Information Classification

In the following sections, we will discuss the various information classification systems, roles in the security process, and information access controls.

Public Information

Public information is primarily information that is made available either to the larger public or to specific individuals who need it. Financial statements of a privately held organization might be information that is publicly available, but only to individuals or organizations that have a legitimate need for it.

The important thing to keep in mind is that an organization needs to develop policies about what information is available and for what purposes it will be disseminated. It is also helpful to make it clear to members of the organization who has authorization to make these kinds of disclosures. There are organizations that gather competitive data for a fee; they often use social engineering approaches to gain information about an organization. Good policies help prevent accidents from occurring with sensitive information.

The following sections discuss the difference between limited and full distribution.

Limited Distribution

Limited distribution information is not intended for release to the public. This category of information is not secret, but it is private. If a company were seeking to obtain a line of credit, the information provided to a bank is of a private nature. This information, if disclosed to competitors , might give insight into their plans or the financial health of the organization. The information, if disclosed to customers, might scare them and cause them to switch to a competitor.

These types of disclosures are usually held in confidence by banks and financial institutions. These institutions will typically have privacy, confidentiality regulations, and policies that must be followed by all employees of the institution.

Software manufacturers typically release early versions of their products to customers who are willing to help evaluate functionality. These early versions of the software may not always work properly, and they have features that are not included in the final version. This version of the software is a beta test.

Before a beta tester is allowed to use the software, they will be required to sign a nondisclosure agreement (NDA). The NDA tells the tester what privacy requirements exist for the product.

The product being developed will change, and any problems with the beta version probably will not be a great secret. However, the NDA reminds the tester of their confidentiality responsibilities.

Statements indicating privacy or confidentiality are very common on limited-access documents. These statements should indicate that disclosure of the information without permission is a breach of confidentiality. This may help someone remember that the information is not for public dissemination .

Full Distribution

Marketing materials are examples of information that should have full distribution to anybody who wants it. Annual reports to stockholders and other information of a public relations orientation are examples of full distribution.

The key element of the full distribution classification involves decision- making responsibility. Who makes the decision about full disclosure? Larger organizations have a corporate communications department that is responsible for managing this process. If you are not sure, it is good idea to ask about dissemination of information. Do not assume that you know. This is the purpose of an information classification policy.

Private Information

Private information involves information that is intended only for use internally in the organization. This type of information could potentially embarrass the company, disclose trade secrets, or adversely affect personnel. Private information may also be referred to as working documents or work product. It is very important that private information not be disclosed, as it can potentially involve litigation if the disclosure was improper.

You will learn about the difference between internal and restricted information in the following sections.

Internal Information

Internal information includes personnel records, financial working documents, ledgers, customer lists, and virtually any other information that is needed to run a business. This information is valuable and must be protected.

In the case of personnel and medical records, disclosure to unauthorized personnel creates liability issues. Many organizations are unwilling to do anything more than verify employment because of the fear of unauthorized disclosure. A school views student information as internal. Schools cannot release information about students without specific permission from the student.

Restricted Information

Restricted information refers to any information that could seriously damage the organization if disclosed. This includes proprietary processes, trade secrets, strategic information, and marketing plans. This information should never be disclosed to an outside party unless senior management gives specific authorization. In many cases, this type of information would also be placed on a need-to-know basis . Unless you need to know, you wouldn't be informed.

Government and Military Classifications

The U.S. government and the military have a slightly different set of concerns relating to information classification. Governmental agencies are very concerned about privacy and national security. Because of this, a unique system of classification and access controls has been implemented to protect information.

Following is a list of some of the types of government classifications:

Unclassified This classification is used to indicate that the information poses no risk or potential loss due to disclosure. Anybody can gain access to this category of information. Many training manuals and regulations are unclassified.

Sensitive But Unclassified This classification is used for low-level security. This classification indicates that disclosure of this information might cause harm, but it would not harm national defense efforts. The amount of toilet paper a military base uses may be considered sensitive. This information might help an intelligence agency guess at the number of personnel on a base.

Confidential The Confidential classification is used to identify low- level secrets. This classification is used extensively by the military to prevent access to sensitive information. Confidential is generally the lowest level of classification used by the military. Information that is lower than Confidential is generally considered unclassified. Confidential, however, does allow this information to be restricted for access under the Freedom of Information Act. The maintenance requirements for a machine gun may be classified as Confidential. This information would include drawings, procedures, and specifications that disclose how the weapon works.

