Implementation

You cannot implement what senior management won't support. Sure, you will need the employees to buy into the process, but the biggest element of success depends on making sure that security flows from the top. With senior management leading the way, you can further ensure success by setting up a data-classification scheme so that employees realize the importance of the data they work with. You will also want to consider employee trainingwithout it, how will employees know good security practices? As a final step, you will want to build in security controls because they allow you to monitor the level of compliance.

Data Classification

Organizational information that is proprietary or confidential in nature must be protected. Data classification is a useful way to rank an organization's informational assets. The two most common data-classification schemes are military and public. Companies store and process so much electronic information about their customers and employees that it's critical for them to take appropriate precautions to protect this information. Both military and private data-classification systems accomplish this task by placing information into categories. The first step of this process is to assess the value of the information. When the value is known, it becomes much easier to decide what amount of resources should be used to protect the data. It would make no sense to spend more on protecting something with a lesser value or worth.

Each level of classification that is established should have specific requirements and procedures. The military and commercial data-classification models have predefined labels and levels. When an organization decides which model to use, it can evaluate data placement by using criteria such as the following:

• The value of the data
• Its age
• Laws
• Regulations pertaining to its disclosure
• Replacement cost

Military Data Classification

The military data-classification system is widely used within the Department of Defense. This system has five levels of classification:

• Unclassified
• Sensitive
• Confidential
• Secret
• Top secret

Each level represents an increasing level of sensitivity. Sensitivity is the desired degree of secrecy that the information should maintain. If an individual holds a confidential clearance, it would mean that he could access unclassified, sensitive, or confidential information for which he has a need to know. His need-to-know would not extend to the secret or top secret levels. The concept of need-to-know is similar to the principle of least privilege, in that employees should have access only to information that they need to know to complete their assigned duties. Table 3.4 provides details about the military and public/private data-classification models.

Public/Private Data Classification

The public or commercial data classification is also built upon a four-level model:

• Public This information might not need to be disclosed, but if it is, it shouldn't cause any damage.
• Sensitive This information requires a greater level of protection to prevent loss of confidentiality.
• Private This information is for company use only, and its disclosure would damage the company.
• Confidential This is the highest level of sensitivity, and disclosure could cause extreme damage to the company.

Roles and Responsibility

Just as we have discussed the importance of data classification, it's important to provide a clear division of roles and responsibility. This will be a tremendous help when dealing with any security issues. Everyone should be subject to this policy, including employees, consultants, and vendors. The following list highlights some general areas of responsibility different organizational roles should be held to regarding organizational security. Common roles include owner, data custodian, user, and security auditor:

• Data owner Usually a member of senior management. After all, senior management is responsible for the asset and, if it is compromised, can be held responsible. The data owner can delegate some day-to-day duties but cannot delegate total responsibility; senior management is ultimately responsible.
• Data custodian This is usually someone in the IT department. The data custodian does not decide what controls are needed, but he or she does implement controls on behalf of the data owner. Other responsibilities include the day-to-day management of the asset. Controlling access, adding and removing privileges for individual users, and ensuring that the proper controls have been implemented are all part of the data custodian's daily tasks.
• User This is a role that most of us are familiar with because this is the end user in an organization. Users do have responsibilities: They must comply with the requirements laid out in policies and procedures. They must also practice due care.

  The CISSP candidate can be expected to be tested on the concept of due care. Due care is the care an ordinary, reasonable person would exercise under the same or similar circumstances.

• Security auditor This is the person who examines an organization's security procedures and mechanisms. How often this process is performed depends on the industry and its related regulations. As an example, the health care industry is governed by the Health Insurance Portability and Accountability Act (HIPAA) regulations and states that audits must be performed yearly. Regardless of the industry, senior management should document and approve the audit process.

Security Controls

The objective of security controls is to enforce the security mechanisms the organization has developed. Security controls can be administrative, technical, or physical. With effective controls in place, risks and vulnerabilities can be reduced to a tolerable level. Security controls are put in place to protect confidentiality, integrity, and availability.

Administrative

Administrative controls are composed of the policies, procedures, guidelines, and baselines an organization develops. Administrative controls also include the mechanisms put in place to enforce and control employee activity and access, such as the following:

• Applicant screening A valuable control that should be used during the hiring process. Background checks, reference checks, verification of educational records, and NDAs should all be part of the screening process.
• Employee controls Another useful mechanism that can add defense in depth to the organization's administrative controls. Some common employee controls include detailed job descriptions with defined roles and responsibilities. These are procedures that mandate the rotation of duties, the addition of dual controls, and mandatory vacations.
• Termination procedures A form of administrative control that should be in place to address the termination of employees. Termination procedures should include exit interviews, review of NDAs, suspension of network access, and checklists verifying that employees have returned all equipment they had in their care, such as remote-access tokens, keys, ID cards, cellphones, pagers, credit cards, laptops, and software.

Technical

Technical controls are the logical mechanisms used to control access, authenticate users, identify unusual activity, and restrict unauthorized access. Some of the devices used as technical controls include firewalls, IDS systems, and authentication devices such as biometrics. Technical controls can be hardware or software.

Physical

Physical controls are the controls that are most typically seen. Examples of physical controls include gates, guards, fences, locks, CCTV systems, turnstiles, and mantraps. Because these controls can be seen, it's important to understand that people might attempt to find ways to bypass them. You've probably seen this at a card keycontrolled entrance: One person opens the door, and two or three walk in.