The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [136]

disclosure could seriously impact the company, its shareholders, its business partners, and/or its customers. Items of Confidential information generally fall into one of these categories:

• Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.

• Marketing and financial information not available to the public.

• Any other information that is vital to the operation of the company such as future business strategies.

Private. This category covers information of a personal nature that is intended for use only within the organization. Any unauthorized disclosure of Private information could seriously impact employees, or the company if obtained by any unauthorized persons (especially social engineers). Items of Private information would include employee medical history, health benefits, bank account information, salary history, or any other personal identifying information that is not of public record.

Note

The Internal category of information is often termed Sensitive by security personnel. I have chosen to use Internal because the term itself explains the intended audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information; put another way, Sensitive refers to any company information that is not specifically designated as Public.

Internal. This category of information can be freely provided to any persons employed by the organization. Ordinarily, unauthorized disclosure of Internal information is not expected to cause serious harm to the company, its shareholders, its business partners, its customers, or its employees. However, persons adept in social engineering skills can use this information to masquerade as an authorized employee, contractor, or vendor to deceive unsuspecting personnel into providing more sensitive information that would result in unauthorized access to corporate computer systems.

A confidentiality agreement must be signed before Internal information may be disclosed to third parties, such as employees of vendor firms, contractor labor, partner firms, and so on. Internal information generally includes anything used in the course of daily business activity that should not be released to outsiders, such as corporate organizational charts, network dial-up numbers, internal system names, remote access procedures, cost center codes, and so on.

Public. Information that is specifically designated for release to the public. This type of information can be freely distributed to anyone, such as press releases, customer-support contact information, or product brochures. Note that any information not specifically designated as Public should be treated as Sensitive information.

Classified Data Terminology

Based on its classification, data should be distributed to certain categories of people. A number of policies in this chapter refer to information being given to an Unverified Person. For the purposes of these policies, an Unverified Person is someone whom the employee does not personally know to be an active employee or to be an employee with the proper rank to have access to information, or who has not been vouched for by a trusted third party.

For the purposes of these policies, a Trusted Person is a person you have met face-to-face who is known to you as a company employee, customer, or consultant to the company with the proper rank to have access to information. A Trusted Person might also be an employee of a company having an established relationship with your company (for example, a customer, vendor, or strategic business partner that has signed a nondisclosure agreement).

In third-party vouching, a Trusted Person provides verification of a person's employment or status, and of the person's authority to request information or an action. Note that in some instances, these policies require you to verify that the Trusted Person is still employed by the
