Security Disciplines for Objective 2: Prevention
2-4. Data Classification
Description
One of the key steps in securing electronic information is to determine what data needs protection. Information varies in its degrees of sensitivity, need for integrity, and criticality. Therefore, the required protection measures to secure the data vary also. An information classification scheme should be developed to designate classes of information and their associated protection measures.
Purpose
Data classification describes methods to categorize information for different levels of security protection. Alternatives vary in rigor (i.e., the degree of protection that they provide) and cost. Cost can be in dollars or in manual effort. In general, rigor and cost are directly proportional—the more rigorous a method, the more it costs. The justice information system owner should select methods that provide as high a level of assurance as possible within cost constraints.
Principles
The level of assurance of the classification method employed should be balanced against the cost and the risk associated with unauthorized disclosure, uncontrolled modification, or the inability to access the data by authorized users. Information is classified based on its need for:
- Confidentiality or sensitivity (i.e., its need to be protected from unauthorized disclosure).
- Integrity or accuracy (i.e., its need to be protected from unauthorized alteration or destruction).
- Availability or criticality (i.e., its need to be available to the users).
An owner should be designated for each set of information. Generally, this should be the person in charge of the unit that produced the data. It is the responsibility of the information owner to determine to which class the information belongs and to whom the information may be disclosed. The security administrator ensures the proper classification measures, as determined by the information owner, are enforced according to the security policy. There should be mechanisms in place to allow audits and reviews of the classifications assigned and associated security measures implemented. All data should be classified, regardless of the media on which it resides.
To achieve increased granularity when securing data, use data classification in conjunction with Role-Based Access Control (see Section 2-2, RBAC).
Policies
Once an organization decides on an approach for classification, it should document the policies, providing a consistent and comprehensive application of classification throughout the enterprise. The policy should identify scope, methods, standards, and organizational and individual responsibilities. The reader may refer to the following documents for examples of classification policy statements:
- The Missouri Office of The State Courts Administrator (OSCA) Data Security Guidelines, Information Sensitivity Levels.
- The University of Massachusetts, Data Classification section, http://media.umassp.edu/massedu/policy/DataComputingStandard.pdf.
Best Practices
The following tables represent sample data classification schemes under the categories of confidentiality, integrity, and availability, respectively. Under the confidentiality category, Table 2-3: Confidentiality Classification suggests five levels in order of increasing sensitivity: public, internal, confidential, restricted, and sealed. Under the integrity and availability categories, Tables 2-4: Integrity Classification and 2-5: Availability Classification suggest four levels: very low, low, medium, and high.
Table 2-3: Confidentiality Classification
Table 2-4: Integrity Classification

| | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Definition | 80% to 90% | 90% to 95% | 96% to 99% | 100% |
| Impact of Unauthorized Modification | Adversely affect the local organization | Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; or undermine confidence in and reputation of the organization | Seriously impact the entire system, individual persons, and the public; incur serious financial or legal liabilities; or damage confidence in and impair reputation of the organization | Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; or irreparable destruction of confidence in and reputation of the organization |
| Possible Examples | Public Web page displaying information on elected officials | Court schedules | Public access to records of conviction or court judgments | Records of conviction for law enforcement use, fingerprint and other identification records for law enforcement use, emergency contact information for the public, warrants and orders of protection |
Table 2-5: Availability Classification

| | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Definition | No interruption of access beyond 30 days | No interruption of access beyond 7 days | No interruption of access beyond 1 day | No interruption of access |
| Impact of Loss in Availability | Adversely affect the organization | Adversely impact the entire system, individual persons, and the public; incur financial or legal liabilities; or undermine confidence in and reputation of the organization | Seriously impact the entire system, individual persons, and the public; incur serious financial or legal liabilities; or damage confidence in and impair reputation of the organization | Severely impact the entire system, individual persons, and the public; may cause loss of life; organization may be disbanded; or irreparable destruction of confidence in and reputation of the organization |
| Possible Examples | Public Web page displaying information on elected officials | Court schedule | Public access to records of conviction | Records of conviction for law enforcement use, fingerprint and other identification records for law enforcement use, emergency contact information for the public, warrants and orders of protection |


