Security Disciplines for Objective 2: Prevention
2-4. Data Classification
Description
One of the key steps in securing electronic information is to determine what data needs protection. Information varies in its degrees of sensitivity, need for integrity, and its criticality. Therefore, the required protection measures to secure the data vary also. An information classification scheme should be developed to designate classes of information and their associated protection measures.
Purpose
Data classification describes methods to categorize information for different levels of security protection. Alternatives vary in rigor (i.e., the degree of protection that they provide) and cost. Cost can be in dollars or in manual effort. In general, rigor and cost are directly proportional—the more rigorous a method, the more it costs. The justice information system owner should select methods that provide as high a level of assurance as possible within cost constraints.
Principles
The level of assurance of the classification method employed should be balanced against the cost and the risk associated with unauthorized disclosure, uncontrolled modification, or the inability to access the data by authorized users. Information is classified based on its need for:
- Confidentiality or sensitivity (i.e., its need to be protected from unauthorized disclosure).
- Integrity or accuracy (i.e., its need to be protected from unauthorized alteration or destruction).
- Availability or criticality (i.e., its need to be available to the users).
An owner should be designated for each set of information. Generally, this should be the person in charge of the unit that produced the data. It is the responsibility of the information owner to determine to which class the information belongs and to whom the information may be disclosed. The security administrator ensures the proper classification measures, as determined by the information owner, are enforced according to the security policy. There should be mechanisms in place to allow audits and reviews of the classifications assigned and associated security measures implemented. All data should be classified, regardless of the media on which it resides.
To achieve increased granularity when securing data, use data classification in conjunction with Role-Based Access Control (see Section 2-2, RBAC).
Policies
Once an organization decides on an approach for classification, it should document the policies, providing a consistent and comprehensive application of classification throughout the enterprise. The policy should identify scope, methods, standards, and organizational and individual responsibilities. The reader may refer to the following documents for examples of classification policy statements:
- The Missouri OSCA Data Security Guidelines, Information Sensitivity Levels.
- The University of Massachusetts, Data Classification section, http://www.umassp.edu/policy/data/itcdatasec.html.
- Institute for Intergovernmental Research, Sample Operating Policies and Procedures, http://www.iir.com/28cfr/sample_operating_Policies_procedures.htm.
Best Practices
The following tables represent sample data classification schemes under the categories of confidentiality, integrity, and availability, respectively. Under the confidentiality category, Table 2-3 suggests five levels in order of increasing sensitivity: public, internal, confidential, restricted, and sealed. Under the integrity and availability categories, Tables 2-4 and 2-5 suggest four levels: very low, low, medium, and high.
Table 2-3. Confidentiality classification levels

| | Public | Internal | Confidential | Restricted | Sealed |
|---|---|---|---|---|---|
| Description | Not sensitive; available to anyone | Slightly sensitive; not intended for external entities | Sensitive; required to be controlled | Very sensitive | Extremely sensitive |
| Impact of Unauthorized Disclosure | N/A | Adversely affect the organization | Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; and undermine confidence in and the reputation of the organization | Seriously impact the entire system, individual persons, and the public; incur serious financial and legal liabilities; and damage confidence in and impair reputation of the organization | Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; and irreparable destruction of confidence in and reputation of the organization |
| Possible Examples | Criminal convictions; published phone numbers | Internal phone numbers; organization charts | Criminal cases with “not guilty” verdicts, open paternity cases, and ongoing investigation documentation | Personnel information, court documents on juveniles and adoptions | Sealed or expunged court cases |
| Access | All | Available to employees and approved nonemployees | Available to employees and authorized nonemployees with a nondisclosure agreement | Available to select employees and authorized nonemployees with a nondisclosure agreement, granted on a need-to-know basis; an access list must be maintained | Available to specific individuals and only in exceptional cases, granted on a need-to-know basis; an access control list must be maintained |
Table 2-4. Integrity classification levels

| | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Definition | 80–90% | 90–95% | 96–99% | 100% |
| Impact of Unauthorized Modification | Adversely affect the local organization | Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; or undermine confidence in and reputation of the organization | Seriously impact the entire system, individual persons, and the public; incur serious financial or legal liabilities; or damage confidence in and impair reputation of the organization | Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; or irreparable destruction of confidence in and reputation of the organization |
| Possible Examples | Public Web page displaying information on elected officials | Court schedules | Public access to records of conviction or court judgments | Records of conviction for law enforcement use, fingerprint and other identification records for law enforcement use, emergency contact information for the public, warrants and orders of protection |
Table 2-5. Availability classification levels

| | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Definition | No interruption of access beyond 30 days | No interruption of access beyond 7 days | No interruption of access beyond 1 day | No interruption of access |
| Impact of Loss in Availability | Adversely affect the organization | Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; or undermine confidence in and reputation of the organization | Seriously impact the entire system, individual persons, and the public; incur serious financial or legal liabilities; or damage confidence in and impair reputation of the organization | Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; or irreparable destruction of confidence in and reputation of the organization |
| Possible Examples | Public Web page displaying information on elected officials | Court schedule | Public access to records of conviction | Records of conviction for law enforcement use, fingerprint and other identification records for law enforcement use, emergency contact information for the public, warrants and orders of protection |
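The Principles section calls for an information owner per data set, enforcement of the owner's classification by the security administrator, audit and review mechanisms, and use of classification together with RBAC; the Access row of Table 2-3 states the per-level conditions. The following Python is an added example (not part of the guideline or any referenced policy) that encodes those conditions as an access decision combined with a role check, records every decision for audit, and runs a review that flags records whose classification metadata is incomplete. The level names and conditions follow Table 2-3; the principals, roles, record identifiers and field names are constructed for illustration.

```python
"""Added example: Table 2-3 access rules enforced together with RBAC,
with an audit trail and a review check. Sample data is constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3
    SEALED = 4


@dataclass
class Principal:
    name: str
    roles: Set[str]
    employee: bool = False
    approved_nonemployee: bool = False   # "approved"/"authorized" nonemployee
    nda_signed: bool = False             # nondisclosure agreement on file


@dataclass
class Record:
    record_id: str
    level: Level
    owner: str                                           # designated information owner
    allowed_roles: Set[str] = field(default_factory=set)  # RBAC: roles permitted to read
    access_list: Set[str] = field(default_factory=set)    # need-to-know list (Restricted, Sealed)


@dataclass
class AuditEntry:
    principal: str
    record_id: str
    level: str
    decision: str
    reason: str


def classification_check(p: Principal, r: Record, justification: Optional[str]) -> Optional[str]:
    """Apply the Access row of Table 2-3; return None if admitted, else the denial reason."""
    if r.level == Level.PUBLIC:
        return None
    if r.level == Level.INTERNAL:
        return None if (p.employee or p.approved_nonemployee) else "internal: employees and approved nonemployees only"
    # Confidential and above: a nonemployee must be authorized and have an NDA
    if not p.employee and not (p.approved_nonemployee and p.nda_signed):
        return "nonemployee without authorization and nondisclosure agreement"
    if r.level >= Level.RESTRICTED and p.name not in r.access_list:
        return "not on the need-to-know access list"
    if r.level == Level.SEALED and not justification:
        return "sealed: access only in exceptional, documented cases"
    return None


def authorize(p: Principal, r: Record, log: List[AuditEntry], justification: Optional[str] = None) -> bool:
    """Grant read access only if both the classification rule and RBAC admit the principal."""
    reason = classification_check(p, r, justification)
    if reason is None and not (p.roles & r.allowed_roles):
        reason = "no role permitted for this record"
    decision = "ALLOW" if reason is None else "DENY"
    log.append(AuditEntry(p.name, r.record_id, r.level.name, decision, reason or justification or "ok"))
    return reason is None


def review_findings(records: List[Record]) -> Dict[str, List[str]]:
    """Periodic review: flag records whose classification metadata is incomplete."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        problems = []
        if not r.owner:
            problems.append("no information owner designated")
        if r.level >= Level.RESTRICTED and not r.access_list:
            problems.append("restricted/sealed record without an access list")
        if problems:
            findings[r.record_id] = problems
    return findings


# Constructed sample principals and records (hypothetical names)
CLERK = Principal("clerk1", {"court_clerk"}, employee=True)
CONTRACTOR = Principal("vendor1", {"court_clerk"}, approved_nonemployee=True, nda_signed=False)
JUDGE = Principal("judge1", {"judge"}, employee=True)
RECORDS = [
    Record("conviction-100", Level.PUBLIC, "records_unit", {"court_clerk", "judge"}),
    Record("investigation-42", Level.CONFIDENTIAL, "investigations", {"court_clerk"}),
    Record("juvenile-7", Level.RESTRICTED, "family_court", {"judge"}, access_list={"judge1"}),
    Record("expunged-3", Level.SEALED, "", {"judge"}),   # owner and access list missing
]


def demo() -> Dict[str, bool]:
    log: List[AuditEntry] = []
    results = {
        "clerk_public": authorize(CLERK, RECORDS[0], log),
        "contractor_confidential": authorize(CONTRACTOR, RECORDS[1], log),   # no NDA: deny
        "clerk_confidential": authorize(CLERK, RECORDS[1], log),
        "clerk_restricted": authorize(CLERK, RECORDS[2], log),               # not on list: deny
        "judge_restricted": authorize(JUDGE, RECORDS[2], log),
        "judge_sealed": authorize(JUDGE, RECORDS[3], log, justification="order ref (placeholder)"),
    }
    for e in log:
        print(f"{e.decision:5} {e.principal:8} {e.record_id:17} {e.level:12} {e.reason}")
    return results


if __name__ == "__main__":
    demo()
    print(review_findings(RECORDS))
```

The two checks are deliberately separate: the classification rule is set by the information owner and the role assignment by the administrator, so a change to either cannot silently widen access, and every decision lands in the audit log that the Principles section asks for.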
References
- ANSI Standard A/I 11179, Information Technology – Specification and Standardization of Data Elements – Part 2: Classification for Data Elements.
- U.S. Department of Energy, EO12356. See Oak Ridge National Laboratory Web site, http://www.fas.org/sgp/library/quist2/chap_7.html, Classification Levels.