Secret Secret information, if disclosed, could cause serious and irreparable damage to defense efforts. Information that is classified as Secret requires special handling, special training, and storage. This information is considered a closely guarded secret of the military or government. Troop movements, deployments, capabilities, and other plans would be minimally classified as Secret. The military views the unauthorized disclosure of Secret information as criminal and potentially treasonous.

Top Secret The Top Secret classification is the highest unclassified classification level. There are rumored to be higher levels of classification. The names of these classifications are in themselves classified Top Secret. Information that is classified as Top Secret poses a grave threat to national security. It must not be compromised. Information such as intelligence activities, nuclear war plans, and weapons systems development would normally be classified as Top Secret.

The government has also developed a process to formally review and downgrade classification levels on a regular basis. This process generally downgrades information based on age, sensitivity, and usefulness . There are methods of overriding this downgrade process to prevent certain information from being declassified. Some secrets are best left secret.

The military also uses an additional method of classifying information and access. This additional method has the effect of compartmentalizing information.

For example, if you were a weapons developer, it is not very likely that you would need access to information from spy satellites . You would be given special access to information that is needed for the project on which you are working.

This limited access might be necessary for the specific project. When the project is finished, access to this special information is revoked . This allows information to be protected and access limited to a need-to-know basis.

The process of obtaining a security clearance either for the military or for a government contractor can be a quite involved one. The normal process would investigate you, your family, and potentially anybody else who could put you in a compromised position. The process can take months, and it involves agents doing fieldwork to complete the investigation.

Roles in the Security Process

Effective security management requires the establishment of a clear set of roles and responsibilities for everyone involved in the process. You are learning to fill some of these roles as part of your Security + certification:

Owner The owner of the data is primarily responsible for establishing the protection and use of the data. The owner, in most situations, is a senior manager or other decision-maker within an organization. The owner is responsible for making sure that everyone follows all relevant and appropriate laws and regulations. Ultimately, the owner usually delegates some or all of the roles associated with the data to other individuals in the organization.

Custodian The custodian of the data is responsible for maintaining and protecting the data. In a computer environment, the custodian is usually the IT department. Network administrators, backup operators, and others perform custodial functions on the data. The security policies, standards, and guidelines should lay out these responsibilities and provide mechanisms to perform them.

User The user is the person or department that uses the data. Users of data may perform input, output, editing, and other functions allowed by the role they have in the process.

Two additional roles warrant discussion, as you may find yourself doing one or both of them:

Security Professional Security professionals are concerned with one or more aspects of the process. They may be investigators , implementers, testers, or policy developers. Investigators become involved in the process when a security problem has been identified. Testers, on the other hand, may be called to look for exploits or to test security processes for weaknesses. Policy developers help management develop and implement policies for the organization.

Note

Security professionals frequently encounter information they would normally not need to know. Discretion is a critical skill for a security professional. You may be asked to deny the existence of certain information in an organization. This implicit trust relationship should not be taken lightly.

{% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

Auditor Auditors are involved in the process of ensuring that practices, policies, mechanisms, and guidelines are followed within an organization. This function may involve reviewing documentation, reviewing activity logs, conducting interviews, and performing any number of other processes necessary to ensure that organizational security policies are followed. The role of the auditor is not that of a police officer, rather a consultant. An auditor can help an organization identify and correct deficiencies in security.

Each of these roles presents a special challenge, and it exposes you to information and processes that most individuals would not encounter in an organization. It is very important that you take these responsibilities seriously, and you should not divulge the information or process you uncover to any unauthorized individuals. You must hold yourself to a higher standard than those around you.

Information Access Controls

Access control defines the methods to ensure that users of your network only have access to what they authorized. The process of access control should be spelled out in the security policies and standards. Several models exist to accomplish this. This section will briefly explain the Bell La-Padula model, the Biba model, the Clark-Wilson model, the Information Flow model, and the Noninterference model. Each of these models approaches access control from a slightly different perspective.

Bell La-Padula Model

The Bell La-Padula model was designed for the military to address the storage and protection of classified information. The model is specifically designed to prevent unauthorized access to classified information. The model prevents the user from accessing information that has a higher security rating than they are authorized to access. The model also prevents information from being written to a lower level of security.

For example, if you are authorized to access Secret information, you are not allowed to access Top Secret information, nor are you allowed to write to the system at a level lower than the Secret level. This creates upper and lower bounds for information storage. This process is illustrated in Figure 6.11. Notice in the illustration that you cannot read up or write down . This means that a user cannot read information at a higher level than they are authorized to access. A person writing a file cannot write down to a lower level than the security level they are authorized to access.

