Data Classification
Data Classification While not (explicitly) on the CCNA Security (640-553 IINS) blueprint, all of the Cisco Press books for the CCNA Security exam that I reviewed included data classification (specifically US data classification structures) in their materials, so I am including it here. Data classification - the act of assigning the level of sensitivity to data. Sensitivity - a calculation of the damage that the release of the information would cause. Classified information - sensitive information to which access is restricted by law or regulation to particular classes of persons. A formal security clearance is required to handle classified documents or access classified data. Security clearance - the level of information you are authorized to view. Your security clearance determines the highest classification of information you are able to view. So if you hold a Secret-level clearance, you can view Confidential and Secret data (as well as unclassified data), but not Top-secret data. Need to know - Regardless of sensitivity level, information that is classified may be given only to people who need to know the information. Having a Top Secret clearance does not give one access to all documents classified at that level. Rather, people may access classified information only if they are cleared at the information's sensitivity level and have a need to know.
Public Sector (US) Classifications In the U.S. information is called "classified" if it has been assigned one of the three levels: Confidential, Secret, or Top Secret. Information that is not so labeled is called unclassified information. Confidential -The lowest classification level. It is defined as information which would "damage" national security if disclosed. Secret -The second highest classification. Information is classified secret when its release would cause "serious damage" to national security. Most information that is classified is held at the secret sensitivity. Top secret -This is the highest security level that is publicly disclosed, and is defined as information that would cause "exceptionally grave damage" to national security if disclosed to the public. The term declassified is used for information which has had its classification removed, and downgraded refers to information that has been assigned a lower classification level, but is still classified.
Public Sector (US) Unclassified Information In the U.S. information is called "classified" if it has been assigned one of the three levels: Confidential, Secret, or Top Secret. Information that is not so labeled is called unclassified information. Unclassified – Exactly what it says: information with little or no sensitivity. Sensitive but unclassified (SBU) – One of many ‘classified unclassified’ categories. This is basically information that does not meet the criteria to be classified, but access/distribution is nonetheless controlled. These classifications are constantly in flux and change names quite often. You might also see Unclassified - Law Enforcement Sensitive (U//LES), Unclassified — For Official Use Only (U//FOUO), NOFORN ('no foreign nationals'), Critical Program Information (CPI) , etc. In September 2005, J. William Leonard, director of the U.S. National Archives Information Security Oversight Office was quoted in the press as saying "No one individual in government can identify all the controlled, unclassified [categories], let alone describe their rules." President Barack Obama recently issued Executive Order 13526 to address some of this mess. If you want to cure yourself of insomnia go ahead and peep the executive order online.
Private Sector Classifications Some corporations and non-government organizations also assign sensitive information to multiple levels of protection, either from a desire to protect trade secrets, or because of laws and regulations governing various matters such as personal privacy, sealed legal proceedings and the timing of financial information releases. Private corporations often require written confidentiality agreements and conduct background checks on candidates for sensitive positions. Public - Information made available to the public. Sensitive - Data that could cause embarrassment, but not a security threat. Private - Organizational information that should be kept secret and whose accuracy should be maintained. Confidential - Sensitive organizational information that should be protected with great care. These classifications are not as hard and fast as the government/public sector classifications and can vary greatly from organization to organization.
Data Classification
Data Classification Criteria Value - How valuable the data is to the organization. "How much shit would hit the fan if access was not restricted?" Age - How old the data is. Useful Life - How long will the data be considered relevant/important. “How long before this information is considered obsolete ?” Personal Association - Is this information related to individuals' personal information.
Data Classification Roles Owner - Sets the initial classification level as well as reviews procedures for classifying information. Custodian - Keeps the information up-to-date and accurate. Creates backups and restoration points for data. Maintains the data. User - Accesses and uses the data according to their security clearance. As a network engineer you’re probably going to swim in all three of these pools at some point in your career. For example, you may create a network document and decide who needs access to the document (owner). Over time you will review this document and keep it up-to-date as well as archive changes to the document (custodian). You will also most likely refer to the documentation in the cases where you need to change/troubleshoot the network (user).
Summary While data classification is a deep subject and not one that you will generally think about too much in your day-to-day job as a network engineer, it is good to be familiar with the basic terminology, structures, and scope of data classification. Whether you’re hunkered down in a top secret military facility or simply working in a NOC, you will need to be at least minimally familiar with your organization’s data classification system and procedures. For the CCNA Security exam, I would at least be able to define the terms associated with data classification as well as know the US Public Sector’s data classification structure.
Recommend
More recommend
