Domain 2 Overview and Classification Strategies


Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
We have finished up with domain 1, which was information security and risk management. Now we're going to move into domain 2, which is asset security. Here in this section we're going to talk about data classification schemes and strategies and what those bring to our organization. We'll look at the various states of data, the states in which data can exist. We'll talk about some threats to data protection. We'll look at data security in the Cloud, and then we'll wrap things up by looking at data disposal.

The first piece we're going to talk about is data classification and our strategies. Here we'll talk about, with classification, always starting with the value of our assets, then how we're going to classify data based on the value of our assets, and then how what we classify is going to dictate how we protect.

In the first section, we have to determine what our assets are and what their value is. Now as we go through and we're listing the assets of our organization, hardware, software, intellectual property, furniture, whatever the assets are, the facility itself, we can't just focus on those tangibles. We also have to think about things like company reputation. That's one of our greatest assets. Anything that has a value to the organization is going to be considered an asset, and therefore is going to be something for which we have to consider our impact, the impact of information security on the value of that asset.

When we're figuring out the asset's value, value is one of those all-inclusive terms. If you're talking about value in terms of maybe harm if the asset's compromised, or harm if the asset's unavailable, or value to competitors, or liabilities, all of that falls under the broad category of asset value. If you ever had to choose something like, what is classification based on? Liability, harm if compromised, acquisition cost, legislative drivers, value. Value encompasses all of the others, so that's your best choice. Ultimately when we're determining what its value is, we have to take into account all of these elements.

Many times, organizations make the mistake of just looking at physical costs, tangible costs. If I look at this laptop, I'd sell it on Craigslist for a 100 bucks, but that's not the true value of this laptop. The majority of value comes from what's on there, the data that resides on the laptop. Maybe I've got personal health care information and I might be subjected to a $10,000 fine if that information gets compromised. Well, that significantly raises the value of this laptop because it's tied into the potential for liability.

When we're talking about classification, we always start just like we did with risk management, with figuring out what we're protecting and what it's worth. Then that's going to lead us into the actual classification of data. As a matter of fact, you might want to think of data in terms of the 3Cs: cost, classify, control. With cost, we figure out, like we just said, the value of the data. Then we should have predetermined criteria that, based on its cost, will tell us how to classify. Now that classification could be top secret, secret or other military classifications; it could also be classification schemes that are there in the private sector. It's not just the government and military that use classification. They might have "for internal use only" or "confidential" information. Whatever our classification scheme is, we have two different layers of classification and we have specific criteria that tell us how to classify the data based on its value.

Now, for cost and classification, the first two of the three Cs, we have FIPS, which is Federal Information Processing Standards. FIPS 199 helps us to figure out the value of our data. Then FIPS 200 helps us determine how to classify it based on that value. I don't know that it's particularly testable for CISSP, but for those of you that are in the federal government, you may be familiar with FIPS 199 and 200. The idea is, whichever standards we're adhering to, there should be written policy on how to determine its value and how to classify it according to its value. Then if you're in the government, NIST Special Publication 800-53A is going to help us figure out what security controls should be implemented based on the classification of the data. Again, I don't need you to memorize those standards that I gave you, but just the understanding that this should be formalized and approved policy, so that I know exactly how to determine the value of my data. Then based on that value, I know how it should be classified, and based on that classification, I know what security controls should be implemented. Again, it's all about policies and procedures being in place.

Now it's the data owner that determines the classification of data. The data owners, these are the folks that understand the nature of the data, as well as its sensitivity, ideas like who needs to access it and how it should be protected. The data custodian is usually an IT-related role that provides the backup, the maintenance, the configuration in relation to the data itself.

Now, on this slide and the next, I have the military and government data classifications, and then the private sector data classifications. You don't need to memorize these, but I just included them so that you could see just some common classification schemes. Every organization is unique. If you're a commercial business, you may have a totally different classification scheme than what's listed. But the idea is we have information that, based on its value, falls into the classification. But classifying data is just the first piece. The classification will then dictate what security controls we put in place. Associate that with the purpose of classification being to know how to appropriately secure and protect the data.

Now when we talk about classification, often we talk about sensitivity, but we may also need to consider criticality. Those are two words that I can see being used interchangeably or being used incorrectly. But sensitivity is tied to privacy. What would the damage be if that information were compromised, if it became disclosed? That's sensitivity. But criticality revolves around availability. What would the damage be if the data was suddenly unavailable? Sometimes data is both sensitive and critical, or sometimes one is more important than the other. My health care information is sensitive. However, if I'm in the hospital emergency room, then it's critical. I want my doctors to have access to the medical information that they need. Both of those can contribute to the value of data.

All right, so we started out just by talking about this idea of classification, that we start with the value of the asset, and then don't forget the 3Cs. We determine the cost, we classify, and then we control. Then that classification is used in government and the private sector; I showed you those little charts. Don't really memorize those, but just be aware of the idea of different values being indicated by different levels of classification. Then the last thing is we just mentioned and referenced the idea of sensitivity versus criticality, that both of those can be used to determine the value of assets.