Appendix D: Data Classification (1/2)

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

283

Appendix D

Data Classiﬁcation

Data classiﬁcation is the basis for determining how data is treated — e.g., how long

it is retained, how it is handled (conﬁdential, public, etc.), and how it is protected.

It is based on operational, regulatory, and other business requirements and impacts

many areas of a company. Some groups that may have signiﬁcant input in data

classiﬁcation policy include ﬁnance, information technology (IT), and human

resources. These groups have operational and regulatory requirements with different

data including some of the examples listed below:

• Financial records

• Personnel records

• System logs

For example, the ﬁnance group has classiﬁcation requirements driven by oper-

ational needs related to ﬁnancial analysis and regulatory requirements related to

taxation and Securities and Exchange Commission (SEC) reporting (if it is a publicly

traded company).

Some of the key risks of not having a sound data classiﬁcation process include:

• Loss of critical data due to inappropriate treatment

• Compromise of conﬁdential data during transmission or destruction due

to a lack of appropriate security measures

• Inappropriate disclosure of information as a result of lack of classiﬁcation

or no classiﬁcation, resulting in ﬁnes or damage to a company’s reputation

or legal exposure

This questionnaire is based on the International Standards Organization (ISO)

17799 standard and past experience and is meant to serve as an initial set of questions.

These questions should be asked of people who are signiﬁcantly involved in the data

classiﬁcation process. This questionnaire should be modiﬁed to the extent necessary

to reﬂect the speciﬁc client’s business based on what you have learned so far.

1. Is a data classiﬁcation policy in place?

Guidance:

A data classiﬁcation policy is required at the minimum in order

to have consistent and enforceable classiﬁcation practices. It is possible

AU1706_book.fm Page 283 Wednesday, July 28, 2004 11:06 AM

284

A Practical Guide to Security Assessments

that there is no documented scheme but there is some scheme that personnel

generally know about and follow. The policy helps ensure that all person-

nel are using the same classiﬁcations. If there is an “ad-hoc” or unwritten

policy in place, it can potentially be leveraged to create the security policy.

Risk:

The risks associated with not having a data classiﬁcation policy

include:

• There is a lack of or inconsistent data classiﬁcations being used, which

can result in data not receiving appropriate treatment relative to oper-

ational, legal, and other requirements.

• It is difﬁcult to enforce consistent data classiﬁcation practices without

a formal policy that has been communicated to personnel.

Client Response:

2. Are any procedures in place to show users how they are to classify

information and communicate it to the relevant people in the organization?

Guidance:

In order for personnel to understand how to implement the data

classiﬁcation policy, a process they can follow should be documented and

readily accessible. The procedure should articulate responsibilities (e.g.,

data owners, IT) and deﬁne a process for classifying data and communi-

cating the classiﬁcation to the appropriate parties. If there is already a pro-

cess that is working well, it should be formalized into a documented

procedure. The documented procedure will make users accountable to a

process and help ensure that personnel know about it and that it is done

consistently. The other value of procedures is when there is employee turn-

over. Documented procedures can be used by new employees to quickly

come up to speed.

Risk:

Without documented procedures, there is a risk of:

• Noncompliance with the data classiﬁcation policy

• Incorrect or inconsistent data classiﬁcation processes

Both of these cases can result in data not being classiﬁed properly and

not receiving the appropriate treatment.

Client Response:

3. Does your company have any operational, regulatory, or other require-

ments that might dictate the need for data classiﬁcation?

AU1706_book.fm Page 284 Wednesday, July 28, 2004 11:06 AM

Appendix D

285

Guidance:

This question should help determine how important data clas-

siﬁcation is for the company. Some smaller companies might treat all data

in the same way and may not have any need for data classiﬁcation. In larger

companies, data classiﬁcation is probably something to be concerned

about, as they are more likely to have those types of requirements.

Risk:

Not applicable. This question is to help determine the scope of data

classiﬁcation in the company.

Client Response:

4. Have there been any security incidents recently that could potentially have

been prevented if a data classiﬁcation policy was in place? If so, what

steps have been taken to prevent such incidents from happening again?

Guidance:

If an incident has occurred, the nature of the incident, the com-

pany’s response, and subsequent actions to prevent it from happening

again are important to discuss and may lead to ﬁndings for the assessment.

For example, colleges and universities are always handling sensitive stu-

dent information — e.g., grades, disciplinary information. The risk related

to exposing sensitive student information can be reduced if student infor-

mation is classiﬁed so that it receives the appropriate level of security.

Risk:

Not applicable. The purpose of this question is to gather informa-

tion. There is no associated risk.

