The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [135]
There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.
DATA CLASSIFICATION
A data classification policy is fundamental to protecting an organization’s information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.
Operating without a data classification policy—the status quo in almost all companies today—leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors rather than on the sensitivity, criticality, and value of the information. Information is also released because employees are unaware that in responding to a request for it, they may be putting it into the hands of an attacker.
The data classification policy sets forth guidelines for classifying valuable information into one of several levels. With each item assigned a classification, employees can follow a set of data-handling procedures that protect the company from inadvertent or careless release of sensitive information. These procedures mitigate the possibility that employees will be duped into revealing sensitive information to unauthorized persons.
Every employee must be trained on the corporate data classification policy, including those who do not typically use computers or corporate communications systems. Because every member of the corporate workforce—including the cleaning crew, building guards, and copy-room staff, as well as consultants, contractors, and even interns—may have access to sensitive information, anyone could be the target of an attack.
Management must assign an Information Owner to be responsible for any information that is currently in use at the company. Among other things, the Information Owner is responsible for the protection of the information assets. Ordinarily, the Owner decides what level of classification to assign based on the need to protect the information, periodically reassesses the classification level assigned, and decides if any changes are needed. The Information Owner may also delegate the responsibility of protecting the data to a Custodian or Designee.
Classification Categories and Definitions
Information should be separated into varying levels of classification based on its sensitivity. Once a particular classification system is set up, it is an expensive and time-consuming process to reclassify information into new categories. In our example policy I chose four classification levels, which is appropriate for most medium-to-large businesses. Depending on the amount and types of sensitive information they hold, businesses may choose to add more categories to further control specific types of information. In smaller businesses, a three-level classification scheme may be sufficient. Remember—the more complex the classification scheme, the greater the expense to the organization in training employees and enforcing the system.
Confidential. This category of information is the most sensitive. Confidential information is intended for use only within the organization. In most cases, it should only be shared with a very limited number of people with an absolute need to know. The nature of Confidential information is such that any unauthorized