CISSP For Dummies
You must understand the purpose of a data classification scheme, and be familiar with commercial data classification criteria and the government data classification scheme.
Information and data, in all their various forms, are valuable business assets. As with other, more tangible assets, the information’s value determines the level of protection required by the organization. Applying a single protection standard uniformly across all an organization’s assets is neither practical nor desirable.
A data classification scheme helps an organization assign a value to its information assets based on its sensitivity to loss or disclosure as well as to determine the appropriate level of protection. Additionally, data classification schemes may be required for regulatory or other legal compliance.
Commercial data classification
Commercial data classification schemes are typically implemented to protect information that has a monetary value, to comply with applicable laws and protect privacy, and to limit liability. Criteria by which commercial data is classified include
- Value: This is the most common classification criterion in commercial organizations. It is based on monetary value or some other intrinsic value.
- Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge is classified this way.
- Regulatory requirements: Private information, such as medical records subject to HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations and educational records subject to the Privacy Act (see Chapter 12), may have legal requirements for protection. Classification of such information may be based not only on compliance but also on liability limits.
Descriptive labels are often applied to company information, such as Confidential and Proprietary and Internal Use Only. However, the organizational requirements for protecting information labeled as such are often not formally defined or are unknown. Organizations should formally identify standard classification levels as well as specific requirements for labeling, handling, storage, and destruction/disposal.
Government data classification
Government data classification schemes are generally implemented to
- Protect national interests or security
- Comply with applicable laws
- Protect privacy
One of the more common systems, used within the U.S. Department of Defense (DoD), consists of five broad categories for information classification: Unclassified, Sensitive but Unclassified (SBU), Confidential, Secret, and Top Secret. (We discuss all these in upcoming sections.)
Within each classification level, certain safeguards are required in the use, handling, reproduction, transport, and destruction of Defense Department information. In addition to having an appropriate clearance level at or above the level of information being processed, individuals must have a need-to-know before they can access the information. Those who need to know are those who require the information to perform an assigned job function.
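The two-condition rule just described (clearance at or above the document's level, plus need-to-know), worked through as an added Python example that is not from the book: the five DoD levels are ranked in the order the text lists them, and need-to-know is modelled as a set of named compartments, which is an assumption made here for illustration.

```python
from dataclasses import dataclass, field

# Ordered least to most sensitive, as the text lists them; the index is the rank.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A classification (on a document) or a clearance (on a person).
    'compartments' models need-to-know as named job functions/projects;
    that representation is an assumption of this example, not the book's."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def may_read(clearance, document, reasons=None):
    """Return True only if BOTH conditions from the text hold:
    clearance level at or above the document's level, and
    need-to-know for every compartment the document carries.
    When a list is supplied, each failed condition is appended to it."""
    ok = True
    if RANK[clearance.level] < RANK[document.level]:
        ok = False
        if reasons is not None:
            reasons.append(f"clearance {clearance.level} is below {document.level}")
    missing = document.compartments - clearance.compartments
    if missing:
        ok = False
        if reasons is not None:
            reasons.append("no need-to-know for: " + ", ".join(sorted(missing)))
    return ok


if __name__ == "__main__":
    # Constructed sample subject and objects (not real designations).
    analyst = Label("Secret", frozenset({"PROJECT-A"}))
    docs = [Label("Confidential", frozenset({"PROJECT-A"})),
            Label("Secret", frozenset({"PROJECT-B"})),
            Label("Top Secret", frozenset({"PROJECT-A"}))]
    for doc in docs:
        why = []
        print(doc.level, sorted(doc.compartments), "->", may_read(analyst, doc, why), why)
```

The second sample document is the instructive case: a Secret clearance is not enough on its own, because the analyst has no need-to-know for that compartment.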
Unclassified
The lowest government data classification level is unclassified. Unclassified information isn’t sensitive, and unauthorized disclosure won’t cause any harm to national security. Unclassified information may include information that was once classified at a higher level but has since been declassified by an appropriate authority. Unclassified information isn’t automatically releasable to the public and may include additional modifiers such as For Official Use Only or For Internal Use Only.
Sensitive but Unclassified (SBU)
Sensitive but Unclassified information is one of the more common modifiers of Unclassified information. It generally includes information of a private or personal nature. Examples include test questions, disciplinary proceedings, and medical records.
Confidential
Confidential information is information that, if compromised, could cause damage to national security. Confidential information is the lowest level of classified government information.
Secret
Secret information is information that, if compromised, could cause serious damage to national security. Secret information must normally be accounted for throughout its life cycle to destruction.
Top Secret
Top Secret information is information that, if compromised, could cause grave damage to national security. Top Secret information may require additional safeguards such as special designations and handling restrictions.