Global Information Assurance Certification Paper - GIAC Certifications

Page created by Everett Wagner
 

                           Copyright SANS Institute
                           Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.

SANS Security Essentials
GSEC Practical Assignment
Version 1.2b

Margaret Flierman

April 2001

Data Classification

“The inherent limitations of paper-based systems provide a certain level of privacy protection. The migration of records of personal information to IT systems has made possible a far greater range of uses of personal information and has made it easy to transfer information….”

Information technology and the internet, Australian Privacy Commissioner, 2001

Introduction

Data classification and allocation of responsibilities for its ownership are important to ensure that the value of information is properly recognised. It is the first step towards ensuring that the most valuable information assets have the highest level of protection.

Information varies in its degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. The information classification scheme should be used to define an appropriate set of protection levels, and communicate the need for specialised handling measures.

What is data (or information)?

The terms 'information' and 'data' are used interchangeably throughout this document.

Information can be defined as … any communication or information such as facts, data, or opinion, whether true or not, whether recorded in a material form or not, whether numerical, graphic or narrative, and whether maintained in any medium, including computerised databases, paper, microform, optical disk or magnetic tape.

Examples…

Customer information – payment history, personal history, pricing information for particular customers

Financial Information – performance history, projections, strong and weak points

Other Confidential Business Information – business allies, specific projects, employee-related problems, management problems, marketing information, expansion, contraction, target markets, hiring, takeover targets, new products/services, inventions and discoveries.

© SANS Institute 2000 - 2002                As part of GIAC practical repository.                    Author retains full rights.
Why do we (or must we) care?

We have a duty to protect the security of, access to, correction of, use of, and disclosure of data – often because it is a matter of law. A growing number of legislative mandates are appearing in the area of information security. Although these cover a variety of issues (computer misuse, etc.) the area attracting most attention is that of Data Protection.

We are by law required to protect our customer data. It must be …

- Processed fairly and lawfully
- Obtained and used only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate, and where necessary, kept up to date
- Kept for no longer than necessary
- Processed in accordance with the individual's rights (as defined)
- Kept secure
- Transferred only to countries that offer adequate data protection

Classification Levels

By classifying information, the correct level of protection will be defined and implemented. Information identification should be done at a high level and identify broad categories of information.

Here are four classification levels that identify the level of protection that should be given:

• Public (Class 1) - Non-sensitive information available for external release
• Internal (Class 2) - information that is generally available to employees and approved non-employees
• Confidential (Class 3) - information that is sensitive within the company and is intended for use only by specified groups of employees
• Restricted (Class 4) - information that is extremely sensitive and is intended for use only by named individuals within the company

Responsibilities

The security administrator does not ‘own’ company data. This should be the responsibility of the heads of functional areas, e.g. Finance, HR, Systems.

The information owner is responsible for classification based on the value and sensitivity of the information, for approving access, and communicating additional risk-based requirements. The security administrator is responsible for ensuring the policy is controlled and complied with. All staff (and this is taken to include anybody with access to data, including contractors, consultants etc.) are responsible for ensuring they comply, by marking and treating all computer media and printed information with the appropriate classification and following established processes. Each and every one of us has a responsibility for escalating any issues or breaches.

The information owner must identify and classify the information he/she is responsible for, and the classification must be based on the business requirements for:

• Confidentiality of the information (it must be protected from unauthorised disclosure)
• Integrity of the information (it must be protected from unauthorised alteration or destruction, whether accidental or deliberate)
• Availability of the information (it must be available when required by the users)

Separate procedures and standards must be established to protect client and customer data, including clear responsibilities and liabilities. You must also determine legislative requirements for information when it is transferred to another country.

Building the Standard

The standard must clearly identify required actions relating to …

§ The protection and disclosure of information
    § What are your company’s protection requirements?
    § Do your clients/third parties have special protection requirements?
    § What is the required authorisation procedure for disclosure of information belonging to internal or external parties?
    § Are there legislative requirements to consider when disclosing information?

§ The handling of information
    § What are the physical storage requirements?
    § Must information be retained for specific periods of time?
    § How should information be disposed of?

§ The distribution (removal and exchange) of information
    § What is the authorisation process?
    § How should information be dispatched (electronic and postal)?
    § Should the information be returned?

§ Sign-off by all parties

The tables below provide more detailed information.

Summary

Whatever form the information takes, it should always be appropriately protected to preserve Confidentiality, Integrity and Availability of your company’s key asset.

Will implementation of a data classification standard ensure users dispose of sensitive items correctly? Will it stop users from sending attachments unprotected across the internet? Not immediately and you may need to implement further controls, but now you have a clear guideline which you can incorporate into your user awareness campaign.

