2.1 Identify and classify information and assets
- Data classification
- Asset Classification
Before we can protect our data or assets, we must first identify the type of data that we have and what legal requirements we have to protect them. Then we can apply the appropriate controls. This ensures we do not spend too much effort to protect data that should not be protected and ensures that we protect data that is necessary.
Personally Identifiable Information is information that can identify an individual. It can include
- Telephone numbers
- Social Security Numbers, Drivers License numbers
Protected Health Information is health-related information that relates to a specific person. It can include
- Medical treatments
- Lab results
- Health insurance plans
- Payment information for health care
Proprietary Data is any data that gives an organization a competitive advantage.
How the government applies security classifications
- Top Secret – a leak of this data can cause harm to national security. Top Secret data includes nuclear technology and military technology. A user must have a need to know in order to access the data (just because a user has a Top Secret clearance does not mean that they are automatically entitled to access the data).
- Secret – a leak of the data can cause some harm.
- Confidential – the data is proprietary.
- Sensitive but Unclassified – this data is not classified but should not be disclosed.
- Unclassified – this information is available to the public.
- For Official Use Only/Law Enforcement Sensitive – this is data that has no official classification under the law but must still be protected. Its disclosure might be compromise law enforcement informant identities, investigative techniques, or ongoing investigations.
A private company will have its own system of classifying data. If the company is generating, processing, or storing data on behalf of the federal government, then it might be generating classified material and may need to subject that data to the same classification and protection procedures as the government.
The question is, if released, how much damage will the data disclosure cause?
- Confidential/Proprietary – a data breach will cause “exceptionally grave damage”. This includes data such as trade secrets
- Private – data that belongs to customers such as Personal Health Information
- Sensitive – data that is not confidential but still must be protected
- Public – unclassified data that anybody can see. We do protect the integrity of public data so that nobody can modify it.
We might classify the data through one of the following methods
- Context-Based – we classify the data based on its metadata. We make assumptions about what the actual data contains.
- Content-Based – we classify the data based on the content of the data instead of assuming what the data contains from the metadata.
- User-Based – a user manually classifies the data
We classify a physical asset based on the data that it contains and its value to the organization. For example, a server that stores Top Secret data should also be classified as Top Secret. We might mark the server with the label Top Secret.