Based upon the results of a just completed IT Audit of your organization’s IT department, operations and infrastructure, it has been noted by the Auditor that there exists no current, implemented data classification scheme for your IT environment.
In response to the Audit Report, your management has tasked you with the responsibility of designing a comprehensive data classification scheme for enterprise-wide IT.
Realizing that this is a huge assignment and will require many hours of work to complete, you decide to break down the job into definable sub-tasks and identify individual IT functions in which you will create appropriate data classification schemes.
Given the risk assessment you performed and the associated high priority within the organization, you determine that your first data classification scheme will address online communications and social media data.
Using the documents below, the textbook for this chapter and any additional materials you may identify, research and have authorized access to, develop a data classification scheme for your organization’s online communications and social media data.
Be certain that your classification scheme is complete, comprehensive, and addresses the essential elements of such a scheme as outlined at minimum, leveraging the materials which you have access to. It is important that your proposed classification scheme include examples of data to be included at each level of protection/classification.
Please use the following documents, to assist you in completing this assignment question:
- Data Classification – CNRN
- Data Classification – GWU
- Data Classification – NYC
- DoD Marking Classified Documents – DoD
- Department Of Defense Trusted Computer System Evaluation Criteria (The Orange Book) – ORANGE BOOK
The City of New York CITYWIDE INFORMATION SECURITY POLICY Updated August 1 7, 2012 Version 1.4 Data Classification Policy PUBLIC Use pu rsuant to Ci ty of New York gu ide lines Page 1 of 3 Data Classification Policy The Policy The Agency head or designee has responsibility for ensuring agency information assets are appropriately categorized and the appropriate degree of protection is applied based on its valuation. Background To ensure tha t business information assets receive an appropriate level of protection, the value of the information must be assessed to determine the requirements for security protection.
Business information assets are those that affect and are integral to the City’s ability to provide business services with integrity, comply with laws and regu lations, and meet public trust. Scope This policy applies to all information. Information is defined as anything spoken, overheard, written, stored electronically, copied, transm itted or held intellectually concerning the City of New York general business, information systems, employees, b usiness partners, or customers. Information Classification All information at the City of New York and corresponding agencies will be classified at one of four levels; public, s ensi tive, private, or c onfidential. • Public — This information might not need to be disclosed, but if it is, it shouldn’t cause any damage. • Sensitive — This information requires a greater level of protection to prevent lo ss of inappropriate disclosure. • Private — This information is for agency use only, and its disclosure would damage the pub lic trust placed in the agency. • Confidential — This is the highest level of sensitivity, and disclosure could cause extreme damage to the agency’ s ability to perform its primary business function. Datasets containing information whose disclosure could lead directly to massive financial loss, danger to public safety, or lead to loss of life is classified a s confidential . Information Valuation and Ca tegorization 1) Ensure that business information assets receive an appropriate level of protection.
The value of the information must be assessed to determine the requir ements for security protection. 2) All information assets must be valued and categorized. 3) Inf ormation assets must be evaluated, valued and categorized by the D ata Steward on a regular basis. 4) To ensure that appropriate protection is provided, the value of information should be determined before transmission o ver any communications network. The City of New York CITYWIDE INFORMATION SECURITY POLICY Updated August 1 7, 2012 Version 1.4 Data Classification Policy PUBLIC Use pu rsuant to Ci ty of New York gu ide lines Page 2 of 3 Data Ste ward 5) The Data Steward is normally someone who is responsible for or dependent on the business process associated with the information asset, and who is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise process ed . 6) The Data Steward is responsible for determining the appropriate value and categorization of the information genera ted by the owner or the Agency. 7) The Data Steward must communicate the information value and categorization when the information is release d or provided to another entity. 8) The Data Steward is responsible for controlling access to his/her information and must be consulted when other entities w ish to extend access authority. Information Labeling 9) Information within systems or processes must be m arked appropriately to ensure that users will be aware of the sensitivity of the information and how it should be protected and controlled. Appropriate marking of mission critical info rmation includes marking it as public, sensi tive, private, or confidenti al. 10) All copies or reproductions maintain the same level of classification as the original. 11) Aggregation of data with different classification levels require reevaluation to determine if a new level o f classification is needed. 12) All personally identifiable in formation should be clas sified at a minimum as private. Information Protection 13) Protective measures must take into account the value associated with unauthorized access or loss of informat ion assets. 14) Private or confidential data sent across any network conn ection must be encrypted in accordance with the Citywide Encryption Standard. 15) Private or confidential data stored in a database or file system must be encrypted in accordance with the Citywide Encryption Standard. Alternatively, approved database securit y gateway technology may be used in lieu of encryption to protect private data at rest. The City of New York CITYWIDE INFORMATION SECURITY POLICY Updated August 1 7, 2012 Version 1.4 Data Classification Policy PUBLIC Use pu rsuant to Ci ty of New York gu ide lines Page 3 of 3 Document Revision History Date Description July 28, 2008 Version 1.2 Issued. June 16, 2011 Version 1.3 Updated header with new NYC logo and added this revision history table to the document . Aug 17 , 2012 • Version 1.4 Update description of confidential data on page 1 (added “Datasets containing information whose disclosure could lead directly to massive financial loss, danger to public safety, or lead to loss o f life is classified as CONFIDENTAL.” • Added bullets 14 and 15 to match the language used in Encryption Policy.