Client Response:

5. Do users know the data classiﬁcation scheme and is it published and

easily accessible?

Guidance:

Sometimes a data classiﬁcation scheme exists but few know

about it because it is buried in some obscure intranet site or in some man-

ual, which only a few people have. It is possible that the policy is not with

the rest of the security IT policies or operations policies because it was de-

veloped by the legal department. Users might want to classify information

but if the scheme is not easily accessible, they may not take the time to ﬁnd

out about it and thus may not use it. There may be a need to incorporate

data classiﬁcation into a user awareness program and into existing security

policies.

AU1706_book.fm Page 285 Wednesday, July 28, 2004 11:06 AM

286

A Practical Guide to Security Assessments

Risk:

If users are not aware of the data classiﬁcation policy and if it is not

easily accessible, there is a risk they will not follow it because they do not

know about it or are not willing to take the time to ﬁnd out about it.

Client Response:

6. Does the classiﬁcation scheme provide enough guidance so users can

easily classify information?

Guidance:

When users access the data classiﬁcation policy, it would be

helpful for them to have some criteria or examples to help them classify

information and distinguish the differences between the various classiﬁca-

tions. As users begin to classify data, real examples, which can be used as

reference points by personnel, will become available. One sign of a lack of

guidance is that people are not using the existing classiﬁcation scheme

because the meaning of the classiﬁcations is unclear. If no guidance exists

and personnel are unclear on classifying data, it would be worth incorpo-

rating this into a user awareness program and incorporating examples into

the classiﬁcation policy.

Risk:

Without some guidance or examples of data for each of the classiﬁ-

cations, personnel might not classify data properly. This can lead to incon-

sistent data classiﬁcation and data not getting appropriate treatment.

Client Response:

7. Are speciﬁc roles and responsibilities deﬁned for data classiﬁcation —

speciﬁcally for data owners and system owners?

Guidance:

Data classiﬁcation, like other areas of security or operations in

general, requires clear roles and responsibilities to ensure that key tasks are

performed. In the case of data classiﬁcation, there must be personnel who

“own” the data and are thus responsible for classifying it. One thing to look

out for is that data classiﬁcation might be viewed as an IT problem and as

a result, IT is responsible for classifying the data. IT should not be making

data classiﬁcation decisions because they do not have the expertise to do

so nor do they own the data. The IT group’s responsibility should be to pro-

vide the necessary level of protection for data based on the classiﬁcation.

In addition, data owners should understand that there are costs related to

different classiﬁcations — e.g., there are additional costs related to pro-

tecting conﬁdential documents versus public documents.

AU1706_book.fm Page 286 Wednesday, July 28, 2004 11:06 AM

Appendix D

287

Risk:

Without clearly deﬁned roles and responsibilities, there is a risk that

data will not be classiﬁed properly and will not receive the appropriate

treatment.

Client Response:

8. Is the data classiﬁcation scheme used consistently across the whole orga-

nization?

Guidance:

As a best practice, one data classiﬁcation scheme should be

used consistently across an organization. An example of multiple classiﬁ-

cations is when a company is classifying conﬁdential data. One group

might call it “conﬁdential,” but another group might call the same type of

data “proprietary and conﬁdential.” This will just confuse some personnel

and potentially result in the creation of other classiﬁcations. In addition,

with these rogue classiﬁcations, it is difﬁcult to determine what the impli-

cations are for the various classiﬁcations — i.e., how that data is protected.

If other classiﬁcations are developed, they should go through the appropri-

ate reviews, and personnel should be provided with some education on

them.

Risk:

Without a consistent data classiﬁcation scheme, which has gone

through appropriate reviews, there is a risk that data will not receive appro-

priate treatment as it is unclear what the classiﬁcations mean.

Client Response:

9. Does the classiﬁcation scheme address the following processes for each

classiﬁcation?

• Copying and storage of information

• Retention of data

•Transmission of data

• Destruction of information

• Sensitive information

Guidance:

One of the purposes of the classiﬁcation scheme is to deﬁne

how data should be handled. Based on how data is classiﬁed, the company

should have certain guidelines for key data processes such as the ones listed

above. If a user classiﬁes data with a certain classiﬁcation, the user should

have an understanding of how the data will be treated and what the ﬁnan-

cial and process implications might be. For example, when “conﬁdential”

AU1706_book.fm Page 287 Wednesday, July 28, 2004 11:06 AM

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Appendix D: Data Classification (1/2)

Create new playlist

Sign In

Sign Up

Table of Contents for
Appendix D: Data Classification (1/2)