References:

1. GE GCF Data Classification Standards, 2000
2. British Standards Institute. Information Security Management. Part 1: Code of practice for information security management, February 1998
3. KPMG. Information Security Survey 1998
4. Glenn S. Bacal. “What are Trade Secrets?” URL: http://www.azlink.com/lawyers/charts/whatare.htm
5. The Australian Privacy Commissioner’s Website. “Privacy and the Public Sector” and “National Principles for the Fair Handling of Personal Information”. URL: http://www.privacy.gov.au/
6. SANS Institute. Consensus Information Security Awareness Draft Papers. URL: http://www.sans.org/newlook/projects/cap_draft.htm
7. Roger Clarke. “Introduction to Dataveillance and Information Privacy, and Definition of Terms”. URL: http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html
8. Computer Crime and Intellectual Property Section (CCIPS). “Computer Intrusion Cases”. URL: http://www.usdoj.gov/criminal/cybercrime/cccases.html for a list of cases relating to Confidentiality, Integrity and Availability
9. Computer Crime and Intellectual Property Section (CCIPS). “Privacy Issues in the High-Tech Concept”. URL: http://www.usdoj.gov/criminal/cybercrime/privacy.html
10. Baltimore Technologies. “Content Security Issues”. URL: http://www.mimesweeper.com/products/cs/datatheft.asp

TABLE A: INFORMATION CLASSIFICATION RULES

Confidentiality Classifications

Description
    PUBLIC (CLASS 1): Non-sensitive information available for external release.
    INTERNAL (CLASS 2): Information that is only sensitive outside the company. Generally available to employees and approved non-employees.
    CONFIDENTIAL (CLASS 3): Information that is sensitive within the company, and is intended for business use only by specific groups of employees.
    RESTRICTED (CLASS 4): Information that is extremely sensitive, of highest value to the company and intended for use by named individual(s) only.

Examples
    PUBLIC (CLASS 1): Company advertising literature once issued.
    INTERNAL (CLASS 2):
        § Company Telephone Directory
        § Company Organisation charts
    CONFIDENTIAL (CLASS 3):
        § Customer and Client information
        § Personnel information
    RESTRICTED (CLASS 4):
        § Strategic plans
        § Financial results prior to release

Impact of Unauthorised Disclosure
    PUBLIC (CLASS 1): No adverse impact
    INTERNAL (CLASS 2): Limited adverse impact
    CONFIDENTIAL (CLASS 3): Significant adverse impact:
        § May incur financial or legal liabilities
        § May adversely affect the company, its employees, its clients or customers
        § May assist a competitor
        § May undermine confidence in the company
    RESTRICTED (CLASS 4): Severe adverse impact:
        § May cause severe financial or legal damage to the company
        § May prejudice the actual financial existence of the company, its employees, its clients and its customers
        § May destroy confidence in the company
        § May damage the company's reputation

Access Restrictions
    PUBLIC (CLASS 1): Accessible to all employees
    INTERNAL (CLASS 2): Access normally restricted to employees and approved non-employees for business purposes only
    CONFIDENTIAL (CLASS 3):
        § Access must only be granted on a business need to know
        § Access by external parties must be subject to a non-disclosure agreement as well as a business need to know
    RESTRICTED (CLASS 4):
        § Access must be limited to named authorised individuals
        § Access lists must be maintained
        § Information must not be shown to or discussed with anyone not authorised
        § Access by external parties must be subject to a non-disclosure agreement as well as a business need to know

Integrity Classifications

INTEGRITY    DEFINITION           EXAMPLES/IMPACT OF UNAUTHORISED MODIFICATION
High         100% error free      Same as Confidentiality classification for Restricted information
Medium       96-99% error free    Same as Confidentiality classification for Confidential information
Low          90-95% error free    Same as Confidentiality classification for Internal information

Availability Classifications

AVAILABILITY    DEFINITION                                  IMPACT
High            No interruption of access beyond 0.5 day    Severe adverse impact
Medium          No interruption of access beyond 1 day      Significant adverse impact
Low             No interruption of access beyond 7 days     Limited adverse impact

TABLE B: INFORMATION PROTECTION RULES

Storage of Information (electronic)
    PUBLIC (CLASS 1): No security control requirements
    INTERNAL (CLASS 2): Site/Department storage should be adequate to prevent casual disclosure
    CONFIDENTIAL (CLASS 3): Information may require encryption; where it does, approved methods must be used.
    RESTRICTED (CLASS 4): Information must be encrypted using company-approved methods

Storage of Information Medium
    PUBLIC (CLASS 1): No security control requirements
    INTERNAL (CLASS 2): Site/Department storage should be adequate to prevent casual disclosure
    CONFIDENTIAL (CLASS 3): Medium must be kept in locked storage or a secure environment (Notes 1 and 2)
    RESTRICTED (CLASS 4):
        § Medium must be kept in a locked drawer or equivalent, to which the addressee has sole access
        § Medium must be locked away when not physically in the presence of the originator or addressee (Note 3)

Labelling of Information (documents only)
    PUBLIC (CLASS 1): Labelling not required
    INTERNAL (CLASS 2): Must be labelled with the classification
    CONFIDENTIAL (CLASS 3): Each page must be marked 'CONFIDENTIAL'
    RESTRICTED (CLASS 4):
        § Each page must be marked 'RESTRICTED'
        § Individual copies of the document must contain a unique identifier

Labelling of Information Medium (e.g. diskettes)
    PUBLIC (CLASS 1): Labelling not required
    INTERNAL (CLASS 2): Must be labelled with the classification
    CONFIDENTIAL (CLASS 3): Where information medium is not permanently held in locked storage or a secure environment, it must be labelled 'CONFIDENTIAL' (Note 4)
    RESTRICTED (CLASS 4):
        § The information medium must be marked 'RESTRICTED'
        § Individual copies must contain a unique identifier

Disposal of Information (electronic)
    PUBLIC (CLASS 1): Removal of Directory entry for file
    INTERNAL (CLASS 2): Removal of Directory entry for file
    CONFIDENTIAL (CLASS 3): In addition to removing the directory entry for the file, the space used by the file must be over-written using approved means.
    RESTRICTED (CLASS 4): In addition to removing the directory entry for the file, the space used by the file must be over-written using approved means.

Disposal of Physical Medium (e.g. paper/magnetic media)
    PUBLIC (CLASS 1): ALL media must be regarded as CONFIDENTIAL information and be disposed of securely using methods approved by the Security Officer (e.g. shredding)
    INTERNAL (CLASS 2): ALL media must be regarded as CONFIDENTIAL information and be disposed of securely using approved methods (e.g. shredding) and based on retention strategies.
    CONFIDENTIAL (CLASS 3): ALL media must be regarded as CONFIDENTIAL information and be disposed of securely using approved methods (e.g. shredding) and based on retention strategies.
    RESTRICTED (CLASS 4):
        § Information must be disposed of securely using approved methods and based on retention strategies
        § A record must be kept of how, when and by whom the information was destroyed (to provide an audit trail)

   N.B. Medium means any physical item that contains information e.g. tape, diskette, paper document, CD

   Notes:

   1. A secure environment is a physically secure area, e.g. a computer room, where written authorisation is required in order to remove any information storage medium (e.g. tape).
   2. If any member of staff finds a confidential item and it is not properly secured, it is their responsibility to secure it in accordance with the classification label attached to it.
   3. If any member of staff finds such an item that is not being actively used and is not stored securely, it is their responsibility to secure it in accordance with the classification label attached to it.
   4. Examples of when labelling would be required are: a printed report containing Confidential information being circulated around a department, or a PC diskette containing Confidential information that is used during the day and locked in a drawer outside working hours.

   TABLE C: INFORMATION DISTRIBUTION

                                        CONFIDENTIAL (CLASS 3)                                      RESTRICTED (CLASS 4)

   Distribution                         § Distribution lists of those groups authorised to          § Distribution is to named individual(s) only
                                          receive information must be checked regularly to          § The originator of the information item must keep a
                                          ensure currency                                             record of the unique identifier associated with the
                                        § Distribution must be kept to a minimum                      copy, and the named individual designated to receive
                                        § The item may only be copied or distributed by the           that copy
                                          originator of this item or the addressee                  § The item may only be copied or distributed by the
                                        § Items must be labelled with the classification before       originator of the item
                                          any copies may be made                                    § Items must be labelled with the classification before
                                                                                                      any copies are made

   Addressing                           § The storage medium must have two envelopes/layers of      § The storage medium must have two envelopes/layers of
                                          packaging                                                   packaging
                                        § The outer envelope/layer must show the recipient's        § The outer envelope/layer must show the recipient's
                                          name and address, be marked 'TO BE OPENED BY                name and address, be marked 'TO BE OPENED BY
                                          ADDRESSEE ONLY', and show the name and phone                ADDRESSEE ONLY', and show the name and phone
                                          number of the sender of the information                     number of the sender of the information

   Dispatch of Information (except EDI) § Packaging should ensure physical protection of the        § By hand or approved courier
                                          item.                                                     § Packaging must ensure physical protection of the item
                                        § Normal mail service                                       § Printed information sent through internal mail,
                                                                                                      external mail, or by courier must be sent by trusted
                                                                                                      courier or registered mail. The method of mailing
                                                                                                      must provide tracking.

   Dispatch of Information (EDI)        Information may require encryption (if so, approved         § Must be encrypted when transferred via public or
                                        methods must be used) if transferred via public networks      private networks. (Note 1)
                                        (internet)                                                  § Electronic mail should use digital signatures for
                                                                                                      sending non-public information.
                                                                                                    § Information must not be faxed unless controls are
                                                                                                      taken to ensure proper control at the receiving end
                                                                                                      (password protected mailboxes, or person standing
                                                                                                      by to receive)

   Voice                                § Voice mail messages should be deleted as soon as          § Information must not be discussed on speaker-phones
                                          possible (a written document from the sender is             or during teleconferences unless all participating
                                          preferable).                                                parties first acknowledge that no unauthorised
                                        § Messages must not be forwarded (in case of                  persons are in close proximity, such that they might
                                          misdialling or unauthorised access to other                 overhear the conversation.
                                          mailboxes).                                               § Information must never be discussed on cordless or
                                                                                                      cellular telephones

   Note 1: Country specific legal and regulatory requirements should be reviewed concerning the use of encryption technology.
Last Updated: January 15th, 2021
