You cannot implement what senior management won't support. Sure, you will need the employees to buy into the process, but the biggest element of success depends on making sure that security flows from the top. With senior management leading the way, you can further ensure success by setting up a data-classification scheme so that employees realize the importance of the data they work with. You will also want to consider employee training: without it, how will employees know good security practices? As a final step, you will want to build in security controls, because they allow you to monitor the level of compliance.
Data Classification
Organizational information that is proprietary or confidential in nature must be protected. Data classification is a useful way to rank an organization's informational assets. The two most common data-classification schemes are military and public. Companies store and process so much electronic information about their customers and employees that it's critical for them to take appropriate precautions to protect this information. Both military and private data-classification systems accomplish this task by placing information into categories. The first step of this process is to assess the value of the information. When the value is known, it becomes much easier to decide what amount of resources should be used to protect the data. It would make no sense to spend more on protecting something with a lesser value or worth.
Each level of classification that is established should have specific requirements and procedures. The military and commercial data-classification models have predefined labels and levels. When an organization decides which model to use, it can evaluate data placement by using criteria such as the following:
Military Data Classification
The military data-classification system is widely used within the Department of Defense. This system has five levels of classification:
Each level represents an increasing level of sensitivity. Sensitivity is the desired degree of secrecy that the information should maintain. If an individual holds a confidential clearance, it would mean that he could access unclassified, sensitive, or confidential information for which he has a need to know. His need-to-know would not extend to the secret or top secret levels. The concept of need-to-know is similar to the principle of least privilege, in that employees should have access only to information that they need to know to complete their assigned duties. Table 3.4 provides details about the military and public/private data-classification models.
| Commercial Business Classifications | Military Classifications |
|---|---|
| | Top secret |
| Confidential | Secret |
| Private | Confidential |
| Sensitive | Sensitive |
| Public | Unclassified |
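The clearance rule described above (a subject reads only data at or below his clearance level, and only where he has a need-to-know) as a worked check, added here as an example rather than code from the book. It assumes the five military levels listed in the text and models need-to-know as a set of hypothetical compartment tags on each document, which goes slightly beyond the text's prose description.

```python
"""Clearance versus classification check: a subject may read an object only if
the subject's clearance level is at least the object's level AND the subject
has a need-to-know for every compartment the object is tagged with."""
from dataclasses import dataclass, field

# Military levels ordered lowest -> highest sensitivity, as listed in the text.
MILITARY_LEVELS = ("unclassified", "sensitive", "confidential", "secret", "top secret")


@dataclass(frozen=True)
class Label:
    level: str
    # Need-to-know compartments (hypothetical names; a modelling assumption).
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in MILITARY_LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(subject: Label, obj: Label) -> bool:
    """True if the subject's level is >= the object's and covers its compartments."""
    return (MILITARY_LEVELS.index(subject.level) >= MILITARY_LEVELS.index(obj.level)
            and obj.compartments <= subject.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read access is granted only when the subject's label dominates the object's."""
    return dominates(subject, obj)


def accessible(subject: Label, objects: dict) -> list:
    """Names of the objects a subject may read: a quick audit of what a clearance exposes."""
    return sorted(name for name, lab in objects.items() if can_read(subject, lab))


# Constructed sample: an analyst holding a confidential clearance with need-to-know
# for the "payroll" compartment only (values invented for this example).
ANALYST = Label("confidential", frozenset({"payroll"}))
DOCS = {
    "press_release": Label("unclassified"),
    "vendor_list": Label("sensitive"),
    "payroll_q3": Label("confidential", frozenset({"payroll"})),
    "merger_memo": Label("confidential", frozenset({"mergers"})),  # same level, no need-to-know
    "incident_plan": Label("secret"),  # above the analyst's clearance
}

if __name__ == "__main__":
    print(accessible(ANALYST, DOCS))  # -> ['payroll_q3', 'press_release', 'vendor_list']
```

Note that `merger_memo` is refused even though it sits at the analyst's own level: matching the level is necessary but not sufficient, which is exactly the point of need-to-know.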
Public/Private Data Classification
The public or commercial data classification is also built upon a four-level model:
Information has a useful life. Data-classification systems need to build in mechanisms to monitor whether information has become obsolete. If that is the case, it should be declassified or destroyed.
Roles and Responsibility
Just as we have discussed the importance of data classification, it's important to provide a clear division of roles and responsibility. This will be a tremendous help when dealing with any security issues. Everyone should be subject to this policy, including employees, consultants, and vendors. The following list highlights general areas of responsibility that different organizational roles should be held to with regard to organizational security. Common roles include owner, data custodian, user, and security auditor:
The CISSP candidate can be expected to be tested on the concept of due care. Due care is the care an ordinary, reasonable person would exercise under the same or similar circumstances.
Security Controls
The objective of security controls is to enforce the security mechanisms the organization has developed. Security controls can be administrative, technical, or physical. With effective controls in place, risks and vulnerabilities can be reduced to a tolerable level. Security controls are put in place to protect confidentiality, integrity, and availability.
Administrative
Administrative controls are composed of the policies, procedures, guidelines, and baselines an organization develops. Administrative controls also include the mechanisms put in place to enforce and control employee activity and access, such as the following:
Technical
Technical controls are the logical mechanisms used to control access, authenticate users, identify unusual activity, and restrict unauthorized access. Some of the devices used as technical controls include firewalls, intrusion detection systems (IDSs), and authentication devices such as biometrics. Technical controls can be hardware or software.
Physical
Physical controls are the controls that are most typically seen. Examples of physical controls include gates, guards, fences, locks, CCTV systems, turnstiles, and mantraps. Because these controls can be seen, it's important to understand that people might attempt to find ways to bypass them. You've probably seen this at a card-key-controlled entrance: One person opens the door, and two or three walk in.
Because some controls will be highly visible, others should be designed to be more covert, to ensure defense in depth.