
Tuesday 17 May 2016

CSIRT: Classifying the Severity of a Breach


We are all aware of the need and value of Classifying our Corporate Data. We all have embedded Information Classification into our Security Policy Framework, and many of us have even gone through the exercise of tagging and classifying our data.  (Read that last sentence as "a vast majority of us have either not started or not completed this daunting exercise").


One tangible outcome of performing an Information Classification exercise is being able to effectively communicate the impact of a potential Information Security Breach.  

I was asked recently to provide guidance to the Executive and Audit team of one of my clients to help identify and classify severity levels related to Breach Communication. They wanted a system to "value" the outcome of any potential Data Breach, should one happen.

I was told to constrain my scope to a High, Medium, Low classification model.

Using their own Information Classification Policy, I was able to quickly provide the following model, and thought it a valuable lesson for others in this situation.


Please feel free to use this or any portion thereof to assist in your own CSIRT exercises.




Information Security Breach Impact Classification

ABSTRACT: 
This document, based upon  's Information Classification Policy, provides a basic model to identify and classify the potential impact of a loss of data in the event of an Information Security Breach. This information can provide guidance in Communicating your Breach, as well as in determining requirements and constraints for acquiring CyberSecurity Insurance. 

Significance of Breach:
- High Level Breaches
- Medium Level Breaches
- Low Level Breaches

A High level Breach would be considered any breach that exposed PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or its Partners/Clients/Vendors.
RESTRICTED

The ‘RESTRICTED’ classification is assigned to data that, if corrupted, disclosed without authority or lost, might result in a critical loss to .
Example:
‘RESTRICTED’ information includes but is not limited to personal identifiable information (PII), employees’ medical history, Credit Card information, Bank account information, and encryption keys and passwords.

A Medium level Breach would be considered any breach that exposed Corporate Confidential Information, but not PII, PCI, PHI, or Corporate Restricted Information pertaining to either  or its Partners/Clients/Vendors.
CONFIDENTIAL

The ‘CONFIDENTIAL’ classification for information is assigned to data that, if corrupted, lost or disclosed without authority, might result in important or significant loss to  .
Example:
‘CONFIDENTIAL’ information includes confidential business proposals, customer information, HR information such as employment contracts and compensation, and general financial data.

A Low level Breach would be considered any breach that either exposes no data, or only Corporate Internal Information. A Low Level Breach does not expose Corporate Restricted or Confidential Information, PII, PCI, or PHI Information pertaining to either  or its Partners/Clients/Vendors.
INTERNAL

The ‘INTERNAL’ classification is used to denote information that may be shared within   but is restricted from general release to the public.
Example:
‘INTERNAL’ information includes training manuals, procedures and communications to all employees.

Definitions:
Personally Identifiable Information (PII), or Sensitive Personal Information (SPI), as used in Canadian, US, and European privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Protected Health Information (PHI) generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care.
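The High/Medium/Low model above reduces to a small triage rule: the worst classification or regulated data category found in the affected inventory decides the level. The routine below is an added example, not tooling from this post or the client; the record inventory, its field names and the choice to refuse a rating when data was never classified are assumptions.

```python
"""Breach severity triage for the High/Medium/Low model described above.

Added example, not tooling from the post or its client. It assumes a
constructed inventory of affected records, each tagged with the policy's
classification label and the regulated data categories it contains.
"""
from dataclasses import dataclass, field

# Regulated categories that make a breach High regardless of the label.
HIGH_DATA_TYPES = {"PII", "PCI", "PHI"}
KNOWN_LABELS = {"RESTRICTED", "CONFIDENTIAL", "INTERNAL", "PUBLIC"}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class AffectedRecord:
    name: str
    classification: str                 # label from the classification policy
    data_types: set = field(default_factory=set)   # e.g. {"PII", "PCI"}
    owner: str = "company"              # company, partner, client or vendor


def classify_breach(records):
    """Return (severity, reasons); the highest level among all records wins."""
    severity, reasons = "LOW", []
    for r in records:
        label = r.classification.upper()
        if label not in KNOWN_LABELS:
            # Assumption: data that was never classified cannot be rated; the
            # inventory must be classified before the model can be applied.
            raise ValueError(f"{r.name}: unclassified data, cannot rate breach")
        hits = HIGH_DATA_TYPES & {t.upper() for t in r.data_types}
        if label == "RESTRICTED" or hits:
            level, why = "HIGH", label + (f" containing {sorted(hits)}" if hits else "")
        elif label == "CONFIDENTIAL":
            level, why = "MEDIUM", "CONFIDENTIAL"
        else:
            level, why = "LOW", label   # INTERNAL or PUBLIC only
        reasons.append(f"{r.name} ({r.owner}): {why} -> {level}")
        if RANK[level] > RANK[severity]:
            severity = level
    return severity, reasons


# Constructed sample inventory for a hypothetical incident.
SAMPLE = [
    AffectedRecord("training-manuals", "Internal"),
    AffectedRecord("vendor-proposals", "Confidential", owner="vendor"),
    AffectedRecord("payroll-export", "Restricted", {"PII"}),
]

if __name__ == "__main__":
    sev, why = classify_breach(SAMPLE)
    print(sev)
    print("\n".join(why))
```

Note that a record labelled CONFIDENTIAL but found to contain PII is still rated High, which matches the model's rule that PII/PCI/PHI exposure is High regardless of the label applied.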


