Data Classification - Effective? Has it ever been or really worked?
June 2nd, 2008 Drazen Drazic Posted in Disclosure Laws, Dumb Security, Risk Management, Vulnerability Management |
I was talking to a colleague the other day and we started on “data classification”. Yeah, must have been an interesting conversation to be sitting in on.
Neither of us could recall ever seeing what could be termed a successful implementation, if that is the right word for it. How would you judge one anyway? That’s a big question in itself.
Amazingly, I’ve seen a heap of implementations where organisations believed they had it under control but could not understand the question when I asked them about their “Data: Storage, Transmission, Transport and Disposal” policy. “What do we need that for?!” Hmmm…..
Well, for a start, and think about it if you’re not with me at the moment, what’s the purpose of classifying data if you don’t have these accompanying rules for “treatment” of data as part of, or as a support policy to, the data classification policy?
Don’t get me wrong, end-to-end data protection (secure treatment of data) is tough work and near impossible, but don’t cloud the issue nor be lulled into some belief that classification in its own right has been a major step towards a more secure environment. Okay, I’ve classified the data…..now what?
Nothing new, and I think I’ve rambled on about this before a few times. I was just thinking about it again and wondering if things have really changed much at all in this area. As usual, keen on your thoughts. What have you seen? Am I missing something here?

June 3rd, 2008 at 2:11 pm
As with most things, if you do it properly, it will work. If you don’t, it won’t work and will turn into an enormous waste of time and money.
Data Classification (when done properly) is not only effective but essential in the efficient and effective implementation of security within an enterprise.
The first part of risk management is understanding your assets - if you get this wrong, nothing else will be right. Data is a pretty important asset for most organisations.
June 3rd, 2008 at 9:01 pm
Data classification, isn’t that the policy orgs write to complete the policy set so they can show their regs & auditors they have one? I mean, nobody actually does it… right? I’m yet to see one. I mean, they might buy a product here and there that somehow relates to data security… but actually protecting it (DBMS, mail, shares, etc.)? Nah, can still get it all. But lock down that slow USB port, never mind the 100Mb network or disk that sends the data out of the org. Data classification means you have to know what data you have… most orgs are still trying to work out what users, systems and apps they have! #secured web post
June 4th, 2008 at 8:11 am
I have seen it enforced and working in many Australian Federal Government agencies.
For some good ideas around how to do it, have a look at ACSI33 from the http://www.dsd.gov.au site.
June 5th, 2008 at 7:03 am
You need to define success. I think you confuse success with perfection. In Defence it has worked in that we have a policy and process that should be followed and in the main is. There are however constant data leakages - but our awareness of this is a result of the classification policy. Data classification is a classic social engineering hack - it does have to factor in laziness and stupidity.
June 5th, 2008 at 9:57 am
Hey Duncan, thanks for the response. Good point and agreed. How often do we see things like this one:
http://blogs.zdnet.com/projectfailures/?p=603&tag=nl.e550
Where I was coming from was talk versus what’s in practice. I assume you guys don’t just have a data classification standard with no accompanying rules for how that classified data is to be treated?
June 5th, 2008 at 1:49 pm
Here’s my simple data classification idea (for non-govt orgs & orgs not bound by legislative requirements to the contrary):
ABC Inc’s Data Classification Policy:
*All* company data is confidential.
(That’s it!)
The advantages are:
* Easy to understand the policy (no confusion)
* No defence of ‘But I didn’t know it was confidential’
* Avoids the necessity to employ a full time company ‘data classifier’ = cost savings.
I await the responses
BG.
June 5th, 2008 at 3:42 pm
BG, I trust you realise you’re proposing to kill off the data classification industry?
Nice work.
June 5th, 2008 at 6:20 pm
Service and product classification leads to data classification. I submit ‘Critical’ and ‘non-critical’, thus ‘confidential’ and ‘non-confidential’, is appropriate.
In this modern age the complexity of service dependencies and complexities must be addressed also. Shared services and utility services facilitate higher level services, and as such, must be attributed similar if not higher ratings/classifications by virtue of the aggregate services utilising them. Erm…. critical or non-critical will do!
Data may be at rest or in motion. (Motion may entail local processing.) When does data become contextually useful ‘information’ and subsequently an intangible ‘asset’? Assigning a classification entails qualifying the requirements and, as such, describing an ontology and subsequent taxonomies.
“Information as a concept bears a diversity of meanings, from everyday usage to technical settings. Generally speaking, the concept of information is closely related to notions of constraint, communication, control, data, form, instruction, knowledge, meaning, mental stimulus, pattern, perception, and representation.” from:
http://en.wikipedia.org/wiki/Information
“I am referring to asset valuation—assigning values to information assets—and its stuttering, one-eyed, web-footed cousin, annualized loss expectancy (ALE).
From Chapter 2, “Defining Security Metrics,” you will recall that I do not have much use for the ALE method of risk assessment. At the risk (so to speak) of repeating myself, I think it is a total waste of time. Because neither the expected loss nor frequency can be estimated with precision or consistency, ALE quickly becomes an exercise in pointless spreadsheet engineering. The numbers that come out of any ALE analysis are guaranteed to be subjective and nonreproducible.
The same is true for most methods of asset valuation, except that there appears to be even less consensus on how one ought to estimate the value of information assets. Asset valuation is arguably the “third rail” of information security: you touch it and die. On my securitymetrics.org mailing list, we have had long, raging debates about how to put dollar figures on assets.” From Chapter 4, Security Metrics: Replacing Fear, Uncertainty, and Doubt (Andrew Jaquith)
Here’s a somewhat dated but fun crack at the infrastructure layers ‘Risk in a Box’ from yours truly: http://bsdosx.blogspot.com/2006/06/byo-rfc.html
June 5th, 2008 at 6:37 pm
There’s an industry?
June 6th, 2008 at 9:31 am
There certainly is.
Privacy Depts, Records Management Depts, Protective Security Officers, Freedom of Information (FOI) Coordinators, Agency Security Advisers, Legal Services Units….bloody toilet cleaners etc…
They’re all damn information classifiers these days.
I’m telling you Silky, it’s an industry, mate!

July 2nd, 2008 at 12:59 pm
Data classification is necessary. If you don’t have it - you have no sound foundation for any information security implementation. I know at least one place where it works - place where I work now.
It is necessary, but not sufficient.