Organizations use information classification to help users understand the security requirements around handling different types of information. In this video, you will learn information classification techniques, including assigning information to classification levels, labeling classified information, and proper information handling and disposal practices.
- [Instructor] Organizations use information classification to help users understand the security requirements around handling different types of information. Data classification policies describe the security levels of information used in an organization and the process for assigning information to a particular classification level. The different security categories or classifications used by an organization determine the appropriate storage, handling, and access requirements for classified information.
Security classifications are assigned based upon both the sensitivity of information and the criticality of that information to the enterprise. Classification schemes vary but all basically try to group information into high, medium, and low sensitivity levels and differentiate between public and private information. For example, the military uses the familiar top-secret, secret, confidential, and unclassified classification scheme. A business, on the other hand, might use friendlier terms to accomplish the same goal using terms like highly sensitive, sensitive, internal, and public to classify information.
Data classification is extremely important because it is used as the basis for other data security decisions. For example, a company might require the use of strong encryption to protect sensitive and highly sensitive information, both at rest and in motion. This is an example of a data handling requirement. When an organization classifies information, it should also include labeling requirements that apply consistent markings to sensitive information.
Using standard labeling practices ensures that users are able to consistently recognize sensitive information and handle it appropriately. Finally, every organization should adopt secure disposal procedures for sensitive information. This should include the wiping techniques used to securely erase hard drives, flash drives, and other storage media before they are thrown away, recycled, or otherwise discarded. This is extremely important because of data remanence issues.
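The classification scheme, labeling, and handling requirements described above, worked through as an added Python example (this is not code from the course or from any (ISC)² material). The four business levels are the ones named in the lesson; the scoring rule in `assign_level`, the handling matrix in `HANDLING`, the storage names, and the `Asset` fields are assumptions chosen for illustration, and a real policy would set its own values.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Business classification scheme from the lesson; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3


@dataclass(frozen=True)
class HandlingRule:
    """Storage, transmission and disposal requirements for one level (assumed values)."""
    encrypt_at_rest: bool
    encrypt_in_transit: bool
    allowed_storage: frozenset
    disposal: str


# Assumed handling matrix. Strong encryption at rest and in motion for the top two
# levels mirrors the lesson's example; everything else is illustrative.
HANDLING = {
    Level.PUBLIC: HandlingRule(False, False, frozenset({"public-web", "shared-drive", "laptop"}), "none"),
    Level.INTERNAL: HandlingRule(False, True, frozenset({"shared-drive", "laptop"}), "delete"),
    Level.SENSITIVE: HandlingRule(True, True, frozenset({"shared-drive", "laptop"}), "secure-wipe"),
    Level.HIGHLY_SENSITIVE: HandlingRule(True, True, frozenset({"shared-drive"}), "secure-wipe"),
}


def assign_level(sensitivity: int, criticality: int) -> Level:
    """Assign a level from sensitivity and criticality scores (0-3 each).

    The lesson says both factors drive classification; the assumed rule here is that
    the higher of the two scores wins, so a low-sensitivity but business-critical
    record is still protected at the critical level.
    """
    for score in (sensitivity, criticality):
        if not 0 <= score <= 3:
            raise ValueError(f"score out of range: {score}")
    return Level(max(sensitivity, criticality))


def label(title: str, level: Level) -> str:
    """Apply the consistent marking users are trained to recognize: a fixed header format."""
    return f"[{level.name.replace('_', ' ')}] {title}"


@dataclass
class Asset:
    title: str
    level: Level
    storage: str
    encrypted_at_rest: bool
    encrypted_in_transit: bool


def handling_violations(asset: Asset) -> list:
    """Return the handling rules this asset breaks for its level; an empty list means compliant."""
    rule = HANDLING[asset.level]
    problems = []
    if rule.encrypt_at_rest and not asset.encrypted_at_rest:
        problems.append("encryption at rest required")
    if rule.encrypt_in_transit and not asset.encrypted_in_transit:
        problems.append("encryption in transit required")
    if asset.storage not in rule.allowed_storage:
        problems.append(f"storage '{asset.storage}' not permitted")
    return problems


def disposal_method(level: Level) -> str:
    """Look up the disposal requirement that applies when an asset at this level is retired."""
    return HANDLING[level].disposal


if __name__ == "__main__":
    # Constructed sample: a payroll export scored medium sensitivity, high criticality.
    level = assign_level(sensitivity=2, criticality=3)
    payroll = Asset(label("Q3 payroll export", level), level, "laptop", True, True)
    print(payroll.title, "->", handling_violations(payroll) or "compliant")
    print("disposal:", disposal_method(level))
```

The point of separating `assign_level`, `label`, and `handling_violations` is that each matches one of the policy elements in the lesson: the classification decision, the marking users see, and the storage and transmission rules that follow from the level. Changing the organization's scheme means editing `HANDLING`, not the checking logic.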
Simply deleting files or formatting a hard disk is not sufficient to remove all traces of data from the device. Security administrators must use specialized tools to securely wipe storage devices and prevent the future retrieval of information believed to be deleted. These include software applications such as Darik's Boot and Nuke, otherwise known as DBAN, and hardware tools such as magnetic degaussers and device shredders. Information classification is a difficult undertaking that often requires beginning with a laborious inventory of sensitive information but it pays off by giving employees a consistent way to identify, label, handle, and dispose of sensitive information.
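To show why ordinary deletion and formatting leave data behind, here is an added Python model of a storage device (not code from the course, and not how DBAN or any real filesystem is implemented). `ToyDisk` keeps raw blocks and a separate file table; `delete` and `quick_format` only touch the table, while `secure_wipe` overwrites every block. `carve` scans the raw blocks the way a recovery tool would, ignoring the table. Block size, the two-pass wipe pattern, and the sample payroll data are constructed assumptions.

```python
import os

BLOCK_SIZE = 16  # assumed block size for the toy device


class ToyDisk:
    """In-memory model of a storage device: raw blocks plus a file table (directory)."""

    def __init__(self, blocks: int = 8):
        self.raw = bytearray(blocks * BLOCK_SIZE)
        self.table = {}  # filename -> list of block indices
        self.free = list(range(blocks))

    def write(self, name: str, data: bytes) -> None:
        """Store data in free blocks and record them in the file table."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = chunk
        self.table[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and free the blocks; bytes stay in place."""
        self.free.extend(self.table.pop(name))

    def quick_format(self) -> None:
        """Quick format: start a new empty file table; block contents are untouched."""
        self.table = {}
        self.free = list(range(len(self.raw) // BLOCK_SIZE))

    def secure_wipe(self, passes: int = 2) -> None:
        """Overwrite every block (random data, then zeros) so prior contents cannot be carved out."""
        for p in range(passes):
            last = p == passes - 1
            fill = bytes(len(self.raw)) if last else os.urandom(len(self.raw))
            self.raw[:] = fill
        self.quick_format()


def carve(disk: ToyDisk, needle: bytes) -> bool:
    """Raw scan of the medium that ignores the file table, as a recovery tool would."""
    return needle in bytes(disk.raw)


def remanence_demo() -> dict:
    """Walk one record through delete, quick format and secure wipe; report what a raw scan finds."""
    disk = ToyDisk()
    secret = b"alice,120000\nbob,95000\n"  # constructed sample payroll data
    disk.write("salary.csv", secret)
    results = {"after_write": carve(disk, b"alice,120000")}
    disk.delete("salary.csv")
    results["after_delete"] = carve(disk, b"alice,120000")
    disk.quick_format()
    results["after_format"] = carve(disk, b"alice,120000")
    disk.secure_wipe()
    results["after_wipe"] = carve(disk, b"alice,120000")
    return results


if __name__ == "__main__":
    for stage, found in remanence_demo().items():
        print(f"{stage:>13}: record {'recoverable' if found else 'gone'}")
```

The model is deliberately simple, but the lesson's point survives it: both `delete` and `quick_format` leave `carve` able to find the record, and only `secure_wipe` makes it unrecoverable. On real media, wear leveling on flash storage and spare sectors on hard disks mean software overwrites may not reach every physical cell, which is why the lesson also lists degaussers and physical shredders as disposal options.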
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.