CompTIA CYSA+ CS0-002 – Non-technical Data and Privacy Controls Part 1

1. Data Classification (OBJ 5.1)

Data classification. In this lesson, we’re going to explore the world of data classification. And this all comes as part of data governance. When we talk about data governance, this is the process of managing information over its life cycle, from creation to destruction. So as we start thinking about a piece of data, if I wanted to create, let’s say, a new video, that’s a piece of data in my world, well, first I have to create that video. Now, when I create that video, I’m going to classify it and I’m going to say what level this thing is, and that’s going to determine how it needs to be protected. Then we have to store that thing that I just created. And in that storage, we have to also think about security. Are we going to encrypt it or not? Are we going to use access controls or not? How are we going to do backup and recovery operations?

All of that stuff is things that we have to think about as part of storage. Then we start thinking about distribution. How am I going to take that piece of data in my case of video? And I’m going to make sure it gets out to the data consumers who want to watch that or use that. That is what we’re talking about with distribution. And then finally we talk about retention or destruction. And this is the end of the life cycle because we’re done with this piece of data, we no longer need it. For instance, this video is for a particular version of the CYSA Plus exam. If CYSA Plus is no longer a certification or they move to a newer version, I would end up destroying this video because we don’t need it anymore. There’s no reason to keep data infinitely. Instead, you should have a retention period and then delete it when you’re done.

So this is what we’re talking about when we talk about data governance, and a large part of that is data classification. As I said, data classification is going to occur during the creation stage. And when I talk about data classification, this is the process of applying confidentiality and privacy labels to that information. Now, the best way to think about this is if you think about any kind of military movie you might have seen, or a spy movie you might have seen, somebody has a folder and on the outside it’s labeled Top Secret. This tells you this tag is Top Secret. This data needs to be protected a certain way because it’s top secret information. That’s what that tag or label is signifying. Well, the same thing happens in our networks, and there’s lots of different classifications we can use.

Now, the most common scheme is the military classification scheme, which is unclassified, classified, confidential, secret, and Top Secret. Now, when we talk about unclassified, this is a label that says there are no restrictions on viewing that data. This also presents no risk to our organization if the information is disclosed to the public at large. For instance, if you go to the US. Army’s website, there is information on that site that is unclassified data. It’s something that they said, we’re okay with everyone in the world knowing what this is. A lot of the army publications, like their field manuals, those are unclassified, and anyone around the world can download it, read it, and learn about how the army does what it does. Now, the next classification we have is classified, and this is really our first controlled characteristic.

When we talk about classified, this is viewing that is restricted to authorized persons within the owner’s organization or third parties under a nondisclosure agreement. Now, as I said, we started with Unclassified where everybody can see it. Now we’re in classified, which means one of several categories in the military construct. This is going to be confidential secret, or top secret. Now, as we go into confidential, this is the lowest of the classified forms. When we deal with confidential data, this is highly sensitive data that is for viewing only by approved persons within the organization and possibly those who are trusted under an NDA. Again, this is the lowest level of classification inside the classified realm of the military system. Then we go up to secret. This is information or data that is valuable, and therefore it has to be protected by severely restricting its viewing.

So for instance, if you work with the military, they have certain buildings where you can go and view this secret information. They have certain networks that will store this information, and those networks don’t connect to the internet because the internet is unclassified and so it has more protections and therefore more cost, and that data is more valuable. And then we have the highest level in the military system, and this is known as top secret. Now, top secret information or data is stuff that could have grave danger if it was inadvertently disclosed. So for example, when you’re thinking in the military context, if we knew where some bad guy was and we were going up operation to go after that bad guy, the location that bad guy is at would be top secret information.

Only a few people would know it and only those who need it for their job to be able to go do that mission to go get that bad guy. We want to keep that information as highly classified as possible. Another thing might be if we had a list of all the CIA agents around the world and their locations, well, that would be a top secret piece of information, because if that got out, somebody could go target all those agents and take them out, right?And we wouldn’t want that to happen as the American government. So therefore, we would want to make sure that is protected in our top secret enclaves. Usually in the military system, they’ll have a separate network for the top secret stuff as well. So they have the unclassed network, the secret network and the top secret network, and this way they can protect that data at the different levels.

The higher the classification level of that data, the more restrictions are going to be placed on it and the fewer people who can access it. Now a lot of organizations, they don’t use this military system. Though if you work in the commercial sector, you might see things with a different classification scheme like public, private, or internal and restricted. This is a lot simpler. And again, all of these would be on the same network in most organizations, unlike the military, which actually breaks it apart into those three networks. When you have them all in the same network, it’s just a matter of what kind of protections each of those is going to have. Maybe it’s a different encryption scheme, maybe it’s different access control rights. Those are the kind of things you can do now as far as protecting this information, that is up to your organization.

But some organizations actually have the power of law behind them. For instance, I use the example of the military, which is part of the US government. The US government actually has as part of our US laws that you cannot disclose classified information. So if you work for the government or the military and you have access to the secret or top secret information and you tell somebody about it and you give them access to information and they’re not supposed to have access, they can actually have different things happen to you, like fines,imprisonment, or even the death penalty. In some really bad cases, if you happen to be a spy and collecting information about the US. And getting that information, they can actually try you for treason and they can actually put you to death under this law.

