Friday, August 23, 2013

Data Classification and Management


• A variety of classification schemes are used by corporate and military organizations
• Information owners are responsible for classifying the information assets for which they are responsible
• Information owners must review information classifications periodically
• The military uses a five-level classification scheme, but most organizations do not need the detailed level of classification used by the military or federal agencies

Security Clearances:
• The other side of the data classification scheme is the personnel security clearance structure
• Each user of data in the organization is assigned a single level of authorization indicating the level of classification he or she may access
• Before an individual is allowed access to a specific set of data, he or she must also meet the need-to-know requirement
• This extra level of protection ensures that the confidentiality of information is properly maintained.
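The two checks described above (clearance level against classification level, then need-to-know) can be expressed as a small access-decision routine. This is an added example, not code from the original post; the four-level corporate scheme, the compartment names and the sample asset and people are constructed for illustration, and the periodic review check reflects the owner's review duty mentioned earlier.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed corporate scheme for this example, ordered least to most sensitive.
LEVELS = ("public", "internal", "confidential", "restricted")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str
    need_to_know: frozenset      # compartments a reader must hold
    owner: str                   # information owner who assigned the label
    last_reviewed: date          # when the owner last re-examined the label


@dataclass(frozen=True)
class Person:
    name: str
    clearance: str               # the single authorization level assigned
    need_to_know: frozenset      # compartments this person is read into


def may_read(person: Person, asset: DataAsset) -> tuple[bool, str]:
    """Permit only if clearance dominates classification AND need-to-know is met."""
    if person.clearance not in RANK or asset.classification not in RANK:
        return False, "unknown label"
    if RANK[person.clearance] < RANK[asset.classification]:
        return False, f"clearance {person.clearance} is below {asset.classification}"
    missing = asset.need_to_know - person.need_to_know
    if missing:
        return False, "need-to-know not met for " + ", ".join(sorted(missing))
    return True, "access permitted"


def review_overdue(asset: DataAsset, today: date, max_age_days: int = 365) -> bool:
    """Flag assets whose classification the owner has not reviewed recently."""
    return today - asset.last_reviewed > timedelta(days=max_age_days)


# Constructed sample data: a payroll file and three people with different rights.
PAYROLL = DataAsset("payroll-2013", "confidential", frozenset({"hr"}),
                    "hr-director", date(2012, 6, 1))
ANALYST = Person("analyst", "restricted", frozenset({"finance"}))    # high clearance, no need-to-know
HR_CLERK = Person("hr-clerk", "internal", frozenset({"hr"}))         # need-to-know, clearance too low
HR_LEAD = Person("hr-lead", "confidential", frozenset({"hr", "finance"}))

if __name__ == "__main__":
    for person in (ANALYST, HR_CLERK, HR_LEAD):
        print(person.name, may_read(person, PAYROLL))
    print("review overdue:", review_overdue(PAYROLL, date(2013, 8, 23)))
```

Note that the analyst is refused despite holding the highest clearance: a clearance alone never grants access without need-to-know.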

Management of Classified Data:
• Includes the storage, distribution, portability, and destruction of classified information
– Classified information must be clearly marked as such
– When stored, it must be unavailable to unauthorized individuals
– When carried, it should be inconspicuous, as in a locked briefcase or portfolio
• Clean desk policies require all information to be stored in its appropriate storage container at the end of each day
• Proper care should be taken to destroy any unneeded copies
• Dumpster diving can prove embarrassing to the organization
Threat Identification:
• Each of the threats identified so far has the potential to attack any of the protected assets
• Examining every threat against every asset quickly becomes too complex and overwhelms the ability to plan

• To make this part of the process manageable, each step in the threat identification and vulnerability identification process is managed separately, and then coordinated at the end of the process.

Identify and Prioritize Threats:
• Each threat must be further examined to assess its potential to impact the organization; this is referred to as a threat assessment
• To frame the discussion of threat assessment, address each threat with a few questions:
– Which threats present a danger to this organization's assets in the given environment?
– Which threats represent the most danger to the organization's information?
– How much would it cost to recover from a successful attack?
– Which of these threats would require the greatest expenditure to prevent?

Vulnerability Identification:
• We now face the challenge of reviewing each information asset for each threat it faces and creating a list of the vulnerabilities that remain viable risks to the organization
• Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset.

Vulnerability Identification (process):
• Examine how each of the threats that are possible or likely could be perpetrated, and list the organization's assets and their vulnerabilities
• The process works best when groups of people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions
• At the end of the process, an information asset / vulnerability list has been developed.
