for security and carries out senior management's directives.
DoD Data Classification
- Top Secret
- Secret
- Confidential
- Unclassified
Data classification labels are enforced through mandatory access controls (MAC).
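As an added example (not from the original notes), the following code turns the sensitivity order above into a mandatory access control check and lets only the data owner reclassify or declassify an object, as in steps 3 and 7 of the procedures. The read/write rules follow the Bell-LaPadula model (no read up, no write down), which is an assumption here, not something the notes state.

```python
from dataclasses import dataclass, field

# Sensitivity order from the notes, most sensitive first.
LEVELS = ["Top secret", "Secret", "Confidential", "SBU", "Unclassified"]
# Higher number = more sensitive (Top secret = 5, Unclassified = 1).
RANK = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}


def _rank(level: str) -> int:
    """Map a label to its rank; reject labels that are not in the scheme."""
    if level not in RANK:
        raise ValueError(f"unknown sensitivity level: {level!r}")
    return RANK[level]


def can_read(clearance: str, label: str) -> bool:
    """Simple security property: a subject may not read data above its clearance."""
    return _rank(clearance) >= _rank(label)


def can_write(clearance: str, label: str) -> bool:
    """*-property: a subject may not write to a lower label (no leaking downwards)."""
    return _rank(label) >= _rank(clearance)


@dataclass
class DataObject:
    """A labelled data object; the owner is the only one allowed to relabel it."""
    name: str
    owner: str            # data owner from the responsibilities section (assumed field)
    label: str
    history: list = field(default_factory=list)  # audit trail of relabelling decisions

    def reclassify(self, actor: str, new_label: str) -> bool:
        """Return True if `actor` is the owner and the new label is valid."""
        if actor != self.owner or new_label not in RANK:
            return False
        self.history.append((self.label, new_label, actor))
        self.label = new_label
        return True


if __name__ == "__main__":
    # Constructed sample: an analyst cleared at Secret and a Top secret document.
    doc = DataObject("spy-satellite-plan", owner="owner-alice", label="Top secret")
    print(can_read("Secret", doc.label))           # False: no read up
    print(doc.reclassify("analyst-bob", "Secret"))  # False: not the owner
    print(doc.reclassify("owner-alice", "Secret"))  # True: owner declassifies
    print(can_read("Secret", doc.label))           # True after declassification
```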
I really appreciate the information shared above. It's of great help. If someone wants to learn online (virtual) instructor-led live training in CISSP, kindly contact us: http://www.maxmunus.com/contact
MaxMunus offers world-class virtual instructor-led training on CISSP. We have industry expert trainers. We provide training material and software support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain, UAE, etc.
For Demo Contact us.
Nitesh Kumar
MaxMunus
E-mail: nitesh@maxmunus.com
Skype id: nitesh_maxmunus
Ph:(+91) 8553912023
http://www.maxmunus.com/