Chapter 5

Asset Management and Data Loss Prevention

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

  • Assign information ownership responsibilities.

  • Develop and use information classification guidelines.

  • Understand information handling and labeling procedures.

  • Identify and inventory information systems.

  • Create and implement asset classification policies.

  • Understand data loss prevention technologies.

Is it possible to properly protect information if we do not know how much it is worth and how sensitive it is? Until we classify the information, how do we know the level of protection required? Unless we determine the value to the organization, how can we decide the amount of time, effort, or money that we should spend securing the asset? Who is responsible for making these decisions? How do we communicate the value of our information assets to our employees, business partners, and vendors?

Identification and classification of information assets and systems is essential to the proper selection of security controls to protect against loss of confidentiality, integrity, and availability (CIA):

  • A loss of confidentiality is the unauthorized disclosure of information.

  • A loss of integrity is the unauthorized or unintentional modification or destruction of information.

  • A loss of availability is the accidental or intentional disruption of access to or use of information or an information system.

In this chapter, we look at the various methods and rating methodologies that organizations use to define, inventory, and classify information and information systems. We examine public and private sector classification systems that are used to communicate value and handling instructions. We will determine who is responsible for these activities. Last, we will put these best practices into policy.

FYI: ISO/IEC 27002:2013 and NIST Cybersecurity Framework

Section 8 of ISO 27002:2013 focuses on asset management with the objective of developing classification schemas, assigning classification levels, and developing handling standards to protect information.

The Asset Management category of the NIST Cybersecurity Framework defines asset management as the “data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes that are identified and managed consistently with their relative importance to business objectives and the organization’s risk strategy.”

The ID.AM-5 subcategory states that resources (hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value. The informative references that the NIST Cybersecurity Framework lists for ID.AM-5 are the following:

  • COBIT 5 APO03.03, APO03.04, BAI09.02

  • ISA 62443-2-1:2009 4.2.3.6

  • ISO/IEC 27001:2013 A.8.2.1

  • NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

Information Assets and Systems

What exactly is an information asset and why protect it? An information asset is a definable piece of information, stored in any manner, that is recognized as having value to the organization. Information assets include raw, mined, developed, and purchased data. If the information is damaged, compromised, or stolen, the consequences could include embarrassment, legal liability, financial ruin, and even loss of life.

Examples of organizational information include the following:

  • Data stores or warehouses of information about customers, personnel, production, sales, marketing, or finances

  • Intellectual property (IP) such as drawings, schematics, patents, music scores, or other publications that have commercial value

  • Operational and support procedures

  • Research documentation or proprietary information based on experimentation or exploration

  • Strategic and operational plans, processes, and procedures that uniquely define the organization

Information systems are the supporting players. Information systems provide a way and a place to process, store, transmit, and communicate the information. These systems are generally a combination of hardware and software assets and associated services. Information systems can be garden-variety off-the-shelf products or highly customized equipment and code. Support services may be technical services (voice communication and data communication) or environmental (heating, lighting, air conditioning, and power). The location of information systems may be “on premises,” at a contracted data center, or in the cloud.

Who Is Responsible for Information Assets?

This brings us to the question of ownership. Every information asset must be assigned an owner. The success of an information security program is directly related to the defined relationship between the data owner and the information. In the best-case scenario, the data owner also functions as a security champion enthusiastically embracing the goals of CIA.

In Chapter 3, “Cybersecurity Framework,” we defined information ownership as being liable and responsible for protecting the information and the business results derived from using that information. For example, you have a medical file at your doctor’s office that may contain your medical history, digital scans, lab results, and physician notes. The clinicians in the office use that information to provide you with medical care. Because the information is all about you, are you the owner? No. The medical staff uses the information to provide care, so are they the owner? No. The information owner is the one responsible for protecting the confidentiality of your medical record, ensuring the integrity of the information in your records, and making sure that it is available to the clinicians whenever you need care. In a small medical practice, the owner is generally a physician. In a clinic or hospital, the owner is a member of senior management. Although it may seem obvious that every information asset needs an owner, it is not always apparent who should be or who is willing to assume the responsibility of ownership.

The Role of the Data Owner

The ISO 27002:2013 standard recommends that we have a policy that specifically addresses the need to account for our information assets and to assign an owner to the asset. The goal of an Information Ownership policy is to ensure that appropriate protection is maintained. Owners should be identified for all major information assets and be given the responsibility for the safeguarding of the information system. The owner is responsible for the security of the asset.

Figure 5-1 shows the data owner responsibilities.

FIGURE 5-1 Data Owner Responsibilities

As illustrated in Figure 5-1, the data owner responsibilities include the following:

  • Defining what is an asset

  • Assigning the economic or business value to the asset

  • Defining the level of protection required for such asset

  • Deciding who should have access to the asset and who should grant such access

  • Delegating day-to-day security and operational tasks

Owners perform the ongoing governance of all asset management, as well as the authorization of any disclosure of information.

However, the owner is not the one who will be tasked with implementing security controls. That responsibility can be delegated to the information custodians, such as system administrators.

Asset (system, data, and resource) custodian responsibilities include the following:

  • Being a subject matter expert

  • Implementing protection mechanisms

  • Monitoring for problems or violations

  • Reporting suspected incidents

Common custodian roles include network administrators, IT specialists, database administrators, application developers, application administrators, and librarians.

The Role of the Information Security Officer

The information owner is accountable for the protection of the information asset. The information custodian is responsible for managing the day-to-day controls. The role of the Information Security Officer (ISO) is to provide direction and guidance as to the appropriate controls and to ensure that controls are applied consistently throughout the organization. Whereas information owners and custodians focus on specific information assets, the ISO is responsible for the security of the entire organization. As such, the office of the ISO is the central repository of security information. The ISO publishes the classification criteria, maintains the information system inventories, and implements broad strategic and tactical security initiatives.

In Practice

Information Ownership Policy Statement

Synopsis: A data owner is responsible for the protection of assigned information and systems. Inclusive in this responsibility are decisions about classification of information, protection of information and information systems, and access to information and information systems.

Policy Statement:

  • All information assets and systems must have an assigned owner.

  • The Office of Information Security will maintain an inventory of information ownership.

  • Owners are required to classify information and information systems in accordance with the organizational classification guidelines.

  • Owners are responsible for determining the required level of protection.

  • Owners must authorize internal information and information system access rights and permissions. Access rights and permissions must be reviewed and approved annually.

  • Owners must authorize third-party access to information or information systems. This includes information provided to a third party.

  • Implementation and maintenance of controls is the responsibility of the Office of Information Security; however, accountability will remain with the owner of the asset.

Information Classification

As discussed in the previous section, the information or data owner is responsible for classifying information using the criteria established by the ISO. The objective of an information classification system is to differentiate data types so that the organization can safeguard CIA based on content. The natural outcome of the classification process is instructions on who can access the asset, how the asset is to be used, what security measures need to be in place, and ultimately how the asset should be destroyed or disposed of. Classification systems have their genesis in two seminal security models designed in the 1970s for the U.S. military: Bell-LaPadula and Biba. Both models assume that an information system may contain information requiring different levels of protection and that users holding various clearance levels will access that system. The objective of the Bell-LaPadula model is confidentiality: a subject may not read data classified above its clearance, and may not write to an object classified below its clearance, so that sensitive content cannot flow downward to a less protected object. This is generally expressed as “no read up, no write down.” The objective of the Biba model is data integrity. Biba restricts subjects from reading data at a lower integrity level and from writing information to a higher integrity level. The theory is that data at a lower level may be incomplete or inaccurate and, if read, could unduly influence what is written at a higher level. This is generally expressed as “no read down, no write up.” Implementing Bell-LaPadula, Biba, and subsequent models required that a structured data classification system be developed.

Under Bell-LaPadula, users can create content only at or above their own security level and can view content only at or below it. The Biba model addresses integrity, but only the first goal of integrity, preventing unauthorized subjects from modifying data; availability and confidentiality are not examined. Biba also assumes that internal threats are handled by good coding practices, which is why it focuses on external threats.
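The read and write rules of the two models, as an added example written for this chapter (it is not code from the book). The four-level lattice, the function names, and the `both_models_allow` combination are my own constructions; real systems add compartments or categories on top of the hierarchical level, which this example omits.

```python
"""Access decisions under Bell-LaPadula (confidentiality) and Biba (integrity).

Added example; not code from the chapter. The level lattice is a plain
ordering of four constructed levels, without compartments or categories.
"""
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical levels. Under BLP a higher value means more sensitive;
    under Biba it means more trustworthy (higher integrity)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Bell-LaPadula: "no read up, no write down"
def blp_can_read(subject: Level, obj: Level) -> bool:
    """Simple security property: read objects at or below the subject's clearance."""
    return subject >= obj


def blp_can_write(subject: Level, obj: Level) -> bool:
    """*-property: write only to objects at or above the subject's clearance,
    so sensitive content cannot be copied into a lower-level object."""
    return subject <= obj


# Biba: "no read down, no write up"
def biba_can_read(subject: Level, obj: Level) -> bool:
    """Simple integrity property: read only objects at or above the subject's
    integrity level (lower-integrity data could contaminate the subject)."""
    return subject <= obj


def biba_can_write(subject: Level, obj: Level) -> bool:
    """*-integrity property: write only to objects at or below the subject's
    integrity level."""
    return subject >= obj


def both_models_allow(action: str, subject: Level, obj: Level) -> bool:
    """Enforce BLP and Biba on the same lattice at once. Because the two
    models are duals, the combination permits reads and writes only at the
    subject's own level; this is why real deployments use separate lattices."""
    if action == "read":
        return blp_can_read(subject, obj) and biba_can_read(subject, obj)
    if action == "write":
        return blp_can_write(subject, obj) and biba_can_write(subject, obj)
    raise ValueError(f"unknown action {action!r}")


def decision_table():
    """Return (model, action, subject, object, allowed) for every pair of levels."""
    checks = {
        ("BLP", "read"): blp_can_read,
        ("BLP", "write"): blp_can_write,
        ("Biba", "read"): biba_can_read,
        ("Biba", "write"): biba_can_write,
    }
    rows = []
    for (model, action), fn in checks.items():
        for subject in Level:
            for obj in Level:
                rows.append((model, action, subject.name, obj.name, fn(subject, obj)))
    return rows


if __name__ == "__main__":
    # Show what a SECRET-cleared subject may do under each model.
    for row in decision_table():
        if row[2] == "SECRET":
            print(*row)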
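```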

Classification systems are now used in the private sector, the government, and the military. A financial institution will allow a teller to view general account information and cash checks of reasonable amounts. That same teller is not allowed to view information about internal bank assets and most definitely cannot access systems that would allow her to transfer millions of dollars. A hospital will allow a lab technician to access patient demographics and physician instructions but will not allow him to read or edit the complete patient record. The military, based on national security concerns, makes decisions about to whom and how to make information accessible. They certainly do not want battle plans shared with the enemy. In fact, the military is a vivid example of an organization that relies extensively on a well-defined classification system. They classify not only information systems but people as well. Military and supporting civilian personnel are assigned clearance levels. The clearance level of the individual must match the classification of the data in order to be granted access. In this section, we examine different approaches to information classification.

In Practice

Information Classification Life Cycle Process

An information classification life cycle begins with the assignment of classification and ends with declassification. The information owner is responsible for managing this process, which is as follows:

  • Document the information asset and the supporting information systems.

  • Assign a classification level.

  • Apply the appropriate labeling.

  • Document “special” handling procedures (if different from organizational standards).

  • Conduct periodic classification reviews.

  • Declassify information when (and if) appropriate.

FYI: Freedom of Information Act

The Freedom of Information Act (FOIA) provides a powerful tool to advocates for access to information. Under the FOIA, anyone may request and receive records from federal agencies, unless the records fall under one of the statutory exemptions; the first exemption covers information properly classified for national security under an executive order (for example, at the Top Secret, Secret, or Confidential level). Federal agencies receive hundreds of thousands of FOIA requests per year. To learn more about FOIA, explore FOIA data, or make a FOIA request, visit FOIA.gov.

How Does the Federal Government Classify Data?

Let’s start by looking at how federal agencies categorize information and systems and then compare how the private sector classifies information. The United States government has enormous amounts of data and has a vested responsibility in protecting the CIA of the information and information systems. To this end, federal guidelines require that federal agencies categorize information and information systems. Federal Information Processing Standard 199 (FIPS-199) requires that information owners categorize information and information systems as low, moderate, or high security based on CIA criteria. The generalized format for expressing the security category (SC) of an information type is as follows: The SC of information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where the acceptable values for potential impact are low, moderate, high, or not applicable. Not applicable may be assigned only to the confidentiality objective of an information type; it is never used for integrity or availability, and never for an information system, for which low is the minimum on every objective:

  • Low potential impact means the loss of CIA could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

  • Moderate potential impact means the loss of CIA could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

  • High potential impact means the loss of CIA could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Confidentiality Factors

Information is evaluated for confidentiality with respect to the impact of unauthorized disclosure as well as the use of the information. Federal guidelines suggest that agencies consider the following:

  • How can a malicious adversary use the unauthorized disclosure of information to do limited/serious/severe harm to agency operations, agency assets, or individuals?

  • How can a malicious adversary use the unauthorized disclosure of information to gain control of agency assets that might result in unauthorized modification of information, destruction of information, or denial of system services that would result in limited/serious/severe harm to agency operations, agency assets, or individuals?

  • Would unauthorized disclosure/dissemination of elements of the information type violate laws, executive orders (EOs), or agency regulations?

Integrity Factors

Information is evaluated for integrity with respect to the impact associated with unauthorized modification or destruction. Federal guidelines suggest that agencies consider the following:

  • How does unauthorized or unintentional modification of information harm agency operations, agency assets, or individuals?

  • What is the impact of actions taken, decisions made based on modified information, or if the modified information is disseminated to other organizations or the public?

  • Does modification/destruction of elements of the information type violate laws, EOs, or agency regulations?

Availability Factors

Information is evaluated for availability with respect to the impact of disruption of access to or use of the information. Federal guidelines suggest that agencies consider the following:

  • How does the disruption of access to or use of information do harm to agency operations, agency assets, or individuals?

  • What is the impact of destruction and/or permanent loss of information?

  • Does disruption of access to or use of elements of the information type violate laws, EOs, or agency regulations?

FYI: Examples of FIPS-199 Classification

Example 1: An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (that is, confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability. The resulting SC of this information type is expressed as follows:

SC public information = {(confidentiality, n/a), (integrity, moderate), (availability, moderate)}.

Example 2: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. The resulting SC for this type of information is expressed as follows:

SC investigative information = {(confidentiality, high), (integrity, moderate), (availability, moderate)}.

Example 3: A power plant contains an SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. The management at the power plant determines that: (i) for the sensor data being acquired by the SCADA system, there is moderate impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability. The resulting SCs of these information types are expressed as follows:

SC sensor data = {(confidentiality, moderate), (integrity, high), (availability, high)}, and

SC administrative information = {(confidentiality, low), (integrity, low), (availability, low)}.

The resulting SC of the information system is expressed as

SC SCADA system = {(confidentiality, moderate), (integrity, high), (availability, high)},

thus representing the high-water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system.
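The three FYI examples above, carried through in code. This is an added example for this chapter, not code from the book or from NIST; the function names are my own. It encodes the FIPS 199 rules the examples rely on: the SC notation, the high-water mark across the information types resident on a system, the restriction of “not applicable” to the confidentiality of an information type (a system floors at low), and, going one step beyond the text, the overall impact level (the highest of the three objectives) that FIPS 200 uses to select an SP 800-53 control baseline.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example; not code from the chapter or from NIST. Function names are my
own. The rules encoded here follow FIPS 199: "not applicable" may be assigned
only to the confidentiality objective of an information type, and a system's
category is the high-water mark across the information types it holds, with
low as the floor for every objective.
"""
from typing import Dict, Iterable, Optional

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordered impact scale; None stands for "not applicable".
IMPACT_RANK = {None: 0, "low": 1, "moderate": 2, "high": 3}

SecurityCategory = Dict[str, Optional[str]]


def categorize_information(confidentiality: Optional[str], integrity: str,
                           availability: str) -> SecurityCategory:
    """Build the SC of an information type, validating the impact values."""
    sc = {"confidentiality": confidentiality, "integrity": integrity,
          "availability": availability}
    for objective, impact in sc.items():
        if impact not in IMPACT_RANK:
            raise ValueError(f"{objective}: unknown impact {impact!r}")
        if impact is None and objective != "confidentiality":
            raise ValueError(f"{objective}: 'not applicable' is allowed only for confidentiality")
    return sc


def categorize_system(information_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High-water mark: for each objective take the highest impact across all
    information types resident on the system. A system cannot be rated
    'not applicable', so a confidentiality value of None floors at low."""
    types = list(information_types)
    if not types:
        raise ValueError("a system must hold at least one information type")
    system: SecurityCategory = {}
    for objective in OBJECTIVES:
        highest = max((t[objective] for t in types), key=lambda v: IMPACT_RANK[v])
        system[objective] = highest if highest is not None else "low"
    return system


def overall_impact(sc: SecurityCategory) -> str:
    """Overall impact level used to pick the SP 800-53 baseline (FIPS 200):
    the highest impact among the three objectives."""
    return max((sc[o] for o in OBJECTIVES), key=lambda v: IMPACT_RANK[v])


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render in the chapter's notation, e.g. SC x = {(confidentiality, high), ...}."""
    parts = ", ".join(
        f"({o}, {sc[o] if sc[o] is not None else 'n/a'})" for o in OBJECTIVES
    )
    return f"SC {name} = {{{parts}}}"


if __name__ == "__main__":
    # Example 1: public web content; as a system, confidentiality floors at low.
    public = categorize_information(None, "moderate", "moderate")
    print(format_sc("public information", public))
    print(format_sc("web server", categorize_system([public])))

    # Example 3: SCADA system holding sensor data and administrative information.
    sensor = categorize_information("moderate", "high", "high")
    admin = categorize_information("low", "low", "low")
    scada = categorize_system([sensor, admin])
    print(format_sc("SCADA system", scada), "-> overall impact:", overall_impact(scada))
```

Note that the public web server in Example 1 comes out at low confidentiality once it is categorized as a system, even though its one information type was rated not applicable; the system-level processing functions still need a minimum of protection.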

Why Is National Security Information Classified Differently?

The United States government and the military process, store, and transmit information directly related to national security. It is important that everyone who interacts with these data recognize the significance. The first EO specifically defining and classifying government information was issued by President Harry S. Truman in 1952. Subsequent EOs were issued by Presidents Eisenhower, Nixon, Carter, Reagan, Clinton, and Bush. In December 2009, President Barack Obama issued Executive Order 13526 (Classified National Security Information), which revoked and replaced previous EOs:

“This order prescribes a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to defense against transnational terrorism. Our democratic principles require that the American people be informed of the activities of their Government. Also, our Nation’s progress depends on the free flow of information. Nevertheless, throughout our history, the national defense has required that certain information be maintained in confidence in order to protect our citizens, our democratic institutions, our homeland security, and our interactions with foreign nations. Protecting information critical to our Nation’s security and demonstrating our commitment to open Government through accurate and accountable application of classification standards and routine, secure, and effective declassification are equally important priorities.” (President Barack Obama, December 29, 2009)

Executive Order 13526 defines three classification levels, each of which denotes special access and handling requirements. Information outside the classification system is unclassified. Sensitive But Unclassified (SBU) is a Department of Defense marking category for unclassified information that still requires protection. Authority to assign a classification level is restricted to specific U.S. Government officials:

  • Top Secret (TS): Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security. Examples of exceptionally grave damage include armed hostilities against the United States or its allies; disruption of foreign relations vitally affecting the national security; the compromise of vital national defense plans or complex cryptology and communications intelligence systems; the revelation of sensitive intelligence operations; and the disclosure of scientific or technological developments vital to national security.

  • Secret (S): Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. Examples of serious damage include disruption of foreign relations significantly affecting the national security; significant impairment of a program or policy directly related to the national security; revelation of significant military plans or intelligence operations; compromise of significant military plans or intelligence operations; and compromise of significant scientific or technological developments relating to national security.

  • Confidential (C): Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security. Examples of damage include the compromise of information that indicates strength of ground, air, and naval forces in the United States and overseas areas; disclosure of technical information used for training, maintenance, and inspection of classified munitions of war; and revelation of performance characteristics, test data, design, and production data on munitions of war.

  • Unclassified (U): Any information that can generally be distributed to the public without any threat to national interest. Note: This category is not specifically defined in EO 13526.

  • Sensitive But Unclassified (SBU): This category is a Department of Defense subcategory and is applied to “any information of which the loss, misuse or unauthorized access to, or modification of might adversely affect U.S. National Interests, the conduct of the Department of Defense (DoD) programs or the privacy of DoD personnel.” Labeling in this category includes “For Official Use Only,” “Not for Public Release,” and “For Internal Use Only.” Note that this category is not specifically defined in EO 13526, and that Executive Order 13556 (November 2010) established the government-wide Controlled Unclassified Information (CUI) program to replace agency-specific markings such as SBU and For Official Use Only.

Who Decides How National Security Data Is Classified?

National security data is classified in one of two ways:

  • Original classification is the initial determination that information requires protection. Only specific U.S. Government officials who have been trained in classification requirements have the authority to make the classification decisions. Original classification authorities issue security classification guides that others use in making derivative classification decisions. Most government employees and contractors make derivative classification decisions.

  • Derivative classification is the act of classifying a specific item of information or material based on an original classification decision already made by an authorized original classification authority. The source of authority for derivative classification ordinarily consists of a previously classified document or a classification guide issued by an original classification authority. There are two primary sources of policy guidance for derivative classification. Within the Department of Defense, DoD Manual 5200.01, Volumes 1-4, the Information Security Program, provides the basic guidance and regulatory requirements for the DoD Information Security Program; Volume 1, Enclosure 4, discusses derivative classifier responsibilities. For cleared contractors in the private sector, DoD 5220.22-M, the National Industrial Security Program Operating Manual (NISPOM), details the derivative classification responsibilities.

How Does the Private Sector Classify Data?

There are no legally mandated private sector data classifications, so organizations are free to develop a classification system appropriate to their organization. Commonly used classifications include Protected (sometimes called Legally Protected), Confidential, Internal Use, and Public. Information owners are responsible for classifying data and systems. Based on the classification, information custodians can apply the appropriate controls and, importantly, users know how to interact with the data.

  • Protected: Data that is protected by law, regulation, memorandum of agreement, contractual obligation, or management discretion. Examples include nonpublic personal information (NPPI), such as social security number, driver’s license or state-issued identification number, bank account or financial account numbers, payment card information (credit or debit cardholder data, which is in scope for PCI DSS), and protected health information (PHI).

  • Confidential: Data that is essential to the mission of an organization. Loss, corruption, or unauthorized disclosure would cause significant financial or legal damage to the organization and its reputation. Examples include business strategies, financial positions, employee records, upcoming sales or advertising campaigns, laboratory research, and product schematics.

  • Internal Use: Data that is necessary for conducting ordinary company business. Loss, corruption, or unauthorized disclosure may impair the business or result in business, financial, or legal loss. Examples include policy documents, procedure manuals, nonsensitive client or vendor information, employee lists, or organizational announcements.

  • Public: Information that is specifically intended for the public at large. Public information requires discretionary treatment and should be cleared for release prior to public distribution. This category includes annual reports, product documentation, list of upcoming trade shows, and published white papers.

If the appropriate classification is not inherently obvious, a conservative approach is generally used and the data is classified in the more restrictive category.

FYI: What Is NPPI and Why Protect It?

Nonpublic personal information (NPPI) is data or information that is personal in nature, is not publicly available, and whose disclosure would be an invasion of privacy. Compromise of NPPI is often a precursor to identity theft. NPPI is protected from disclosure and/or requires notification of disclosure by a variety of federal and state laws and regulations.

NPPI in the private sector is also referred to as personally identifiable information (PII), or sensitive personal information (SPI).

NPPI is defined as an individual’s first name (or first initial) and last name linked with any one or more of the following data elements:

  • Social security number

  • Driver’s license number

  • Date of birth

  • Credit or debit card numbers

  • State identification card number

  • Financial account number, in combination with any required security code, access code, or password that would permit access to the account
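A content-inspection rule built on the NPPI definition above, as an added example for this chapter (it is not code from the book or from any DLP product). It scans a CSV export for two of the listed data elements, Social Security numbers and payment card numbers, and applies the definition literally: a row is NPPI when a name is linked with at least one element. The `luhn_ok`, `find_elements` and `scan_csv` names, the name-column heuristic, the “Review” outcome for an element without a linked name (the conservative approach the chapter recommends when classification is not obvious), and the sample rows are all my own constructions; 4111 1111 1111 1111 is a widely used test card number and 219-09-9999 is not a validly issued SSN.

```python
"""Content inspection for NPPI data elements, in the style of a DLP rule.

Added example; not code from the chapter or any DLP product. It scans a CSV
export for two of the elements the chapter lists (Social Security numbers and
payment card numbers) and applies the chapter's definition: NPPI is a name
linked with at least one such element. The rows in SAMPLE_CSV are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional

# SSN in NNN-NN-NNNN form, rejecting area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally grouped with spaces or hyphens; confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NAME_FIELDS = {"name", "full_name", "first_name", "last_name"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out order and invoice numbers that merely
    look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_elements(value: str) -> List[str]:
    """Return the NPPI element kinds present in one field value."""
    found = []
    if SSN_RE.search(value):
        found.append("ssn")
    for match in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            found.append("card_number")
            break
    return found


@dataclass
class Finding:
    row: int
    has_name: bool
    elements: List[str]
    classification: Optional[str]  # "Protected", "Review", or None


def scan_csv(text: str) -> List[Finding]:
    """Classify each row: Protected when a name is linked with an NPPI element,
    or when cardholder data is present at all (PCI DSS scope); Review when an
    element appears without a linked name; None when nothing was detected."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        has_name = any((k or "").strip().lower() in NAME_FIELDS and (v or "").strip()
                       for k, v in row.items())
        # Detect by content, not by column name: sensitive data ends up in "notes".
        elements = sorted({e for v in row.values() for e in find_elements(v or "")})
        if (has_name and elements) or "card_number" in elements:
            classification = "Protected"
        elif elements:
            classification = "Review"  # conservative: escalate to the owner
        else:
            classification = None
        findings.append(Finding(n, has_name, elements, classification))
    return findings


# Constructed sample export: a card number in a free-text field, a bare SSN
# with no name, an invoice number that fails Luhn, and a name linked to an SSN.
SAMPLE_CSV = """first_name,last_name,notes,reference
Alice,Example,Order 48-2201 confirmed,4111 1111 1111 1111
,,Ticket 219-09-9999 escalated,
Bob,Example,Invoice 1234 5678 9012 3456 paid,
Carol,Example,SSN on file 219-09-9999,
"""

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print(finding)
```

The Luhn check is what keeps the third row quiet: without it, any 16-digit invoice number would be flagged as cardholder data, and a rule that fires on every invoice is a rule users learn to ignore.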

In Practice

Information Classification Policy

Synopsis: An information classification system will be used to categorize information and information systems. The classification will be used to design and communicate baseline security controls.

Policy Statement:

  • The company will use a four-tiered data classification schema consisting of protected, confidential, internal use, and public.

  • The company will publish definitions for each classification.

  • The criteria for each level will be maintained by and be available from the Office of Information Security.

  • All information will be associated with one of the four data classifications. It is the responsibility of information owners to classify data.

  • Information systems containing information from multiple classification levels will be secured in accordance with the requirements of the highest classification level.

  • Data classification will remain in force regardless of the location or state of the data at any given time. This includes backup and archive mediums and locations.

  • The classification system will allow that classifications of information assets may change over time.

  • Each classification will have handling and protection rules. The Office of Information Security is responsible for the development and enforcement of the handling and protection rules.

Can Information Be Reclassified or Even Declassified?

Over a period of time, the need to protect information may change. An example of this can be found in the auto industry. Prior to a new car introduction, the design information is considered confidential. Disclosure would have serious ramifications to the automaker. After introduction, the same information is considered public and is published in the automotive manual. The process of downgrading sensitivity levels is known as declassification.

Conversely, organizations may choose to strengthen the classification level if they believe that doing so is for the benefit of the organization or required by evolving regulations. For example, in 2013, HIPAA regulations were extended to cover data maintained by business associates. In this case, business associates need to revisit the classification of data they access, store, process, or transmit. The process of upgrading a classification is known as reclassification. If the information owner knows ahead of time when the information should be reclassified, then that date should be noted on the original classification label (for example, “Confidential until [date]”). At the time an organization is establishing the criteria for classification levels, it should also include a mechanism for reclassifying and declassifying information. This responsibility may be assigned to the information owner or be subject to an internal review process.

Labeling and Handling Standards

Information owners classify information to identify the level of protection necessary. As we defined in Chapter 2, “Cybersecurity Policy Organization, Format and Styles,” standards serve as specifications for the implementation of policy and dictate mandatory requirements. Handling standards dictate by classification level how information must be stored, transmitted, communicated, accessed, retained, and destroyed. Labeling is the vehicle for communicating the assigned classification to information custodians and users.

Why Label?

Labels make it easy to identify the data classification. Labels can take many forms: electronic, print, audio, and visual. Information may need to be labeled in many ways, depending on the audience. The labels you are probably most familiar with are safety labels. You recognize poison from the skull-and-crossbones symbol. You instinctively know to stop when you see a red stop sign. You know to pull over when you hear a police siren. To protect information, classification level labels need to be as clear and universally understood as a skull-and-crossbones symbol or a stop sign. Labels transcend institutional knowledge and provide stability in environments that experience personnel turnover.

In electronic form, the classification should be a part of the document name (for example, “Customer Transaction History–PROTECTED”). On written or printed documents, the classification label should be clearly marked on the outside of the document, as well as in either the document header or footer. Media, such as backup tapes, should be clearly labeled with words and (where appropriate) symbols.

Why Handling Standards?

Information needs to be handled in accordance with its classification. Handling standards inform custodians and users how to treat the information they use and the systems they interact with. Handling standards generally include storage, transmission, communication, access, retention, destruction, and disposal, and may extend to incident management and breach notification.

As illustrated in Table 5-1, it is important that handling standards be succinctly documented in a usable format. The handling standards should be introduced during the orientation period and reintroduced as part of an Acceptable Use Policy and Agreement.

TABLE 5-1 Sample Handling Standards Matrix

(Columns: Data-Handling Standard | Protected | Confidential | Internal)

Data Storage (Servers)
  Protected: Allowed as required for business purposes.
  Confidential: Allowed as required for business purposes.
  Internal: Allowed as required for business purposes.

Data Storage (Workstations–Internal)
  Protected: Not allowed.
  Confidential: Not allowed.
  Internal: Allowed as required for business purposes.

Data Storage (Mobile Devices and Media)
  Protected: Allowed as required for business purposes. Encryption required.
  Confidential: Allowed as required for business purposes. Encryption required.
  Internal: Allowed as required for business purposes. Encryption highly recommended.

Data Storage (Workstations–Home)
  Protected: Not allowed.
  Confidential: Not allowed.
  Internal: Allowed as required for business purposes.

Data Storage (Removable Media for Backup Purposes)
  Protected: Storage allowed as required for business purposes. Encryption required.
  Confidential: Allowed as required for business purposes. Encryption required.
  Internal: Allowed as required for business purposes.

Internal Email
  Protected: Should be avoided if possible.
  Confidential: Should be avoided if possible.
  Internal: Allowed.

Instant Message or Chat
  Protected: Not allowed.
  Confidential: Not allowed.
  Internal: Allowed, but strongly discouraged.

External Email
  Protected: Text allowed as required for business purposes. Encryption required. No attachments. Footer must indicate that the content is legally protected.
  Confidential: Text allowed as required for business purposes. Encryption required. No attachments.
  Internal: Allowed. Encryption optional but strongly recommended.

External File Transfer
  Protected: Must be pre-authorized by an SVP. Encryption required.
  Confidential: Must be pre-authorized by an SVP. Encryption required.
  Internal: Allowed. Encryption optional but strongly recommended.

Remote Access
  Protected: Multifactor authentication required.
  Confidential: Multifactor authentication required.
  Internal: Multifactor authentication required.

Data Retention
  Protected: Refer to Legal Record Retention and Destruction Guidelines.
  Confidential: Refer to Company Record Retention and Destruction Guidelines.
  Internal: Refer to Departmental Record Retention and Destruction Guidelines.

Electronic Data Disposal/Destruction
  Protected: Must be irrevocably destroyed. Destruction certification required.
  Confidential: Must be irrevocably destroyed.
  Internal: Recommend irrevocable destruction.

Paper Document Disposal
  Protected: Must be cross-shredded. Destruction certification required.
  Confidential: Must be cross-shredded.
  Internal: Recommend cross-shred.

Paper Document Storage
  Protected: Maintained in a secure storage area or locked cabinet.
  Confidential: Maintained in a secure storage area or locked cabinet.
  Internal: No special requirements.

External Mail Carriers
  Protected: Use commercial carrier or courier service. Envelope/box should be sealed in such a way that tampering would be obvious. Packages must be signed for.
  Confidential: Use commercial carrier or courier service. Envelope/box should be sealed in such a way that tampering would be obvious. Packages must be signed for.
  Internal: No special requirements.

Outgoing Fax
  Protected: Cover page should indicate the faxed information is legally protected.
  Confidential: Cover page should indicate the faxed information is confidential.
  Internal: Cover page should indicate the faxed information is internal use.

Incoming Fax
  Protected: Incoming faxes should be directed to the closest fax machine, and removed from the machine immediately.
  Confidential: Incoming faxes should be directed to the closest fax machine, and removed from the machine immediately.
  Internal: No special requirements.

Suspected Breach, Unauthorized Disclosure, or Compliance Violation Should Be Reported To:
  Protected: Reported immediately to the ISO or Compliance Officer.
  Confidential: Reported immediately to the ISO or Supervisor.
  Internal: Reported immediately to Supervisor.

Data Handling Questions Should Be Directed To:
  Protected: ISO or Compliance Officer.
  Confidential: ISO or Supervisor.
  Internal: Supervisor.

In Practice

Information Classification Handling and Labeling Requirements Policy

Synopsis: The classification and handling requirements of information assets should be clearly identified.

Policy Statement:

  • Each classification will have labeling standards.

  • Data and information systems will be labeled in accordance with their classification.

  • Each classification of data will have documented handling standards for the following categories: storage, transmission, communication, access, logging, retention, destruction, disposal, incident management, and breach notification.

  • The Office of Information Security is responsible for the development and implementation of the labeling and handling standards.

  • All employees, contractors, and affiliates will be provided or have access to written documentation that clearly describes the labeling and handling standards.

  • All employees, contractors, and affiliates will be provided with a resource to whom questions can be directed.

  • All employees, contractors, and affiliates will be provided with a resource to whom violations can be reported.
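The label formats above (“Customer Transaction History–PROTECTED”, “Confidential until [date]”) and a subset of the Table 5-1 handling matrix, turned into a check that a transfer can be evaluated against. This is an added example, not code from the book; the channel names, the handling subset, and the choice to drop an expired “until” label to the Internal tier are assumptions made for the example.

```python
import re
from datetime import date
from typing import Iterable, Optional, Tuple

# Classification tiers from Table 5-1, most to least sensitive.
LEVELS = ["PROTECTED", "CONFIDENTIAL", "INTERNAL"]

# Constructed subset of the Table 5-1 handling standards, keyed by channel.
# Each cell is (decision, encryption_required, extra_conditions), where the
# decision is "allow", "avoid" (permitted but discouraged) or "deny".
HANDLING = {
    "internal_email": {
        "PROTECTED": ("avoid", False, ()),
        "CONFIDENTIAL": ("avoid", False, ()),
        "INTERNAL": ("allow", False, ()),
    },
    "chat": {
        "PROTECTED": ("deny", False, ()),
        "CONFIDENTIAL": ("deny", False, ()),
        "INTERNAL": ("avoid", False, ()),
    },
    "external_email": {
        "PROTECTED": ("allow", True, ("no attachments", "legal footer")),
        "CONFIDENTIAL": ("allow", True, ("no attachments",)),
        "INTERNAL": ("allow", False, ()),
    },
    "external_file_transfer": {
        "PROTECTED": ("allow", True, ("svp authorization",)),
        "CONFIDENTIAL": ("allow", True, ("svp authorization",)),
        "INTERNAL": ("allow", False, ()),
    },
    "home_workstation": {
        "PROTECTED": ("deny", False, ()),
        "CONFIDENTIAL": ("deny", False, ()),
        "INTERNAL": ("allow", False, ()),
    },
}

# Label formats from the chapter: "<title>–<LEVEL>" (en dash or hyphen) with an
# optional "until YYYY-MM-DD" declassification date.
LABEL_RE = re.compile(
    r"^(?P<title>.+?)\s*[\u2013-]\s*(?P<level>protected|confidential|internal)"
    r"(?:\s+until\s+(?P<until>\d{4}-\d{2}-\d{2}))?\s*$",
    re.IGNORECASE,
)


def parse_label(name: str) -> Tuple[str, Optional[date]]:
    """Return (level, declassify_on). Unlabelled names raise rather than
    defaulting to a harmless tier, so unlabelled data cannot slip through."""
    m = LABEL_RE.match(name)
    if m is None:
        raise ValueError(f"no classification label on {name!r}")
    until = date.fromisoformat(m.group("until")) if m.group("until") else None
    return m.group("level").upper(), until


def effective_level(name: str, today: date) -> str:
    """Apply 'Confidential until [date]': on or after that date the document is
    declassified. The chapter does not fix the target tier; this example drops
    it to the lowest one (INTERNAL), which is an assumption."""
    level, until = parse_label(name)
    if until is not None and today >= until:
        return LEVELS[-1]
    return level


def governing_level(levels: Iterable[str]) -> str:
    """Mixed classifications are secured at the highest level present."""
    return min(levels, key=LEVELS.index)


def evaluate(channel: str, names: Iterable[str], today: date, *,
             encrypted: bool = False, svp_authorized: bool = False,
             attachments: int = 0, legal_footer: bool = False) -> dict:
    """Check one transfer of the named documents over a channel against the
    handling matrix and report the governing level and any violations."""
    level = governing_level(effective_level(n, today) for n in names)
    decision, needs_encryption, extra = HANDLING[channel][level]
    violations = []
    if decision == "deny":
        violations.append(f"{level} data is not allowed over {channel}")
    if needs_encryption and not encrypted:
        violations.append("encryption required")
    if "no attachments" in extra and attachments:
        violations.append("attachments not permitted")
    if "svp authorization" in extra and not svp_authorized:
        violations.append("SVP pre-authorization required")
    if "legal footer" in extra and not legal_footer:
        violations.append("footer must state the content is legally protected")
    return {"level": level,
            "decision": "deny" if violations else decision,
            "violations": violations}
```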

Information Systems Inventory

As amazing as it may seem, many organizations do not have an up-to-date inventory of information systems. This happens for any number of reasons. The most prevalent is a lack of centralized management and control. Departments within organizations are given the autonomy to make individual decisions, bring in systems, and create information independent of the rest of the organization. Corporate cultures that encourage entrepreneurial behavior are particularly vulnerable to this lack of structure. Another reason is the growth of corporations through acquisitions and mergers. Sometimes companies change so rapidly it becomes nearly impossible to manage information effectively. Generally, the plan is to consolidate or merge information and systems, but in reality, they often end up cohabitating.

Why an Inventory Is Necessary and What Should Be Inventoried

An information systems inventory is necessary because, without one, it is very difficult to efficiently and accurately keep track of the items that need to be secured and of the elements that can introduce risk to the organization.

Putting together and maintaining a comprehensive physical inventory of information systems is a major task. The critical decision is choosing what attributes and characteristics of the information asset you want to record. The more specific and detailed the inventory, the more useful the inventory will be. Bear in mind that over time your inventory may have multiple purposes, including being used for criticality and risk analysis, business impact analysis, disaster recovery planning, insurance coverage, and business valuation.

Hardware Assets

Hardware assets are visible and tangible pieces of equipment and media, such as the following:

  • Computer equipment: Mainframe computers, servers, desktops, laptops, tablets, and smartphones

  • Printers: Printers, copiers, scanners, fax machines, and multifunction devices

  • Communication and networking equipment: IDS/IPSs, firewalls, modems, routers, access points, cabling, DSU/CSUs, and transmission lines

  • Storage media: Magnetic tapes, disks, CDs, DVDs, and USB thumb drives

  • Infrastructure equipment: Power supplies, air conditioners, and access control devices

Software Assets

Software assets are programs or code that provide the interface between the hardware, the users, and the data. Software assets generally fall into three categories:

  • Operating system software: Operating systems are responsible for providing the interface between the hardware, the user, and the application. Examples include Microsoft Windows, Apple iOS, Linux, UNIX, and FreeBSD.

  • Productivity software: The objective of productivity software is to provide basic business functionality and tools. Examples include mobile apps, the Microsoft Office Suite (Word, Excel, Publisher, and PowerPoint), Adobe Reader, Intuit Quick Books, and TurboTax.

  • Application software: Application software is designed to implement the business rules of the organization and is often custom-developed. Examples include programs that run complex machinery, process bank transactions, or manage lab equipment.

Asset Inventory Characteristics and Attributes

Each asset should have a unique identifier. The most significant identifier is the device or program name. Although you may assume that the name is obvious, you’ll often find that different users, departments, and audiences refer to the same information, system, or device differently. Best practices dictate that the organization choose a naming convention for its assets and apply the standard consistently. The naming convention may include the location, vendor, instance, and date of service. For example, a Microsoft Exchange server located in New York City and connected to the Internet may be named MS_EX_NYC_1. A SQL database containing inventory records of women’s shoes might be named SQL_SHOES_W. The name should also be clearly labeled on the device. The key is to be consistent so that the names themselves become pieces of information. This is, however, a double-edged sword: a descriptive name reveals the role and location of the device, so we risk exposing asset information to the public if our devices are publicly accessible or advertise their names in any way. We need to protect this information consistent with all other valuable information assets.

An asset description should indicate what the asset is used for. For example, devices may be identified as computers, connectivity, or infrastructure. Categories can (and should) be subdivided. Computers can be broken down into domain controllers, application servers, database servers, web servers, proxy servers, workstations, laptops, tablets, smartphones, and smart devices. Connectivity equipment might include IDS/IPSs, firewalls, routers, satellites, and switches. Infrastructure might include HVAC, utility, and physical security equipment.

For hardware devices, the manufacturer name, model number, part number, serial number, and host name or alias should be recorded. The physical and logical addresses should also be documented. The physical address refers to the geographic location of the device itself or the device that houses the information. This should be as specific as possible. For example, APPS1_NYC is located at the East 21st Street office’s second floor data center. The logical address is where the asset can be found on the organization’s network. The logical address should reference the host name, the Internet Protocol (IP) address, and, if applicable, the Media Access Control (MAC) address. Host names are “friendly names” given to systems. The host name may be the actual name of the system or an alias used for easy reference. The IP address is the unique network address location assigned to this system. Last, the MAC address is a unique identifier assigned to network connectivity devices by the manufacturer of the device.

FYI: Logical Addresses

Every device connected to a network or the Internet must be uniquely identified. The MAC address, the IP address, and the domain name are all used to identify a device. These addresses are known as “logical” rather than “physical” because they have little or no relationship to the geographic location of the device.

  • MAC Address: A Media Access Control (MAC) address is a hardware identification number that uniquely identifies a device. The MAC address is manufactured into every network card, such as an Ethernet card or Wi-Fi card. MAC addresses are made up of six two-digit hexadecimal numbers, separated by colons. Example: 9c:d3:6d:b9:ff:5e.

  • IPv4 Address: A numeric label that uniquely identifies a device on the Internet and/or on an internal network. The label consists of four groups of numbers between 0 and 255, separated by periods (dots). Example: 195.112.56.75.

  • IPv6 Address: Similar in function to IPv4, IPv6 is a 128-bit identifier. An IPv6 address is represented as eight groups of four hexadecimal digits. Example: FE80:0000:0000:0000:0202:B3FF:FE1E:8329.

  • IP Domain Name: Domain names serve as human-memorable names for Internet-connected devices (for example, www.yourschool.edu). The “yourschool.edu” section of the name is assigned by an Internet registrar and uniquely describes a set of devices. The “www” is an alias for a specific device. When you access a website, the full domain name is actually translated to an IP address, which defines the server where the website is located. This translation is performed dynamically by a service called the domain name system (DNS).

Software should be recorded by publisher or developer, version number, revision, asset number, the department or business that purchased or paid for it, and, if applicable, patch level. Software vendors often assign a serial number or “software key,” which should be included in the record.

Last but not least, the controlling entity should be recorded. The controlling entity is the department or business that purchased or paid for the asset and/or is responsible for the ongoing maintenance and upkeep expense. The controlling entity’s capital expenditures and expenses are reflected in its budgets, balance sheets, and profit and loss statements.
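An inventory record that carries the attributes listed above and validates the logical addresses in the formats the FYI describes (MAC, IPv4, IPv6), as an added example rather than code from the book. The naming-convention regex is an assumption modelled on the MS_EX_NYC_1 and SQL_SHOES_W examples, and the sample records in the usage are constructed; the point is that canonicalising identifiers keeps one device from being recorded twice under different spellings.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# MAC address: six two-digit hex groups. Colon-separated lower case is the form
# used in the chapter (9c:d3:6d:b9:ff:5e); hyphen-separated or upper-case input
# is accepted and normalised so the same NIC cannot be recorded twice.
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)

# Asset naming convention modelled on the chapter's MS_EX_NYC_1 and SQL_SHOES_W
# examples: upper-case alphanumeric tokens joined by underscores (an assumption).
NAME_RE = re.compile(r"^[A-Z0-9]+(?:_[A-Z0-9]+)+$")


def canonical_mac(mac: str) -> str:
    """Validate a MAC address and return it in lower-case, colon-separated form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def canonical_ip(ip: str) -> str:
    """Validate an IPv4 or IPv6 address and return its canonical text form.
    IPv6 is compressed, so the chapter's FE80:0000:0000:0000:0202:B3FF:FE1E:8329
    is stored as fe80::202:b3ff:fe1e:8329."""
    try:
        return str(ipaddress.ip_address(ip))
    except ValueError as exc:
        raise ValueError(f"malformed IP address: {ip!r}") from exc


@dataclass
class HardwareAsset:
    """Inventory record carrying the attributes the chapter lists."""
    name: str                # unique identifier following the naming convention
    description: str         # what the asset is used for
    manufacturer: str
    model: str
    serial: str
    hostname: str            # "friendly name" or alias
    ip: str                  # logical address on the network
    mac: str                 # logical address assigned by the NIC manufacturer
    physical_location: str   # geographic location, as specific as possible
    controlling_entity: str  # department that paid for and maintains the asset
    classification: str = "INTERNAL"

    def __post_init__(self) -> None:
        if not NAME_RE.match(self.name):
            raise ValueError(f"name {self.name!r} violates the naming convention")
        self.ip = canonical_ip(self.ip)
        self.mac = canonical_mac(self.mac)
        self.hostname = self.hostname.lower()


class Inventory:
    """Holds assets and rejects duplicate names, serials, MACs and IPs."""

    UNIQUE_FIELDS = ("serial", "mac", "ip")

    def __init__(self) -> None:
        self.assets: Dict[str, HardwareAsset] = {}
        # value -> asset name, per unique field, so a clash names the prior record
        self._seen: Dict[str, Dict[str, str]] = {f: {} for f in self.UNIQUE_FIELDS}

    def add(self, asset: HardwareAsset) -> HardwareAsset:
        if asset.name in self.assets:
            raise ValueError(f"duplicate asset name {asset.name}")
        for f in self.UNIQUE_FIELDS:
            value = getattr(asset, f)
            if value in self._seen[f]:
                raise ValueError(
                    f"{f} {value} already recorded for {self._seen[f][value]}")
        self.assets[asset.name] = asset
        for f in self.UNIQUE_FIELDS:
            self._seen[f][getattr(asset, f)] = asset.name
        return asset

    def by_controlling_entity(self, entity: str) -> List[str]:
        """Names of the assets a department is accountable for."""
        return sorted(a.name for a in self.assets.values()
                      if a.controlling_entity == entity)
```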

There are many tools on the market that can accelerate and automate asset inventory. Some of these tools and solutions are cloud-based; others are installed on-premises. Asset management software helps you monitor the complete asset life cycle from procurement to disposal. Some of these solutions support the automated discovery and management of all hardware and software inventory deployed in your network. Some also allow you to categorize and group your assets so that you can understand the context easily. These asset management solutions can also help you keep track of all your software assets and licenses so you can remain compliant. The following are a few examples of asset management solutions:

  • ServiceNow

  • SolarWinds Web Help Desk

  • InvGate Assets

  • ManageEngine AssetExplorer

Removing, Disposing Of, or Destroying Company Property

Company assets should be accounted for at all times. If company property needs to move from its assigned location or be destroyed, there should be an asset management procedure. Documentation should be maintained so that at any time an audit will account for the location and possession of every piece of equipment or information. Asset disposal and destruction is discussed in Chapter 7, “Physical and Environmental Security.”

In Practice

Inventory of Information System Assets Policy

Synopsis: All information systems should be inventoried and tracked.

Policy Statement:

  • All information system assets will be identified and documented with their classification, owner, location, and other details according to standards published by the Office of Information Security.

  • Company assets must be accounted for at all times.

  • The Office of Information Security will maintain the inventory documentation.

  • Copies of all inventory documentation will be included in the Business Continuity Plan.

FYI: Small Business Note

Is it necessary for small businesses to classify data? Emphatically, yes! It is very likely that a small business stores, processes, or transmits legally protected financial or medical data and/or is contractually obligated to protect debit and credit card information. At the very least, the company has information that for reasons related to either privacy or competition should not become public knowledge. Table 5-2 shows a combined three-tier data classification description and set of data-handling instructions for small businesses.

TABLE 5-2 Small Business Data Classification and Handling Instructions

Data Classification and Data Handling Instructions

I. Data Classification Definitions

  Protected: Data that is protected by law, regulation, contractual obligation, or management discretion.

  Confidential: Data that should not be publicly disclosed.

  Public: Data that is specifically intended for the public at large.

II. Data Handling Instructions

(Columns: Protected | Confidential | Public)

Data Storage Servers
  Protected: Allowed as required for business purposes.
  Confidential: Allowed as required for business purposes.
  Public: Allowed as required for business purposes.

Data Storage Workstations
  Protected: Not allowed.
  Confidential: Not allowed.
  Public: Allowed as required for business purposes.

Data Storage Mobile Devices
  Protected: Allowed as required for business purposes. Encryption required.
  Confidential: Allowed as required for business purposes. Encryption required.
  Public: Allowed as required for business purposes.

Data Storage Home Workstations
  Protected: Not allowed.
  Confidential: Not allowed.
  Public: Allowed as required for business purposes.

Internal Email
  Protected: Should be avoided if possible.
  Confidential: Allowed.
  Public: Allowed.

External Email
  Protected: Must be sent using secure email.
  Confidential: Allowed.
  Public: Allowed.

External File Transfer
  Protected: Must be sent using a secure file transfer program.
  Confidential: Must be sent using a secure file transfer program.
  Public: Allowed.

Remote Access
  Protected: Requires multifactor authentication.
  Confidential: Requires multifactor authentication.
  Public: N/A

Disposal/Destruction
  Protected: Must be irrevocably destroyed.
  Confidential: Must be irrevocably destroyed.
  Public: N/A

Paper Documents
  Protected: Maintained in a secure storage area or in a locked cabinet.
  Confidential: Maintained in a secure storage area or in a locked cabinet.
  Public: N/A

Questions and Concerns

Please direct all questions or concerns to your direct supervisor.

Understanding Data Loss Prevention Technologies

Data loss prevention (DLP) is the capability to detect any sensitive emails, documents, or information leaving your organization. These solutions typically protect the following data types:

  • Personally Identifiable Information (PII): Date of birth, employee numbers, social security numbers, national and local government identification numbers, credit card information, personal health information, and so on

  • Intellectual Property (IP): Patent applications, product design documents, the source code of software, research information, and customer data

  • Nonpublic Information (NPI): Financial information, acquisitions-related information, corporate policies, legal and regulatory matters, executive communication, and so on

Figure 5-2 lists the three states in which data can exist and the related protections.

[Figure 5-2 image: the three states in which data can exist, each with its related protections.]

FIGURE 5-2 Data States and Related Protections

What is data exfiltration? It is often referred to as data extrusion. Data exfiltration is the unauthorized transfer of data from a system or network. It may be performed manually by someone with physical access to the system, or it may be automated and carried out through malware or a system compromise over a network.

Several security products inspect traffic to prevent data loss in an organization, and several integrate with third-party products to provide this type of solution.

For example, the Cisco ESA and the Cisco WSA integrate RSA email DLP for outbound email and web traffic. These DLP solutions allow network security administrators to remain compliant and to maintain advanced control with encryption, DLP, and onsite identity-based integration. They also allow deep content inspection for regulatory compliance and data exfiltration protection, enabling an administrator to inspect web content by title, metadata, and size, and even to prevent users from storing files to cloud services such as Dropbox, Box, and Google Drive.

CloudLock is another DLP solution. It is designed to protect organizations of any type against data breaches in any cloud environment or application (app) through a highly configurable cloud-based DLP architecture.

Several of these solutions expose application programming interfaces (APIs) that allow deep integration with monitored SaaS, IaaS, PaaS, and IDaaS solutions. They provide advanced cloud DLP functionality, including out-of-the-box policies designed to help administrators maintain compliance.

An important benefit of cloud-based DLP solutions is that they allow you to monitor data at rest within platforms via APIs and provide a comprehensive picture of user activity through retroactive monitoring capabilities. Security administrators can mitigate risk efficiently using configurable, automated response actions, including encryption, quarantine, and end-user notification.

Data loss does not always result from a complex attack carried out by an external attacker; many data loss incidents are carried out by internal (insider) attackers. Data loss can also happen through human negligence or ignorance, for example an internal employee sending sensitive corporate email to a personal email account or uploading sensitive information to an unapproved cloud provider. This is why maintaining visibility into what is entering as well as leaving the organization is so important.

Data loss prevention (DLP) tools are designed to detect and prevent data exfiltration (unauthorized release or removal of data). DLP technologies locate and catalogue sensitive data (based on a predetermined set of rules or criteria), and DLP tools monitor target data while in use, in motion, and at rest. Table 5-3 summarizes some DLP tools and where they are placed in the network.
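A small content-inspection rule set of the kind a DLP tool applies to outbound mail, with the automated response actions the text names (encryption, quarantine, end-user notification). This is an added example, not any product's code; the approved-domain list, the bulk threshold, the response policy and the sample message are constructed for it, and the detectors cover two of the PII types listed above (social security numbers and payment card numbers, the latter confirmed with the Luhn checksum so plain digit runs do not trigger alerts).

```python
import re
from typing import Dict, List, Tuple

# Constructed policy values: mail domains that count as inside the organization,
# and the number of distinct records above which a message is a bulk export.
APPROVED_DOMAINS = {"example-corp.test"}
BULK_THRESHOLD = 5

# US social security number in NNN-NN-NNNN form, excluding never-issued ranges.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or hyphens. Plenty of harmless
# numbers look like this, so the Luhn checksum below is applied before alerting.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every SSN and Luhn-valid card number."""
    findings = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("CARD", digits))
    return findings


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in APPROVED_DOMAINS


def decide(recipients: List[str], body: str) -> Dict:
    """Pick a response action for one outbound message (constructed policy)."""
    findings = find_sensitive(body)
    external = [r for r in recipients if is_external(r)]
    if not findings:
        action = "allow"
    elif not external:
        action = "log"                # internal mail: record, do not interfere
    elif len({v for _, v in findings}) >= BULK_THRESHOLD:
        action = "quarantine"         # bulk record export: hold for review
    else:
        action = "encrypt+notify"     # small volume: force encryption, tell sender
    return {"action": action,
            "external_recipients": external,
            "findings": [(kind, mask(v)) for kind, v in findings]}


# Constructed sample message: a Luhn-valid test card number, an order reference
# that fails the checksum, and one SSN.
SAMPLE_BODY = ("Hi, the cardholder's number is 4111 1111 1111 1111 and the order "
               "reference is 1234 5678 9012 3456. SSN on file: 123-45-6789.")
```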

TABLE 5-3 DLP Location/Placement

(Columns: DLP Tool | Description/Placement)

Network-based (on premise): Network-based (hardware or virtual appliance) deals with data in motion and is usually located on the network perimeter.

Storage-based: Storage-based (software) operates on long-term storage (archive).

End-point based: End-point based (software) operates on a local device and focuses on data-in-use.

Cloud-based (off premise): Cloud-based operates in the cloud, with data in use, motion, and at rest.

DLP solutions can be used to identify and control end-point ports as well as block access to removable media.

  • Identify removable devices / media connected to your network by type (for example, USB thumb drive, CD burner, smart phone), manufacturer, model number, and MAC address.

  • Control and manage removable devices through endpoint ports, including USB, FireWire, Wi-Fi, Modem / Network NIC, and Bluetooth.

  • Require encryption, limit file types, limit file size.

  • Provide detailed forensics on device usage and data transfer by person, time, file type, and amount.

Summary

You may have heard the phrase “security through obscurity.” This phrase implies that there is a proportional relationship between keeping an asset hidden and its safety. The problem with this concept is that it is not practical, or even desirable, to keep our information and systems locked up. Information assets have value to the organization and are often used in day-to-day operations to accomplish its mission. The inverse to “security through obscurity” is “security through classification and labeling.” The best way to protect an information asset or system is to identify the confidentiality, integrity, and availability (CIA) requirements, and then apply the appropriate safeguards and handling standards. The process of identification and differentiation is known as classification. Information owners are responsible for properly identifying and classifying the information for which they are responsible. Information custodians are tasked with implementing security controls.

FISMA requires that federal agency information owners classify their information and information systems as low, moderate, or high security based on criteria outlined in FIPS-199. Information is evaluated for confidentiality with respect to the impact of unauthorized disclosure as well as the use of the information, integrity with respect to the impact associated with unauthorized modification or destruction, and availability with respect to the impact of disruption of access to or use of the information. Five special classifications are reserved for national security–related information that denotes special access and handling requirements: Top Secret, Secret, Confidential, Unclassified, and Sensitive But Unclassified (SBU). The process of downgrading a classification is known as declassification. The process of upgrading a classification is known as reclassification.

There are no comparable classification requirements for the private sector. However, multiple state and federal statutes require all organizations to protect specific categories of information. The broadest category is nonpublic personal information (NPPI). NPPI is information considered to be personal in nature, not subject to public availability, and if disclosed is an invasion of privacy. It is common for private sector organizations to adopt a three- or four-tier classification system that takes into account legal, privacy, and business confidentiality requirements. Labeling is the vehicle for communicating the assigned classification to information custodians and users. Handling standards inform custodians and users how to treat the information they use and the systems they interact with.

Information systems provide a way and a place to process, store, and transmit information assets. It is important to maintain an up-to-date inventory of hardware and software assets. Hardware assets are visible and tangible pieces of equipment and media. Software assets are programs or code that provide the interface between the hardware, the users, and the data. Descriptors may include what the asset is used for, its location, the unique hardware identification number known as a MAC address, the unique network identifier known as an IP address, host name, and domain name.

Organizational Asset Management policies include Information Ownership, Information Classification, Handling and Labeling Requirements, and Information Systems Inventory.

In this chapter, you learned that DLP is the technology and capability to detect any sensitive emails, documents, or information leaving your organization. This is often referred to as data exfiltration or data extrusion. Data exfiltration is the unauthorized transfer of data from a system or network manually (carried out by someone with physical access to such system), or it may be automated and carried out through malware or system compromise over a network.

Test Your Skills

Multiple Choice Questions

1. Which of the following terms best describes a definable piece of information, stored in any manner, that is recognized as having value to the organization?

A. NPPI

B. Information asset

C. Information system

D. Classified data

2. Information systems __________, __________, and __________ information.

A. create, modify, and delete

B. classify, reclassify, and declassify

C. store, process, and transmit

D. use, label, and handle

3. Information owners are responsible for which of the following tasks?

A. Classifying information

B. Maintaining information

C. Using information

D. Registering information

4. Which of the following roles is responsible for implementing and maintaining security controls and reporting suspected incidents?

A. Information owner

B. Information vendor

C. Information user

D. Information custodian

5. FIPS-199 requires that federal government information and information systems be classified as ____________.

A. low, moderate, high security

B. moderate, critical, low security

C. high, critical, top-secret security

D. none of the above

6. Information classification systems are used in which of the following organizations?

A. Government

B. Military

C. Financial institutions

D. All of the above

7. FIPS requires that information be evaluated for _____________requirements with respect to the impact of unauthorized disclosure as well as the use of the information.

A. integrity

B. availability

C. confidentiality

D. secrecy

8. Which of the following National Security classifications requires the most protection?

A. Secret

B. Top Secret

C. Confidential

D. Unclassified

9. Which of the following National Security classifications requires the least protection?

A. Secret

B. Unclassified

C. Confidential

D. Sensitive But Unclassified (SBU)

10. The Freedom of Information Act (FOIA) allows anyone access to which of the following?

A. Access to all government information just by asking

B. Access to all classified documents

C. Access to classified documents on a “need to know” basis

D. Access to any records from federal agencies unless the documents can be officially declared exempt

11. Which of the following terms best describes the CIA attribute associated with the modification of information?

A. Classified

B. Integrity

C. Availability

D. Intelligence

12. Is it mandatory for all private businesses to classify information?

A. Yes.

B. Yes, but only if they want to pay less tax.

C. Yes, but only if they do business with the government.

D. No.

13. Which of the following is not a criterion for classifying information?

A. The information is not intended for the public domain.

B. The information has no value to the organization.

C. The information needs to be protected from those outside of the organization.

D. The information is subject to government regulations.

14. Data that is considered to be personal in nature and, if disclosed, is an invasion of privacy and a compromise of security is known as which of the following?

A. Nonpersonal public information

B. Nonprivate personal information

C. Nonpublic personal information

D. None of the above

15. Most organizations restrict access to protected, confidential, and internal-use data to which of the following roles within the organization?

A. Executives

B. Information owners

C. Users who have a “need to know”

D. Vendors

16. Labeling is the vehicle for communicating classification levels to which of the following roles within the organization?

A. Employees

B. Information custodians

C. Contractors

D. All of the above

17. Which of the following terms best describes rules for how to store, retain, and destroy data based on classification?

A. Handling standards

B. Classification procedures

C. Use policies

D. Material guidelines

18. Which of the following terms best describes the process of removing restricted classification levels?

A. Declassification

B. Classification

C. Reclassification

D. Negative classification

19. Which of the following terms best describes the process of upgrading or changing classification levels?

A. Declassification

B. Classification

C. Reclassification

D. Negative classification

20. The impact of destruction and/or permanent loss of information is used to determine which of the following safeguards?

A. Authorization

B. Availability

C. Authentication

D. Accounting

21. Which of the following terms best describes an example of a hardware asset?

A. Server

B. Database

C. Operating system

D. Radio waves

22. Which of the following statements best describes a MAC address?

A. A MAC address is a dynamic network address.

B. A MAC address is a unique host name.

C. A MAC address is a unique hardware identifier.

D. A MAC address is a unique alias.

23. 10.1.45.245 is an example of which of the following?

A. A MAC address

B. A host name

C. An IP address

D. An IP domain name

24. Source code and design documents are examples of which of the following?

A. Software assets

B. Proprietary information

C. Internal-use classification

D. Intellectual property (IP)

25. Which of the following terms best describes the act of classifying information based on an original classification decision already made by an authorized original classification authority?

A. Reclassification

B. Derivative classification

C. Declassification

D. Original classification

26. Which of the following types of information would not be considered NPPI?

A. Social security number

B. Date of birth

C. Debit card PIN

D. Car manufacturer’s name

27. In keeping with best practices and regulatory expectations, legally protected data that is stored on mobile devices should be _____.

A. masked

B. encrypted

C. labeled

D. segregated

28. Which of the following statements best describes how written documents that contain NPPI should be handled?

A. Written documents that contain NPPI should be stored in locked areas or in a locked cabinet.

B. Written documents that contain NPPI should be destroyed by cross-cut shredding.

C. Written documents that contain NPPI should be subject to company retention policies.

D. All of the above.

29. Which of the following address types represents a device location on a network?

A. A physical address

B. A MAC address

C. A logical address

D. A static address

30. What is DLP?

A. An email inspection technology used to prevent phishing attacks

B. A software or solution for making sure that corporate users do not send sensitive or critical information outside the corporate network

C. A web inspection technology used to prevent phishing attacks

D. A cloud solution used to provide dynamic layer protection

Exercises

Exercise 5.1: Assigning Ownership

Owners are responsible for the protection of assets. For each of the following assets, assign an owner and list the owner’s responsibilities in regard to protecting the asset:

  1. The house you live in.

  2. The car you drive.

  3. The computer you use.

  4. The city you live in.

Exercise 5.2: Differentiating Between Ownership and Custodianship

A smartphone is an information system. As with any information system, data ownership and custodianship must be assigned.

  1. If a company provides a smartphone to an employee to use for work-related communications:

    1. Who would you consider the information system owner? Why?

    2. Who would you consider the information system custodian? Why?

  2. If a company allows an employee to use a personally owned device for work-related communications:

    1. Who would you consider the information system owner? Why?

    2. Who would you consider the information system custodian? Why?

    3. In regard to protecting data, should there be a distinction between company data and personal data?

Exercise 5.3: Creating an Inventory

You have been tasked with creating an inventory system for the computer lab at your school.

  1. For the hardware in the lab, list at least five characteristics you will use to identify each asset.

  2. For the software in the lab, list at least five characteristics you will use to identify each asset.

  3. Create an inventory template. Use either a spreadsheet or database application.

  4. Visit a classroom or lab and inventory a minimum of three hardware and three software assets.

Exercise 5.4: Reviewing a Declassified Document

Go to either http://FOIA.gov or the CIA FOIA Electronic Reading Room at www.foia.cia.gov.

  1. Find a document that has been recently declassified.

  2. Write a brief report explaining why and when the document was declassified.

Exercise 5.5: Understanding Color-Coded National Security

The Department of Homeland Security uses a color-coded advisory system to communicate threat levels to the public. This is an example of labeling.

  1. What colors are used in the Threat Advisory System?

  2. What does each of the colors mean?

  3. Do you think these labels are an effective way to communicate threat information to the general public? Why or why not?

Projects

Project 5.1: Developing an Email Classification System and Handling Standards

Data classification categories and handling standards are necessary to properly protect information. Email is a good example of an information system that processes, stores, and transmits many types of information.

  1. Develop a three-level classification system for your email communications. Consider the type of emails you send and receive. Take into consideration who should be able to view, save, print, or forward your email. For each classification, decide how you will label your emails to communicate the assigned classification. For each classification, develop handling standards.

  2. Multiple information systems are used to process, transmit, store, and back up email. Identify as many systems as possible involved in each step. For each system identified, document the person or position you would expect to be the information system owner. Is it necessary to provide them with a copy of your classification system or handling standards? Why or why not?

  3. Sometimes information system owners have different priorities. For example, your Internet service provider (ISP) by law has the right to view/open all documents that are stored on or passed through its systems. The ISP may choose to exercise this right by scanning for viruses or checking for illegal content. Suppose you have sent emails that could cause you harm if they were disclosed or compromised. As the information owner, what are your options?
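Project 5.1 asks for a three-level email classification scheme with labels and handling standards, and question 30 defines DLP as keeping sensitive information from leaving the corporate network. The following added example (not from the book) ties the two together: it labels a message both in a header and as a subject prefix, reads the label back, and applies a handling standard as an outbound check. The level names, the X-Classification header, the example.com domain and the rule that unlabeled mail defaults to Internal Use are all assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

LEVELS = ["Public", "Internal Use", "Confidential"]  # constructed scheme, least to most sensitive
LABEL_HEADER = "X-Classification"  # assumed custom header carrying the machine-readable label
ORG_DOMAIN = "example.com"         # constructed organisation domain
DEFAULT_LEVEL = "Internal Use"     # assumed handling rule: unlabeled mail is treated as Internal Use

def build_message(sender: str, to: str, subject: str) -> EmailMessage:  # constructed fixture
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    return msg

def label_message(msg: EmailMessage, level: str) -> EmailMessage:
    """Label a message twice: a header for systems and a subject prefix for people."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    subject = str(msg.get("Subject", ""))
    for lvl in LEVELS:  # drop an earlier label when reclassifying
        subject = subject.removeprefix(f"[{lvl}] ")
    del msg[LABEL_HEADER]  # del is a no-op when the header is absent
    del msg["Subject"]
    msg[LABEL_HEADER] = level
    msg["Subject"] = f"[{level}] {subject}"
    return msg

def classify_from_label(msg: EmailMessage) -> str:
    """Read the label back: header first, then subject prefix, else the default level."""
    level = msg.get(LABEL_HEADER)
    if level in LEVELS:
        return str(level)
    subject = str(msg.get("Subject", ""))
    for lvl in LEVELS:
        if subject.startswith(f"[{lvl}] "):
            return lvl
    return DEFAULT_LEVEL

def check_handling(msg: EmailMessage, need_to_know: set[str]) -> list[str]:
    """Outbound DLP-style check: return the recipients the handling standard forbids.
    Public: anyone; Internal Use: ORG_DOMAIN only; Confidential: the need-to-know list only."""
    level = classify_from_label(msg)
    allowed = {a.lower() for a in need_to_know}
    blocked = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        addr = addr.lower()
        if level == "Confidential" and addr not in allowed:
            blocked.append(addr)
        elif level == "Internal Use" and not addr.endswith("@" + ORG_DOMAIN):
            blocked.append(addr)
    return blocked
```

A real gateway would also inspect attachments and body content; this check only enforces the label, which is the labeling-as-communication point of the project.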

Project 5.2: Classifying Your School Records

Over time, your school has accumulated a great deal of information about you and your family, including your medical records, finances (including tax returns), transcripts, and student demographic data (name, address, date of birth, and so on). It is important that access to this information be restricted to authorized users.

  1. Create a table listing each of these information categories. Classify each one as either Protected, Confidential, Internal Use, or Public.

  2. Include in your table a column defining the “need to know” criteria. (Hint: This is the reason someone should be granted access to the information.)

  3. Even though the information pertains to you, you are not the owner. Include in your table a column listing who you would expect to be the information owner.

  4. Choose one of the categories you have listed and find out where the information is actually stored, who is responsible for it, who has access to it, and what policies are in place to protect it. Compare this information with your answers to items 1, 2, and 3 of this project.

Project 5.3: Locating and Using Special Publications

The National Institute of Standards and Technology (NIST) special publications contain a wealth of information applicable to both private and public sector organizations. In this project, you will familiarize yourself with locating and using special publications.

  1. Download a copy of NIST SP 800-88, R1: Guidelines for Media Sanitization.

  2. Read through the document.

  3. To whom does the publication assign ultimate responsibility for media sanitization?

  4. In regard to media sanitization, explain the differences between clear, purge, and destroy.

Case Study

Assessing Classification and Authorization at SouthEast Healthcare

SouthEast Healthcare was founded in 1920. It is headquartered in Atlanta, Georgia, and has 15 patient care sites located throughout the state. SouthEast Healthcare provides a full range of health-care services. The organization is a leader in electronic medical records and telemedicine services delivered via the Web. Over the years, they have made significant information security investments, including advanced intrusion detection systems; programs that audit, monitor, and report access; biometric devices; and training. Although their information technology (IT) and security staff is small, they are a dedicated team of professionals. SouthEast Healthcare appeared to be a model of security and was selected to participate in a HIPAA security study. At first, the audit team was very impressed. Then they began to wonder how protection decisions were made. It appeared to them that all information assets were being treated with equal protection, which meant that some were perhaps protected too much, whereas others were under-protected. They approached the CEO and asked her to explain how the organization made protection decisions. She replied that she left it up to the IT and security team. The auditors then went to the members of the team and asked them the same question. They enthusiastically replied that the importance of the various information assets was “institutional knowledge.” They were puzzled when the auditors asked if the information owners classified the information and authorized the protection levels. No, they replied, it had always been left to them. The auditors were not happy with this answer and expressed their displeasure in their interim report. The auditors are coming back in three months to complete the study. SouthEast Healthcare’s CEO wants this problem fixed before they return.

  1. Who should take responsibility for the classification and authorization project?

  2. Is this one project or two separate projects?

  3. Who should be involved in this project(s)?

  4. Would you engage external resources? Why or why not?

  5. How would you gain consensus?

  6. What involvement should the Board of Directors have?

References

Regulations Cited

FIPS PUB 199 Standards for the Security Categorization of Federal Information and Information Systems, February 2004, accessed 05/2018, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.

Freedom of Information Act, official website of the U.S. Department of Justice, FOIA, accessed 05/2018, www.foia.gov/.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules 45 CFR Parts 160 and 164 Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule Federal Register, Volume 78, No. 17, January 25, 2013, accessed 05/2018, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html.

“Instructions for Developing Security Classification Guides,” accessed 05/2018, http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/520045m.pdf.
