We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data. (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").
One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.
I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.
I was told to constrain my scope to a High, Medium, Low classification model.
Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.
Information Security Breach Impact Classification
ABSTRACT: This document, based upon
Significance of Breach:
- High Level Breaches
- Medium Level Breaches
- Low Level Breaches
A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either or its Partners/Clients/Vendors.
RESTRICTED
The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .
Example: ‘RESTRICTED’ information includes but is not limited to personally identifiable information (PII), employees’ medical history, credit card information, bank account information, and encryption keys and passwords.
A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either or its Partners/Clients/Vendors.
CONFIDENTIAL
The ‘CONFIDENTIAL’ classification is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to .
Example: ‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.
A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either or its Partners/Clients/Vendors.
INTERNAL
The ‘INTERNAL’ classification is used to denote information that may be shared within but is restricted from general release to the public.
Example: ‘INTERNAL’ information includes training manuals, procedures and communications to all employees.
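As an added illustration of the three-level model above (this is example code, not part of the original post), the following Python turns the rules into a triage function: given the classification tags on each affected asset, it returns the breach level and the (asset, tag) pairs that drove it, which is exactly what the communication to the Executive and Audit team needs to state. The `Asset` type, the tag spellings, and the rule that never-classified data is rated High until the classification exercise catches up are my assumptions, not the post's.

```python
"""Breach impact triage: map the classification tags of exposed data to the
High / Medium / Low breach levels of the model above. Added example; the
Asset type, the tag spellings and the untagged-data rule are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Iterable, List, Tuple


class Severity(IntEnum):
    LOW = 1      # no data, or only Corporate Internal Information exposed
    MEDIUM = 2   # Corporate Confidential Information exposed
    HIGH = 3     # PII, PCI, PHI or Corporate Restricted Information exposed


# Classification tags from the model and the breach level each one implies.
HIGH_TAGS = frozenset({"PII", "PCI", "PHI", "RESTRICTED"})
MEDIUM_TAGS = frozenset({"CONFIDENTIAL"})
LOW_TAGS = frozenset({"INTERNAL"})

# Wording to reuse in the breach communication for each level.
LEVEL_TEXT = {
    Severity.HIGH: "High level breach: PII, PCI, PHI or Corporate Restricted Information exposed",
    Severity.MEDIUM: "Medium level breach: Corporate Confidential Information exposed",
    Severity.LOW: "Low level breach: no data or only Corporate Internal Information exposed",
}


@dataclass(frozen=True)
class Asset:
    """One affected system or data set (hypothetical type, not from the post)."""
    name: str
    tags: FrozenSet[str]   # classification tags applied to it; empty if untagged


def severity_for_tag(tag: str) -> Severity:
    """Look up the breach level a single classification tag implies.
    Unknown tags raise rather than silently defaulting to LOW."""
    t = tag.strip().upper()
    if t in HIGH_TAGS:
        return Severity.HIGH
    if t in MEDIUM_TAGS:
        return Severity.MEDIUM
    if t in LOW_TAGS:
        return Severity.LOW
    raise ValueError(f"unknown classification tag: {tag!r}")


def classify_breach(assets: Iterable[Asset],
                    untagged_as: Severity = Severity.HIGH
                    ) -> Tuple[Severity, List[Tuple[str, str]]]:
    """Return the overall breach level and the (asset, tag) pairs that set it.

    The level is the maximum over every tag on every exposed asset. Data that
    was never classified is rated as `untagged_as` (assumption: fail closed
    and treat it like Restricted until the classification exercise is done).
    """
    level = Severity.LOW
    drivers: List[Tuple[str, str]] = []
    for asset in assets:
        if asset.tags:
            candidates = [(severity_for_tag(t), t.strip().upper()) for t in asset.tags]
        else:
            candidates = [(untagged_as, "UNTAGGED")]
        for sev, tag in candidates:
            if sev > level:
                level, drivers = sev, [(asset.name, tag)]
            elif sev == level:
                drivers.append((asset.name, tag))
    return level, drivers


def breach_statement(assets: Iterable[Asset]) -> str:
    """One-line impact statement for the breach communication."""
    level, drivers = classify_breach(assets)
    detail = "; ".join(f"{name}: {tag}" for name, tag in drivers) or "nothing exposed"
    return f"{LEVEL_TEXT[level]} ({detail})"


if __name__ == "__main__":
    # Constructed inventory of assets touched in a hypothetical incident.
    exposed = [
        Asset("intranet-wiki", frozenset({"INTERNAL"})),
        Asset("crm-export", frozenset({"CONFIDENTIAL"})),
        Asset("hr-db", frozenset({"CONFIDENTIAL", "PII"})),
        Asset("old-file-share", frozenset()),   # never classified
    ]
    print(breach_statement(exposed))
```

The `untagged_as` default is the policy decision worth arguing about with the audit team: rating unclassified data as Low would reward not finishing the classification exercise, so the example fails closed and lets the caller relax it explicitly.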
Definitions:
Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
References:
SANS: Information Classification - Who, Why and How
CSO Online: What security leaders need to know about breach communication
iso27001security.com: Information Classification Policy template
Carnegie Mellon: Guidelines for Data Classification
FIRST: CSIRT Case Classification (Example for Enterprise CSIRT)
Carnegie Mellon: Handbook for CSIRTs.
http://www.databreachtoday.com/blogs/importance-data-classification-p-1153
GIAC: An Introduction to the Computer Security Incident Response Team
CERT: CSIRT Frequently Asked Questions (FAQ)
IAPP: Communicating a Breach: Best Practices and Examples
Your Guide for Data Breach Crisis Communication
Computer Weekly: Lack of data classification very costly to firms, says survey
DHS: Cyber Risk Management and Cybersecurity Insurance