This chapter is from the book
Classifying Data

Understand the considerations and criteria for classifying data.

Throughout this chapter, we have discussed various aspects of protecting information assets. When we talk about risk analysis and management, we talk about the most cost-effective way of protecting the information asset. Part of setting the level of risk associated with data is placing it in a classification. After data is classified, a risk analysis can be used to set the most cost-effective ways of protecting that data from various attacks.

Classifying data is supposed to tell you how the data is to be protected. More sensitive data, such as human resources or customer information, can be classified in a way that shows that disclosure has a higher risk. Informational data, such as that used for marketing, would be classified at a lower risk. Data classified at a higher risk can create security and access requirements that do not exist for lower risks, which might not require much protection at all.

Commercial Classification

Classification of data in commercial or nongovernment organizations does not have a set standard. The classification used depends on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model. There is no formula for creating the classification system; the system used depends on the data. Some organizations use two types of classification: confidential and public. For others, a higher granularity might be necessary. Table 3.4 contains a typical list of classifications that can be used for commercial organizations, from highest to lowest.

Table 3.4 COMMERCIAL DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST
Government Classification

Government classification of data is something created out of policy for maintaining national security or the privacy of citizen data. Military and intelligence organizations base their classifications on the ramifications of disclosure of the data. Civilian agencies also look to prevent unauthorized disclosure, but they also have to consider the integrity of the data.

Classifications for Sensitive Data

The classifications for the sensitivity of data used in government and military applications are top secret, secret, confidential, sensitive but unclassified, and unclassified. The implementation of the classification is based on laws, policies, and executive directives that can be in conflict with each other. Agencies do their best to resolve these conflicts by altering the meaning of the standard classifications. Table 3.5 explains the types of classifications used by government civilian and military organizations.

Table 3.5 GOVERNMENT DATA CLASSIFICATIONS FROM HIGHEST TO LOWEST
Criteria

After the classification scheme is identified, the organization must create the criteria for setting the classification. No set guidelines exist for setting the criteria, but some considerations are as follows:
Creating Procedures for Classifying Data

Using this information, your organization can create a procedure for classifying data. Government organizations already have this procedure defined. Nongovernment organizations have a lot of flexibility in setting the procedures that best suit their needs. Step By Step 3.2 is an example of a procedure your organization can use.

STEP BY STEP 3.2 Creating Data Classification Procedures
Which is the most important protection for information classified?
Actually, the highest level of security controls should be applied to Restricted data. Restricted: Data should be classified as Restricted Data when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates.

What are the 4 types of classified matters?
Documents and other information must be properly marked "by the author" with one of several (hierarchical) levels of sensitivity—e.g. restricted, confidential, secret, and top secret.

Is top secret the highest level of classification?
Top Secret is the highest level of classification. However, some information is further categorized/marked by adding a code word so that only those who have been cleared for each code word can see it.

What are the three levels of security classification?
(S) There are three levels of classification – TOP SECRET, SECRET, and CONFIDENTIAL.