Sensitive Information Requires Strong Controls

Sensitive, secret, proprietary, or confidential information must be protected. The best way to accomplish this is through the use of strong data classification controls. Data classification is a useful way to rank an organization’s informational assets. The two most common data-classification schemes are military and public. The responsibility for the classification of data falls on the data owner. Individuals at the top of the organizational structure need to take the lead in implementing policies designed to protect this information. There are several ways to accomplish this task. Both military and private data-classification systems accomplish this task by placing information into categories. The first step of this process is to assess the value of the information. When the value is known, it becomes much easier to decide what amount of resources should be used to protect the data.
Each level of classification that is established should have specific requirements and procedures. The military and commercial data-classification models have predefined labels and levels. When an organization decides which model to use, it can evaluate data placement by using criteria such as the following:

• Data value
• Data age
• Laws pertaining to data
• Regulations pertaining to disclosure
• Replacement cost

Regardless of which model is used, the questions below will help determine the proper placement of the information.

• Who owns the asset?
• Who controls access rights and privileges?
• Who approves access rights and privileges?
• What level of access is granted to the asset?
• Who currently has access to the asset?

The military data-classification system is widely used within the DoD. This system has five levels of classification:

• Top secret – Grave damage if exposed
• Secret – Serious damage if exposed
• Confidential – Disclosure could cause damage
• Sensitive but unclassified – Disclosure should be avoided
• Unclassified – If released, no damage should result

Each level represents an increasing level of sensitivity. Sensitivity is the desired degree of secrecy that the information should maintain. If an individual holds a confidential clearance, it would mean that he could access unclassified, sensitive, or confidential information for which he has a need to know. His need-to-know would not extend to the secret or top-secret levels. The concept of need-to-know is similar to the principle of least privilege in that employees should have access only to information that they need to know to complete their assigned duties.
Public/Private Data Classification is another approach to data classification. The public or commercial data classification is built upon a four-level model:

• Confidential –This is the highest level of sensitivity and disclosure could cause extreme damage to the company.
• Private – This information is for company use only and its disclosure would damage the company.
• Sensitive – This information requires a greater level of protection to prevent loss of confidentiality.
• Public – This information might not need to be disclosed, but if it is, it shouldn’t cause any damage.

The number one thing that data classification does is to force an organization to examine its informational assets and place a value on them. Only then can a company start to look at what level of control is needed to protect this information.

Geef als eerste een reactie

Laat een reactie achter

Het e-mailadres wordt niet gepubliceerd.