To improve security, you need to identify both your data and your physical assets and classify them according to their importance or sensitivity, so you can specify procedures for handling them appropriately based on their classification.
- Data classification. Organizations classify their data using labels. You might be familiar with two government classification labels, Secret and Top Secret. Non-government organizations generally use classification labels such as Public, Internal Use Only, Partner Use Only, or Company Confidential. However, data classification can be more granular; for example, you might label certain information as HR Only.
- Asset classification. You also need to identify and classify physical assets, such as computers, smartphones, desks and company cars. Unlike data, assets are typically identified and classified by asset type. Often, asset classification is used for accounting purposes, but it can also be tied to information security. For example, an organization might designate a set of special laptops with particular software installed, and assign them to employees when they travel to high-risk destinations, so their day-to-day assets can remain safely at home.
Classification labels help users disseminate data and assets properly. For example, if Sue has a document classified as Partner Use Only, she knows that it can be distributed only to partners; any further distribution is a violation of security policy. In addition, some data loss prevention solutions can use classification data to help protect company data automatically. For example, an email server can prevent documents classified as Internal Use Only from being sent outside of the organization.

People with the right clearance can view certain classifications of data or check out certain types of company equipment (such as a company truck). While clearance is often associated with governments or the military, it is also useful for organizations. Some organizations use it routinely throughout their environments, while other organizations use it for special scenarios, such as a merger or acquisition. When studying for this section, concentrate on understanding the following concepts.
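The label-driven email check described above, as an added example (not code from the text or from any DLP product): a constructed policy maps each classification label used on the page to the audiences it may reach, and outbound recipients are checked against it. The home domain, partner domains, HR mailboxes and sample headers are all assumed values.

```python
import re

INTERNAL_DOMAIN = "example.com"                                   # assumed home domain
PARTNER_DOMAINS = {"partner-one.example", "partner-two.example"}  # assumed partner list
HR_MAILBOXES = {"hr-lead@example.com", "payroll@example.com"}     # assumed HR group

# Audiences each label may be sent to. "internal" = any mailbox at our domain,
# "partner" = a registered partner domain, "hr" = a listed HR mailbox.
LABEL_AUDIENCE = {
    "Public": {"internal", "partner", "external"},
    "Partner Use Only": {"internal", "partner"},
    "Internal Use Only": {"internal"},
    "Company Confidential": {"internal"},
    "HR Only": {"hr"},
}

def recipient_classes(addr):
    """Classify one address; a mailbox can belong to several classes."""
    addr = addr.strip().lower()
    if "@" not in addr:
        return set()                     # unparseable: matches no audience, so blocked
    domain = addr.rsplit("@", 1)[1]
    classes = set()
    if domain == INTERNAL_DOMAIN:
        classes.add("internal")
    elif domain in PARTNER_DOMAINS:
        classes.add("partner")
    else:
        classes.add("external")
    if addr in HR_MAILBOXES:
        classes.add("hr")
    return classes

def evaluate_message(label, recipients):
    """Return (decision, blocked_recipients). Unknown labels fail closed."""
    audience = LABEL_AUDIENCE.get(label)
    if audience is None:
        return "block", list(recipients)
    blocked = [r for r in recipients if not (recipient_classes(r) & audience)]
    return ("block" if blocked else "allow"), blocked

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def recipients_from_headers(raw_headers):
    """Collect addresses from To:/Cc:/Bcc: lines (folded headers not handled)."""
    found = []
    for line in raw_headers.splitlines():
        if line.lower().startswith(("to:", "cc:", "bcc:")):
            found.extend(ADDR_RE.findall(line))
    return found

def check_outbound(raw_headers, label):
    return evaluate_message(label, recipients_from_headers(raw_headers))

# Constructed sample headers: one internal, one partner and one outside recipient.
SAMPLE_HEADERS = """From: sue@example.com
To: bob@example.com, ana@partner-one.example
Cc: reporter@news.example
Subject: Q3 roadmap"""

if __name__ == "__main__":
    print(check_outbound(SAMPLE_HEADERS, "Partner Use Only"))
```

Run as-is it prints `('block', ['reporter@news.example'])`: the two Partner Use Only audiences are fine, the outside address is not.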
- Clearance. Clearance dictates who has access to what. Generally, a certain clearance provides access to a certain classification of data or certain types of equipment. For example, Secret clearance gives access to Secret documents, and a law enforcement organization might require a particular clearance level for use of heavy weaponry.
- Formal access approval. Whenever a user needs to gain access to data or assets that they don’t currently have access to, there should be a formal approval process. The process should involve approval from the data owner, who should be provided with details about the access being requested. Before a user is granted access to the data, they should be told the rules and limits of working with it. For example, they should be aware that they must not send documents outside the organization if they are classified as Internal Use Only.
- Need to know. Suppose your company is acquiring another company but it hasn’t been announced yet. The CIO, who is aware of the acquisition, needs to have IT staff review some redacted network diagrams as part of the due diligence process. In such a scenario, the IT staff are given only the information they need to know (for example, that it is a network layout and that your company is interested in whether it is compatible with your own network). The IT staff do not need to know about the acquisition at that time. This is “need to know.”