Information and asset classification in the CISSP exam
This article is part of our CISSP certification prep series. For more CISSP-related resources, see our CISSP certification hub.
This article will help you answer two questions related to the CISSP certification exam:
- What types of sensitive data do I need to know for the CISSP exam?
- What types of data classifications do I need to know and how are they affected by the type of data?
These questions, along with their accompanying subsections, cover a small portion of one of the CISSP certification CBK’s domains, namely, the second domain entitled Asset Security, which consists of the following topics:
- 2.1 Identify and classify information and assets
- 2.2 Establish information and asset handling requirements
- 2.3 Provision resources securely
- 2.4 Manage data lifecycle
- 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
- 2.6 Determine data security controls and compliance requirements
For the most part, this article is based on the 7th edition of the CISSP Official Study Guide.
1. What types of sensitive data do I need to know for the test?
According to the 7th edition of the CISSP Official Study Guide, sensitive data is “any information that isn’t public or unclassified.” The applicable laws and regulations may also answer the question: What information is sensitive?
Sensitive data comes in four kinds: confidential, proprietary, protected and other protected data. You should also learn the following types of sensitive data:
Personally Identifiable Information (PII)
As the name suggests, this is information that can identify an individual. According to the definition used by the National Institute of Standards and Technology (NIST), PII is information about an individual maintained by an agency, including:
- information that can be used to distinguish or trace an individual’s identity, such as name, date of birth, biometric records or Social Security number; and
- any other information linked to the individual, such as medical, financial, employment and educational information.
Organizations are obliged to protect PII, and there are many laws that impose requirements on companies to notify individuals whose data is compromised due to a data breach.
Protected Health Information (PHI)
PHI is any information on a health condition that can be linked to a specific person. It is a common misconception that only medical care providers, such as hospitals and doctors, are required to protect PHI. In fact, most employers collect PHI to provide or supplement healthcare policies. Thus, HIPAA compliance applies to the majority of organizations in the United States.
Proprietary Information
Proprietary information is a very valuable company asset because it represents a product of hard work, internal dealings and organizational know-how. This information is usually confidential, and it covers a wide range of creations: software programs, source and object code, copyrighted materials, engineering drawings, designs, inventions (whether or not patent protected), algorithms, formulas, schemes, flowcharts, manufacturing processes, marketing, trade secrets, pricing and financial data, etc.
If competitors get hold of your proprietary information, the consequences may be grievous, since you may lose your competitive edge. The legal protections of copyright, patents and trade secrets are, by themselves, insufficient to ensure the required level of protection for proprietary data. Unfortunately, many foreign entities resort to unfair practices, for example stealing proprietary data from their international business rivals. Beware also of disgruntled (former) employees.
2. What types of data classifications do I need to know and how are they affected by the type of data?
Every organization that strives to be on the safe side needs to implement a workable data classification program. Security experts define classifying data as a process of categorizing all data assets at the disposal of a given organization by a value that takes into account data sensitivity pertinent to the different categories of assets. Furthermore, such a value should be based upon the risk of a possible unauthorized disclosure.
Therefore, while low-risk data (classified as “Private”) requires a lesser level of protection, high-risk data (often labeled “Top Secret” or “Confidential”) necessitates a maximum level of protection and care.
Classifying data will also attempt to identify the risk and impact of a particular incident based on 1) the type of data and 2) the level of access to this data. In effect, these two components, along with the possible business impact, will define the most appropriate response.
Once you know that certain data is so sensitive that it is indispensable to the business, you will take the necessary measures to defend it, perhaps by allocating funds and resources in that direction. In this regard, one can reasonably say that a data classification program gives decision-makers a clearer view of what constitutes the company’s most important information assets and of how to distribute the company’s resources so as to protect its most critical digital infrastructure.
Consequently, a correct data classification program is undoubtedly cost-effective, because it enables a business to focus on those assets which face higher risks. Imagine, for instance, a company that cannot identify its most significant information assets and so treats all of its data as highly confidential. It will put an enormous strain on everyone’s nerves, to say the least, and may even lead to erroneous business practices and organizational chaos — e.g., employees may start shredding public information and recycling confidential data.
Security pundits advise that each classification program go through the four steps described below: creating an information asset inventory, classifying the information, labeling it and defining how assets are handled.
In practice, most companies outline these four steps in detail in a document called an Information Classification Policy.
Create an information asset inventory
In the context of the CISSP exam, the term “asset” encompasses not only 1) sensitive data, but also 2) the hardware that processes it and 3) the media on which it is stored.
The whole point of creating an asset inventory is to allow persons such as top executives to establish what kinds of classified information exist in the company, and who is responsible for it (or in other words, who is its owner). Classified information can reside on a wide array of media, ranging from paper documents and information transmitted verbally to electronic documents, databases, storage media (e.g., hard drives, USBs, and CDs) and email.
Classification of information
Most standards (for instance, ISO 27001) do not prescribe a specific framework for classifying information. This is left to the discretion of the organizations themselves. Nevertheless, whoever is entrusted with this task should take into account two basic elements: 1) the size and structure of the organization and 2) what is considered common in the country or industry in which the organization operates.
By way of illustration, databases, tables and sequences of files carry an increased risk because of their larger size and the possibility that a single event results in a massive data breach. Sensitive bits of information in such data collections are unlikely to be segregated from less sensitive ones. Therefore, the sensitivity classification applies to the data collection as a whole.
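As an added illustration (not code from the article or the Study Guide), the following Python applies the rule just described, classifying a data collection at the level of its most sensitive content under the article's private-sector scheme, and flags assets whose current audience is wider than that level permits, which ties together the type of data and the level of access mentioned earlier. The data-type-to-level mapping, the audience ranks and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass

# The article's private-sector scheme, ordered from least to most sensitive.
LEVELS = ["Public", "Sensitive", "Private", "Confidential"]

# Assumed mapping of data types to a level (constructed for this example;
# a real Information Classification Policy sets its own mapping).
DATA_TYPE_LEVEL = {"public": "Public", "internal": "Private", "pii": "Private",
                   "phi": "Confidential", "proprietary": "Confidential"}

# Assumed widest audience each level tolerates: need-to-know narrows as level rises.
MAX_AUDIENCE = {"Public": "anyone", "Sensitive": "organization",
                "Private": "organization", "Confidential": "workgroup"}
AUDIENCE_RANK = {"workgroup": 0, "organization": 1, "anyone": 2}

@dataclass
class Asset:
    name: str
    medium: str       # paper, database, file share, email, ...
    data_types: list  # kinds of data the collection holds
    audience: str     # who can currently access it

def classify(asset):
    """High-water mark: the collection takes the level of its most sensitive
    content, because sensitive records are not segregated from the rest."""
    unknown = [t for t in asset.data_types if t not in DATA_TYPE_LEVEL]
    if unknown or not asset.data_types:
        # Never let unrecognised or undescribed data silently fall to Public.
        raise ValueError(f"{asset.name}: cannot classify {unknown or 'empty asset'}")
    return max((DATA_TYPE_LEVEL[t] for t in asset.data_types), key=LEVELS.index)

def overexposed(asset):
    """True when the asset's current audience is wider than its level permits."""
    return AUDIENCE_RANK[asset.audience] > AUDIENCE_RANK[MAX_AUDIENCE[classify(asset)]]

def build_register(assets):
    """Rows for the asset register: (name, medium, level, access finding)."""
    return [(a.name, a.medium, classify(a), "REVIEW ACCESS" if overexposed(a) else "ok")
            for a in assets]

# Constructed sample inventory (not real data).
INVENTORY = [
    Asset("public-website", "web server", ["public"], "anyone"),
    Asset("hr-records", "database", ["internal", "pii"], "organization"),
    Asset("benefits-claims", "file share", ["pii", "phi"], "organization"),
]

if __name__ == "__main__":
    for row in build_register(INVENTORY):
        print(row)
```

The benefits-claims share is classified Confidential because of the PHI it holds, even though most of its records are merely Private, and the register flags it because the whole organization can read it.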
It should be noted that the asset owner is usually responsible for classifying the company’s information. Under normal circumstances, this process also relies on the results of a risk assessment: again, the higher the risk, the higher the classification level. In fact, the purpose of classifying information assets is somewhat similar to that of a risk assessment: to head off trouble by defining where the gravest risks lie.
Labeling of information
Classifying information is one thing; labeling it is a completely different thing. The goal of labeling is to develop guidelines for every type of information asset regarding how it should be labeled. As with classification, the asset owner is free to adopt whichever rules he or she finds suitable for the company.
Handling of assets
Most security experts emphasize this part of the classification process, because it develops the rules that will actually protect each kind of information asset according to its level of sensitivity.
Kosutic gives a good example of how the handling of assets should work in his article “Information classification according to ISO 27001”: “[…] you can define that paper documents classified as Restricted should be locked in a cabinet, documents may be transferred within and outside the organization only in a closed envelope, and if sent outside the organization, the document must be mailed with a return receipt service.”
Types of data classifications
In the U.S., the two most widespread classification schemes are A) the government/military classification and B) the private-sector classification. The government/military scheme has the following levels:
- Top Secret — It is the highest level in this classification scheme. The unauthorized disclosure of such information can be expected to cause exceptionally grievous damage to national security.
- Secret — Very restricted information. The unauthorized disclosure of such data can be expected to cause significant damage to national security.
- Confidential — A category that encompasses sensitive, private, proprietary and highly valuable data. The unauthorized disclosure of such data can be expected to cause serious, noticeable damage to national security.
These three levels of data are collectively known as ‘Classified’ data.
- Unclassified — It is the lowest level in this classification scheme. Furthermore, this data is neither sensitive nor classified, and hence it is available to anyone through procedures identified in the Freedom of Information Act (FOIA).
The private sector classification scheme is the one on which the CISSP exam is focused.
- Confidential — The highest level in this classification scheme, reserved for extremely sensitive data and internal data. A “Confidential” label necessitates the utmost care, as this data is intended for use by a limited group of people, such as a department or a workgroup, with a legitimate need to know. An organization may suffer considerable damage if its confidential data is divulged. Proprietary data, among other types of data, falls into this category.
- Private — Data for internal use only; it is of great significance, and its disclosure may have a significant negative impact on the organization. All data and information processed inside an organization is to be handled by employees only and should not fall into the hands of outsiders.
- Sensitive — A label applied to data that is treated as more restricted than public data. Negative consequences may ensue if such data is disclosed.
- Public — The lowest level of classification whose disclosure will not cause serious negative consequences to the organization.
Here is what the whole private sector classification looks like in the context of the Sony data breach in November 2014:
- “Confidential/Proprietary” Level — unreleased movies
- “Private” Level — salary information on 30,000 employees
- “Sensitive” Level — lists of laid-off or dismissed employees; embarrassing emails
- “Public” Level — Sony managed to protect the integrity of such information provided by them (e.g., on their website)
You should remember that in contrast to the strict government/military classification scheme, companies can use any labels they desire. Also, the data classification program does not need to be overly complex and sophisticated. Simple logic that reflects the company’s policies, goals, and common sense would probably suffice.
However, in an article by Hilary Tuttle, the author finds it astonishing that “only 31% of respondents say their company has a classification system that segments information assets based on value or priority to the organization (this piece of information is from a new report from the Ponemon Institute and law firm Kilpatrick Townsend & Stockton).”
- Abdallah, Z. Information Security on a Budget: Data Classification & Data Leakage Prevention. Available at http://www.takesecurityback.com/tag/data-classification/ (19/10/2016)
- All Data Types. Available at https://www.safecomputing.umich.edu/dataguide/?q=all-data (19/10/2016)
- Asset Identification & Classification. Available at http://www.itmatrix.com/index.php/procedural-services/asset-identification-classification (19/10/2016)
- Data Classification Guide. Available at https://security.illinois.edu/content/data-classification-guide (19/10/2016)
- Information Asset and Security Classification Procedure. Available at http://policy.usq.edu.au/documents/13931PL (19/10/2016)
- Kosutic, D. (2014). Information classification according to ISO 27001. Available at http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ (19/10/2016)
- Rodgers, C. (2012). Data Classification: Why is it important for Information Security? Available at https://www.securestate.com/blog/2012/04/03/data-classification-why-is-it-important-for-information-security (19/10/2016)
- Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition).
- Tuttle, H. (2016). Businesses Ignore Significant Cybersecurity Risks to Proprietary Data. Available at http://www.riskmanagementmonitor.com/cybersecurity-risks-to-proprietary-data/ (19/10/2016)
- What is sensitive data, and how is it protected by law? Available at https://kb.iu.edu/d/augs (19/10/2016)
- The diagram is based on a figure in “Information classification according to ISO 27001” by Kosutic, D. Available at http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/ (19/10/2016)