Figure 6.11: The Bell La-Padula model

The process of preventing a write down keeps a user from accidentally breaching security by writing Secret information to the next lower level, the Confidential level. You would be able to read Confidential information, but since you are approved at that Secret level, you cannot write to the Confidential level. This model does not deal with integrity, only confidentiality. A user of Secret information can potentially modify other documents at the same level they posses.

To see how this works, think about corporate financial information. The Chief Financial Office may have financial information about the company that he needs to protect. The Bell La-Padula model would prevent him from inadvertently posting information at an access level lower than his access level. This prevents unauthorized or accidental disclosure of sensitive information, preventing a write down of the information. A lower-level employee would not be able to access this information because he cannot read up to the level of the CFO.

The Biba Model

The Biba model was designed after the Bell La-Padula model. The Biba model is similar in concept to the Bell La-Padula model, but it is more concerned with information integrity, an area that the Bell La-Padula model does not address. In this model, there is no write up or read down . In short, if you are assigned access to Top Secret information, you cannot read Secret information nor write to any level higher than the level to which you are authorized. This keeps higher-level information pure by preventing less reliable information from being intermixed with it. Figure 6.12 illustrates this concept in more detail. The Biba model was developed primarily for industrial uses, where confidentiality is usually less important than integrity.

Figure 6.12: The Biba model

Think about the data that is generated by a researcher for a scientific project. The researcher is responsible for managing the results of research from a lower-level project and incorporating it into his research data. If bad data were to get into his research, the whole research project would be ruined. With the Biba model, this accident could not happen. The researcher would not have access to the information from lower levels. That information would have to be promoted to the level of the researcher. This system would keep the researcher's data intact and prevent accidental contamination.

The Clark-Wilson Model

The Clark-Wilson model was developed after the Biba model. The approach is a little different from either the Biba or the Bell La-Padula method. In this model, data cannot be accessed directly. Data must be accessed through applications that have predefined capabilities. This process prevents unauthorized modification, errors, and fraud from occurring. If a user needs access to information at a certain level of security, a specific program is used. This program may only allow read access to the information. If a user needs to modify data, another application would need to be used. This allows a separation of duties in that individuals are granted access only to the tools they need. All transactions would have associated audit files and mechanisms to report modifications. Figure 6.13 illustrates this process. Access to information is gained by using a program that specializes in access management. This can be either a single program that controls all access or a set of programs that control access. Many software management programs work using this method of security.

Figure 6.13: The Clark-Wilson model

Let's say you were working on a software product as part of a team. You may need to access certain code to include in your programs. You are not authorized to modify this code; you are merely authorized to use it. You would use a checkout program to get the code from the source library. Any attempt to put modified code back would be prevented. The developers of the code in the source library would be authorized to make changes. This ensures that only people authorized to change the code can accomplish the task.

Information Flow Model

The Information Flow model is concerned with the properties of information flow, not only the direction of the flow. Both the Bell La-Padula and the Biba models are concerned with information flow in predefined manners. They are considered Information Flow models. This Information Flow model is concerned with all information flow, not just up or down. This model requires that each piece of information have unique properties, including operation capabilities. If an attempt were made to write lower-level information to a higher level, the model would evaluate the properties of the information and determine if the operation is legal. If the operation were illegal, the model would prevent this from occurring. Figure 6.14 illustrates this concept.

Figure 6.14: The Information Flow model

Let's use the previous software project as an example. A developer might be working with a version of the software to improve functionality. When the programmer has made improvements to the code, she would want to put that code back into the library. If the attempt to write the code were successful, the code would replace the existing code. If a subsequent bug were found in the new code, the old code would have been changed. The solution here would be to create a new version of the code that incorporates both the new code and the old code. Each subsequent change to the code would require a new version to be created. While this may consume more disk space, it does prevent things from getting lost, and it provides a mechanism to use or evaluate an older version of the code.

Noninterference Model

The Noninterference model is intended to ensure that higher-level security functions do not interfere with lower-level functions. In essence, if a higher- level user were changing information, the lower-level user would not know or be affected by the changes. This prevents the lower-level user from being able to deduce what changes are being made to the system. Figure 6.15 illustrates this concept. Notice that the lower-level user is not aware that any changes have occurred above them.

Figure 6.15: The Noninterference model