Question:
Overview
It is important to understand the different kinds of data an organization collects. As a cybersecurity analyst, you need to know the data: know the criticality of the data you organize and analyze, and the impact on the organization if that data is breached or lost. As you develop the data life cycle plan, keep in mind that one of the goals is to protect the confidentiality, integrity, and availability of the organization's data. Consider the following:
- Is some information highly confidential?
- Would your company be at risk if certain data were leaked?
- Would your customers be at risk?
- What if your data disappeared?
As a security analyst, you will need to view this task using your adversarial mindset.
Part of data life cycle management and risk management is to classify the data. Classification schemes vary between organizations, but classification is always based on the criticality of the information and the risks associated with possible attacks. For example, in the case of a data breach, a customer's email address would typically be considered lower risk, while a customer's credit card number or Social Security number would be high risk and therefore receive stronger protection. Data classification is simply a way of grouping data by its level of criticality, so that each group can be given a matching degree of protection. The classification of a system or component follows its most critical data: a database that holds mostly low-risk records but also a column of card numbers must be handled at the level the card numbers require.
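The following script is an added example, not part of the assignment or its template, showing how a data inventory can be turned into classifications with the "highest field wins" rule described above. It assumes the three tiers from the matrix on this page (PUBLIC, SENSITIVE, CONFIDENTIAL), a constructed sample inventory for a hypothetical nursery, and two value-based detectors (a Luhn check for card numbers and the SSN number format); all field names, hint words, and sample values are illustrative assumptions, and a real data discovery tool would carry far more rules.

```python
"""Toy data-inventory classifier (added example; names and sample data are assumptions)."""
from __future__ import annotations

import re
from typing import Iterable

# Labels follow the three-tier matrix on this page; RANK lets "most critical field wins".
PUBLIC, SENSITIVE, CONFIDENTIAL = "PUBLIC", "SENSITIVE", "CONFIDENTIAL"
RANK = {PUBLIC: 0, SENSITIVE: 1, CONFIDENTIAL: 2}

# US SSN format: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Field-name hints (assumed vocabulary), matched as whole tokens so "shipping" != "pin".
SECRET_HINTS = {"password", "pin", "token", "secret", "key"}
PERSONAL_HINTS = {"ssn", "social", "salary", "dob", "birth", "medical"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: distinguishes a card number from any 16-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """Strip separators, require 13-19 digits, then apply Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def classify_field(name: str, value: str, approved_public: bool = False) -> tuple[str, str]:
    """Return (classification, justification) for one field of a component."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    # Value-based checks first: a field labelled innocently can still hold card data.
    if looks_like_card(value):
        return CONFIDENTIAL, f"{name}: value passes Luhn check, payment card number"
    if SSN_RE.match(value):
        return CONFIDENTIAL, f"{name}: value matches SSN format"
    if tokens & SECRET_HINTS:
        return CONFIDENTIAL, f"{name}: credential material"
    if tokens & PERSONAL_HINTS:
        return CONFIDENTIAL, f"{name}: personal/HR record"
    if approved_public:
        return PUBLIC, f"{name}: pre-approved for external release"
    if EMAIL_RE.match(value):
        return SENSITIVE, f"{name}: contact detail, internal distribution only"
    # Matrix default: most corporate information is SENSITIVE until approved for release.
    return SENSITIVE, f"{name}: corporate information not approved for public release"


def classify_component(name: str, fields: Iterable[tuple[str, str]],
                       approved_public: bool = False) -> dict:
    """Classify a system component at the level of its most critical field."""
    fields = list(fields)
    findings = [classify_field(f, v, approved_public) for f, v in fields]
    label = max((c for c, _ in findings), key=RANK.get, default=SENSITIVE)
    return {
        "component": name,
        "inventory": [f for f, _ in fields],
        "classification": label,
        "justification": [why for c, why in findings if c == label],
    }


def classify_inventory(inventory: dict, public_components: frozenset = frozenset()) -> dict:
    """Classify every component; only components on the pre-approved list may be PUBLIC."""
    return {name: classify_component(name, fields, name in public_components)
            for name, fields in inventory.items()}


# Constructed sample inventory for a hypothetical nursery (field names and values invented).
SAMPLE_INVENTORY = {
    "Customer database": [("email", "jane@example.com"), ("card_number", "4111 1111 1111 1111")],
    "HR system": [("employee_name", "J. Doe"), ("ssn", "123-45-6789"), ("salary", "52000")],
    "Public website": [("page_copy", "Spring seedlings on sale now")],
    "Internal wiki": [("procedure", "Watering schedule for greenhouse 2")],
}

if __name__ == "__main__":
    for row in classify_inventory(SAMPLE_INVENTORY, frozenset({"Public website"})).values():
        print(f"{row['component']:<18} {row['classification']:<12} {'; '.join(row['justification'])}")
```

The value-based detectors run before the name-based hints on purpose: a column called `notes` that actually contains card numbers must still be classified CONFIDENTIAL, which is why a data inventory is built by looking at the data, not only at the schema.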
Scenario
You are part of a cybersecurity consulting firm that has been hired by Green Thumb Nursery to help develop a risk management plan. The initial round of on-site, in-person interviews has already been conducted by your leadership team and you are tasked with helping them complete the finalized documentation for the data life cycle plan. This includes performing a data inventory to identify data critical to the organization in order to implement a data classification standard.
Prompt
Using your expertise as a cybersecurity consultant, complete the Data Inventory and Data Classification tab in your Project Two Milestone One template, linked in the milestone assignment in Module Three of your course. One row of the template has been completed to provide you with an example. Begin by reviewing the Classification Matrix tab to learn about the categories used for data classifications. You must address the critical elements listed below.
- Data Inventory: Using the components listed in the System Resource/Component column, complete the Data Inventory column.
- Identify the appropriate types of data found in each system resource/component.
- Data Classification: Using the information in the Data Inventory column, complete the Data Classification column.
- Apply the appropriate classification to the data you identified in your data inventory.
- Justification: Complete the Data Classification Justification column.
- Justify your rationale for applying each classification.
CATEGORY | DESCRIPTION | SAMPLE DOCUMENTS / RECORDS | DISTRIBUTION | DESTRUCTION / DISPOSAL |
--- | --- | --- | --- | --- |
PUBLIC or open | Information that may be broadly distributed without causing damage to the organization, its employees and stakeholders. The [PR Office/Marketing Dept/Information Security Management dept/etc.] must pre-approve the use of this classification. These documents may be disclosed or passed to persons outside the organization. | Marketing materials authorized for public release such as advertisements, brochures, published annual accounts, Internet Web pages, catalogues, external vacancy notices | No restrictions | Recycling/trash |
SENSITIVE | Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient. Disclosure to anyone outside of [Company name] requires management authorization. | Most corporate information falls into this category. Departmental memos, information on internal bulletin boards, training materials, policies, operating procedures, work instructions, guidelines, phone and email directories, marketing or promotional information (prior to authorized release), investment options, transaction data, productivity reports, disciplinary reports, contracts, Service Level Agreements, internal vacancy notices, intranet Web pages | Internal: use an internal mail envelope. External: use a sealed envelope. Electronic: use internal email system. Encryption is required for transmission to external email addresses. FAXing: take care over the FAX number! | Paper documents: shred. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, etc., to IT for appropriate disposal. |
CONFIDENTIAL / PRIVATE or Proprietary | Highly sensitive or valuable information, both proprietary and personal. Must not be disclosed outside of the organization without the explicit permission of a Director-level senior manager. | Passwords and PIN codes, VPN tokens, credit and debit card numbers, personal information (such as employee HR records, Social Security Numbers), most accounting data, other highly sensitive or valuable proprietary information | Internal: use a sealed envelope inside an internal mail envelope. Hand deliver if possible. External: use a plain sealed envelope. Hand deliver or send by registered mail, courier, etc. Electronic: use internal email system only. Encrypt data. FAXing: requires phone confirmation of receipt of a test page immediately prior to sending the FAX, and phone confirmation of full receipt. | Paper documents: shred using an approved cross-cut shredder. Electronic data: erase or degauss magnetic media. Send CDs, DVDs, dead hard drives, laptops, etc., to IT for appropriate disposal. |
This work is copyright 2009, Richard O. Regalado and ISO27k implementers' forum, some rights reserved. It is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 License. You are welcome to reproduce, circulate, use and create derivative works from this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to the ISO27k implementers' forum (www.ISO27001security.com), and (c) derivative works are shared under the same terms as this.