16 Aug Data Classification – Evaluating Sensitivity
Data classification is the process by which data is evaluated for its risk and sensitivity and then assigned a label which determines the level of security that will be used to protect that data. Simply put, less sensitive data is protected at a lower level and more sensitive data is protected at a higher level. There are two different classifications schemes in general use, one scheme is used in government and military settings and the other in commercial, private sector settings.
Data classification is an important component of an effective security program, giving organizations a mechanism to appropriately direct the effort, money and resources required to protect data. If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of why and how data is classified. You should make sure you know the five levels of government/military classification and the four levels of commercial, private sector classification.
Benefits of Classification
Having a data classification scheme in place provides necessary structure to the protection of an organization’s data. It provides guidance for identifying which assets are most critical or valuable to the organization and helps to define access levels and permissible use. A complete system also provides guidance for data lifecycle management and includes parameters for the declassification and/or destruction of resources that are no longer valuable.
With few exceptions, most organizations have data that varies in its sensitivity. A single private sector IT system, for example, might house everything from benign marketing flyers and cafeteria menus to personally identifiable employee payroll data and proprietary strategic planning documents.
While it might be tempting to secure all systems at the highest level to avoid any accidental release of sensitive data, there are a number of factors that make such a broad-brush approach not only impractical, but actually detrimental to the organization. More rigorous security controls tend to be more expensive, so providing high security to items which are not sensitive wastes resources that would be better applied to the more sensitive data. Also, keeping data secure involves putting restrictions on how that data is accessed. Securing data at too high a level places an unnecessary burden on the organization, making it more difficult and time consuming for employees to do their jobs.
In addition to providing structure to data security, data classification provides important signals to an organization and its employees. By labeling data as sensitive and needing protection, all employees will be aware that steps need to be taken to prevent its release. If no classification system were in place, employees would need to evaluate each item individually every time it is accessed. Not only would such a system be inefficient, the risk of mishandling sensitive data would be unacceptably high.
U.S. Government Classification System
The United States government classification system is established under executive order and federal regulations which describe the classification, declassification, and handling of national security information generated by the U.S. government and contractors. Improper handling of classified data can have severe legal consequences.
There are five levels of classification used by the United States government and military, as shown below:
Let’s dive into the definitions of each of these classification levels:
- Top Secret: Disclosure of top secret data would cause grave damage to national security. Top secret data is given the highest levels of protection and access is restricted to persons with a “need to know.”
- Secret: Disclosure of secret data would cause serious damage to national security. While this data is considered less sensitive than data classified as top secret, it is nonetheless given a high level of protection with many safeguards and procedures that must be followed.
- Confidential: Confidential is the lowest level of government classified data. Its release would cause some harm to national security.
- Sensitive But Unclassified (SBU): The SBU designation is used for data that is not classified, but there are reasons to protect the information from release. The SBU designation is often used when release of data could violate the privacy rights of citizens.
- Unclassified: Unclassified is data that has no classification or is not sensitive.
Corporate Classification Systems
There is no single classification system in use by private sector entities. For security certification exam preparation you will want to focus on four designations commonly used in businesses and other private sector organizations:
- Highly Sensitive: In many schemes, highly sensitive information is the highest level of private sector classification. Confidential data is highly sensitive and significant harm could come to the company if it is disclosed. Examples of highly sensitive information include Social Security numbers, health records, credit card information and other highly regulated and valuable data elements.
- Sensitive: Sensitive information is information that does not reach the highly sensitive level, but could cause serious harm to the company if disclosed to unauthorized individuals. Examples of sensitive information might include employee records or secret business plans.
- Internal: Internal information is information that the company does not intend to disclose publicly, but would cause minimal harm if accidentally or maliciously disclosed. A company directory might fit into this category.
- Public: Public is the lowest level of classification. It is used for data which is intended for public disclosure, such as marketing materials or a company website.
Understanding data classification is an important component of your preparation for a variety of security certification programs. If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam.