Data Classification

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> When we're talking about the data security lifecycle, and in just a few minutes we'll talk about the various states of data, what's important is consistency. Once we determine the value of the data and we've decided to secure it a certain way, we want to make sure that we consistently and uniformly protect the data according to those requirements. One of the best ways to do that is to have a formal classification strategy and classification policies and documents in place.

When we talk about classification, almost immediately people think about the government, the military. I do want to stress that classification is used by many industries, many private sector companies, again, just as a way of ensuring the consistency of the protection on data.

If you think about classification of data, I want you to remember the three C's: cost, classify, control.

Cost. Start with the value of the data. I know I've said that a million times and I may even say it a million more before this class is up, but it really requires an understanding of the value of what's being protected. What am I protecting and what's it worth? Is this my grocery list or is it the movement of troops in a foreign country? Night and day, the difference in that data, but I have to determine its value. I should have documentation that would help me frame the value of my data and categorize the data based on confidentiality, integrity, and availability. [inaudible] documents we've already talked about that will help with that if you're in a federal environment. But whatever the context is of risk management and information security, we've got to frame the data, think about its cost, think about its value so that we can classify it accordingly.

Now, we will have criteria also that, based on the security categorization of the data, we will have the classification that's appropriate. Based on the cost we classify, and the criteria for classification are predetermined. It's published through policy, through documentation, so that when I determine the value of my data, it's very easy to figure out what the classification is.

Then last, but not least, we control the data based on its classification. Meaning each level of classification has its own security configuration, and I'll point out baseline security configuration, meaning the minimum acceptable standard for security. For instance, not all top secret data is protected the same way, but all top secret data should have the same baseline configuration. We have the cost of the asset, then we classify based on predetermined criteria, and then we control, meaning protect it.

Now, when it comes to who determines the value of the data and its classification: the data owner. Now, sometimes that's senior leadership, sometimes it's department heads, lines of business, but whoever is the owner of the data is the one ultimately accountable for the protection of that data. Therefore, they're the ones who determine the classification. They determine its value. This could come up as being presented in multiple ways. Who determines the security of the data? The owner. Who determines access for the data? The owner. Who determines the security needed to protect the data? The owner. They're the ones determining the value, therefore, the classification, and then usually it's the custodian, which is often the IT department or some technical element that maintains the data. The custodian may implement the security that the owner has chosen.

Now, the thing about classifying data or having a classification strategy in our organization is those controls apply to the data regardless of state, regardless of phase of the lifecycle, so we can do our best to ensure consistency. If data is classified as top secret, there's a long list of protections that go with data to keep it protected at the appropriate levels, regardless of whether it's in transit or in storage or in archival. Wherever it is, a classification strategy really aims to provide consistent protection.