Organizations use information classification to help users understand the security requirements around handling different types of information. In this video, learn information classification techniques, including: assigning information to classification levels, labeling classified information, and proper information handling and disposal practices.
- [Narrator] Organizations use information classification to help users understand the security requirements around handling different types of information. Data classification policies describe the security levels of information used in an organization and the process for assigning information to a particular classification level. The different security categories or classifications used by an organization determine the appropriate storage, handling, and access requirements for classified information.
Security classifications are assigned based upon both the sensitivity of the information and the criticality of that information to the enterprise. Classification schemes vary, but all basically try to group information into high, medium, and low sensitivity levels and differentiate between public and private information. The military uses the familiar top secret, secret, confidential, and unclassified scheme, while a business might use friendlier terms to accomplish the same goal.
Data classification is extremely important because it is used as the basis for other data security decisions. For example, a company might require the use of strong encryption to protect sensitive and highly sensitive information both at rest and in motion. This is an example of a data handling requirement. Data classification also drives decisions regarding asset classification. For example, an organization may designate security classification levels for systems and then only allow systems to process information at their security level or lower.
This practice is commonly followed in the defense industry, where a computer system might be labeled as unclassified, secret, or top secret. An unclassified system would not, then, be allowed to handle information that was classified secret, while a top secret system would be allowed to process that information. In addition, administrators assume that any information stored on a system is classified at the highest level authorized for that system. If information is retrieved from a system that is authorized to process secret information, that information must be assumed to be secret unless it undergoes a manual classification review.
When an organization classifies information, it should also include labeling requirements that apply consistent markings to sensitive information. Using standard labeling practices ensures that users are able to consistently recognize sensitive information and handle it appropriately. Labels may be applied to both information and assets. Finally, every organization should adopt secure disposal procedures for sensitive information.
This should include the wiping techniques used to securely erase hard drives, flash drives, and other storage media before they are thrown away, recycled, or otherwise discarded. This is extremely important because of data remanence issues. Simply deleting files or formatting a hard disk is not sufficient to remove all traces of data from a device. Security administrators must use specialized tools to securely wipe storage devices and prevent the future retrieval of information believed to be deleted.
These include software applications such as Darik's Boot and Nuke, and hardware tools such as magnetic degaussers and device shredders. Information classification is a difficult undertaking that often requires beginning with a laborious inventory of sensitive information. But it pays off by giving employees a consistent way to identify, label, handle, and dispose of sensitive information.
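The classification rules described in the narration, as an added Python example that is not code from the course: an ordered set of levels, a check that a system processes only information at its own level or lower, a rule that information retrieved from a system inherits the system's highest authorized level unless a manual review assigns one, consistent labeling, and an encryption handling requirement keyed to the level. The level names, the "confidential and above must be encrypted" threshold, and the hostnames and file names are assumptions made for the illustration.

```python
"""Added example (not from the course): enforcing a data classification policy.

Assumptions: a four-level scheme (UNCLASSIFIED < CONFIDENTIAL < SECRET <
TOP_SECRET), and a handling rule that CONFIDENTIAL and above must be encrypted.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Ordered classification levels; a higher value is more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Assumed handling requirement: encryption at rest and in motion from this level up.
ENCRYPTION_REQUIRED_FROM = Level.CONFIDENTIAL


@dataclass(frozen=True)
class Document:
    name: str
    level: Level

    def label(self) -> str:
        """Consistent marking applied to every document, e.g. '[SECRET] plan.docx'."""
        return f"[{self.level.name}] {self.name}"


@dataclass(frozen=True)
class System:
    hostname: str
    level: Level  # highest level the system is authorized to process


class ClassificationError(Exception):
    """Raised when a handling rule would be violated."""


def may_process(system: System, doc: Document) -> bool:
    """A system may process information at its own level or lower, never higher."""
    return doc.level <= system.level


def store(system: System, doc: Document) -> Document:
    """Admit a document to a system, refusing anything above the system's level."""
    if not may_process(system, doc):
        raise ClassificationError(
            f"{system.hostname} ({system.level.name}) may not process {doc.label()}"
        )
    return doc


def retrieve(system: System, name: str, reviewed_level: Optional[Level] = None) -> Document:
    """Information leaving a system is assumed to be classified at the system's
    highest authorized level unless a manual classification review has assigned
    a level; the reviewed level, when given, is used as-is."""
    if reviewed_level is None:
        return Document(name, system.level)
    return Document(name, reviewed_level)


def requires_encryption(doc: Document) -> bool:
    """Apply the assumed handling requirement to a labeled document."""
    return doc.level >= ENCRYPTION_REQUIRED_FROM


if __name__ == "__main__":
    # Constructed sample systems and documents.
    secret_box = System("secret-fs-01", Level.SECRET)
    public_box = System("web-01", Level.UNCLASSIFIED)
    memo = Document("budget-memo.txt", Level.SECRET)
    store(secret_box, memo)  # allowed: SECRET data on a SECRET system
    try:
        store(public_box, memo)  # refused: SECRET data on an UNCLASSIFIED system
    except ClassificationError as err:
        print("blocked:", err)
    # No review yet, so the export inherits the system's level.
    print(retrieve(secret_box, "export.csv").label())
```

The ordering in `Level` is what makes the policy mechanical: every decision (admission to a system, the default label on retrieval, whether encryption is required) is a comparison against that order, which is why the narration calls classification the basis for the other data security decisions.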