Data Classification Transcription

Welcome to our Data Classification module. It is very important that we manage our data throughout its entire life cycle, from the time it is created until it is properly destroyed at the end of its life. We can manage our data by classifying it, categorizing it, and assigning an owner.

We need to make sure that we have a data classification scheme in place to ensure that our employees are handling our sensitive material appropriately. The first step is to develop a security classification guide, where we define the levels of sensitivity and the labels that we will assign to our data.

It is important that we keep our data secure during all phases of its life. Once we categorize the information, or the information system it resides on, we can then implement appropriate levels of security controls based on the value of the data and the risk level associated with that data.

It is important our data policy defines the labels that will be used for our data, how we will store the data, and how we will dispose of data at the end of its life. And the protocols will usually be different for each level of data. For example, we will be much more careful with confidential data than we would be with public data.

Our management staff will define the controls that we will use with each level of data. Some sample labels for a corporate environment are public, internal use only, confidential, and restricted. We should make sure that we have resources in place to provide the correct level of protection or controls on our different assets.

We can group our assets by their value to our organization, by their sensitivity label, such as secret or top secret, or by their criticality or importance to our organization. By appropriately grouping our data, we can then determine the threats to that data and the risks we should be worried about.

In the United States, we are required by law to protect personally identifiable information, or PII, about our employees and our customers. It is important to make sure that we are continuously auditing access to sensitive data to verify that only authorized individuals are accessing the data. We want to avoid what is known as creep, where an individual is able to elevate their privileges over time to a point where they have more privileges than they should have access to.

This can happen if they are friends with a system administrator who gives them privileges. It can also happen as an individual changes jobs: they are assigned additional privileges, but the privileges that they no longer need from their old job role are not revoked.

Here we have some sample labels that we can use to classify our data. In the private sector, we can use confidential for our most sensitive data, then private, then sensitive, and our lowest classification would be public: data that we release to the public or maybe post on our website. In the military, our highest classification level is top secret, then we have secret, then confidential, then sensitive but unclassified, and finally unclassified for our data that needs the least amount of security.
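One way to run the access audit for privilege creep described above, as an added Python example that is not part of the original module: it compares each account's privileges with a baseline for its current role and separates leftovers from a former role from grants that match no role the person has held. The role names, privilege strings, and accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: role names and privilege strings are hypothetical.
ROLE_BASELINE = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "payroll_analyst": {"ticket:read", "payroll:read", "pii:read"},
}

@dataclass
class Account:
    user: str
    current_role: str
    former_roles: list = field(default_factory=list)
    privileges: set = field(default_factory=set)

def audit_creep(account, baseline=ROLE_BASELINE):
    """Classify privileges held beyond the current role's baseline."""
    # An unknown current role has no baseline, so every privilege is excess.
    allowed = baseline.get(account.current_role, set())
    excess = account.privileges - allowed
    # Privileges that any former role would have justified.
    inherited = set()
    for role in account.former_roles:
        inherited |= baseline.get(role, set())
    return {
        "leftover_from_old_role": sorted(excess & inherited),  # never revoked
        "ad_hoc_grant": sorted(excess - inherited),            # matches no role held
    }

def creep_report(accounts, baseline=ROLE_BASELINE):
    """Return findings only for accounts that hold excess privileges."""
    report = {}
    for acct in accounts:
        finding = audit_creep(acct, baseline)
        if any(finding.values()):
            report[acct.user] = finding
    return report

# Constructed accounts: alice changed jobs, bob received a one-off grant.
ACCOUNTS = [
    Account("alice", "payroll_analyst", ["helpdesk"],
            {"ticket:read", "payroll:read", "pii:read",
             "ticket:write", "user:reset_password"}),
    Account("bob", "helpdesk", [],
            {"ticket:read", "ticket:write", "user:reset_password", "pii:read"}),
    Account("carol", "helpdesk", [], {"ticket:read", "ticket:write"}),
]

if __name__ == "__main__":
    for user, finding in creep_report(ACCOUNTS).items():
        print(user, finding)
```
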

Depending on the type of data that you are trying to protect, you may require a high level of integrity and availability, but you may not need any confidentiality. An example would be an online store where the prices of items are not confidential in any way, because anyone who visits the store can view the prices.

However, it is important to make sure that the price database is always available so that customers can purchase items. It is also important to make sure that that data has integrity, because we do not want someone going in and modifying the prices of items and then purchasing things for less than we are willing to sell them for.

It is very important to make sure that all data is classified so that you can protect it appropriately. It should be classified either by its secrecy, sensitivity or confidentiality. It is important to have categories designed so that you can identify a baseline for the minimum set of security for the information and the information systems that that data resides on.

Data classification will help you to determine how much effort, money, and resources to spend to protect the data and to determine how to control access to it. For example, you will spend much more time and effort to protect data that is top secret compared to data that is unclassified.

Because some data is very sensitive and other data is not, it is not efficient to treat all data the same when designing your security systems. If you secure everything at a low level, then people will be able to easily access sensitive data. And if you secure everything you have at the highest security level, you will spend a lot of money and a lot of resources to restrict data that is not critical.

NIST provides Special Publication 800-60, which describes government classification. In this document, they state that the identification of information processed on an information system is essential to the proper selection of security controls and ensuring confidentiality, integrity, and availability of the system and its information. The FIPS, or Federal Information Processing Standard, 199 establishes three potential layers of impact: low impact, moderate impact, and high impact on your confidentiality, integrity, and availability, or CIA.

This system determines that the impact is low if the loss would have a limited adverse effect on your organization. The impact would be considered moderate if the loss of your CIA would have a serious adverse effect on your organization.

And the impact is considered high if the loss would have a severe or catastrophic adverse effect on your organization. For the CISSP examination, you should remember that all data must be properly classified, and that it is important to place controls appropriately based on the sensitivity or the criticality of the data in order to secure data that is sensitive and not waste valuable resources on securing non-sensitive data.

This concludes our Data Classification module. Thank you for watching.