So this is actually a big deal depending on where you work. So you have to keep these things in mind as a cybersecurity analyst. So now that we’ve talked about the different levels of classification, we’ve talked about the importance of classifying things, how do we actually apply those labels to the data? Well, this can be applied either manually or automatically to the data, depending on how your systems are done. In a lot of systems it is going to be set up automatically based on certain dirty words as we call them. So as we get a document, it’s going to go through that document and say, oh, I see, the word bazooka. Bazooka is a secret word, so therefore this document is now secret. That would be an automatic way of doing things manually is where I type up the document.

And then as I’m typing up the document, I would put my classification level on it and say, this is an unclassified document, this is a secret document, this is a top secret document. And then we apply the right protections based on that. Now, when we talk about classification, we also have to think about the other side, which is declassification. Again, this is the lifecycle from cradle to grave, the cradle part. When we create something, we classify it, and when we’re ready to move this thing along, it might be in the middle of its life cycle or the end of the life cycle. We may declassify it. Now, declassification is the downgrading of a classification label over time, due to the information no longer requiring the additional security protections provided by that classification. Let me give you a great example which will explain why we need to declassify things.

For instance, let’s say you were part of the planning team who was planning the invasion at Normandy back in 1944. This is the middle of World War II. Well, this operation overlord. The invasion of Normandy is a great example of this because at the time, that plan and all of the documents and orders that went with it was a top secret mission. It was all highly classified. In fact, it was a subcategory of top secret called Bigot, which was the British invasion of German occupied territories. Now, at that time, it made a lot of sense to keep all that classified. We wanted to make sure that the Germans didn’t know the US. And the Brits were coming to go into that area, so it had to be classified. Now, once the invasion was done, didn’t need to be classified anymore. Well, maybe that’s the call that the classifiers have to make.

But at the time, probably in 1944 or 45, you may have kept it classified, but here we are 75 years later. Do you think it’s still classified? No, of course not. You can go on the Internet and read the entire thing. You can go find online all the battle plans, the different orders that were put out, all of the information of the different technologies they were going to use, all of that that used to be classified as top secret is now declassified because over time, the technology we had in World War II is ancient technology. At this point, we have much better technologies and much better tools and much better techniques. And so those are now classified. And so those older ones have now been declassified. And this allows them to now be at the unclassified level, where they can be on the public Internet and anyone around the world can publicly get them and read them.

2. Data Types (OBJ 5.1)

Data types. In this lesson we’re going to take the concept of classification and dig into the idea of data types and privacy and formats. We talk about data. Data can also be tagged not just by its classification, but also by its data type. Now what is the data type? Well, it’s a tag or a label to identify a piece of data under a subcategory of a classification. So I used the example of we had this Top secret classification and then underneath that there was Bigot, the British Invasion of German occupied Territory. That was a classification back in World War II. Now over time we have different classification types. So, for example, we have unclassified and underneath unclassified, we might have things like PII personally identifiable information or SPI sensitive personal information or Phi personal health information or even financial information.

All of these are technically unclassified, but they should be treated with a little bit more care and so they are subcategories of it. Now this is because we don’t want this type of information getting out in the wild to just anybody. For instance, if I had your medical record, that’s not necessarily Top Secret or secret or even confidential, but it should be protected and that’s why it’d be classified as Phi Personal Health Information. Now, there are lots of solutions out there that use different categories. For instance, if you’re using Microsoft’s DLP solution, they have over 70 sensitive information types including things like PII, SPI and Phi underneath the Unclassified classification category. So these are things that you have to think about of how you want to subcategorize your information.

Because just saying this is unclassified or Top Secret isn’t enough. There’s actually subcategories underneath each of those. Now in addition to that, we have to think about the format of the data. And when we talk about data format, this is the organization of the information into preset structures or specifications. Now there are two main types. We have either structured data or unstructured data. When I talk about structured data, this might be something like a comma separated value list. So if I had a list that was exported and I had Jason Comma, Dion comma, one two, three, Main Street, that would be structured data. You would know that the first thing in front of the comma was the first name, the second thing would be the last name and the third thing would be the address. That is a structured format.

Now when I talk about unstructured, this would be something like a PowerPoint slide, an email, a text file, a chat log. Any of those things are really unstructured. It’s where I can just type in things in any order I want. Different systems and different classification mechanisms have to be set up to be able to understand these different data types and data formats. And then the third thing we have to consider here is our data state. Now the data state is the location of data within a processing system. And there’s really three places it can be. It can be data at rest, which means it’s stored on a hard drive, someplace it can be data in motion, which means it’s currently moving from one computer to another over the network. And then we have data in use, which means it’s data that has now been read into memory or inside the processor that is currently being worked on. And so those are your three data states. Now, I know these three terms should be familiar to you from security. Plus, if they’re not, don’t worry, we’re going to dive a little bit deeper into them in a future lesson.

• Category: Uncategorized