Domain 2: Classifying Data Flashcards
Unauthorized disclosure could cause exceptionally grave damage to national security
Classification label
Top Secret
Unauthorized disclosure could cause serious damage to national security
Secret
Unauthorized disclosure could cause damage to national security
Confidential
A formal determination of whether a user can be trusted with a specific level of information
Clearance
A document approved from the data owner that outlines all the rules and requirements for accessing data, as well as the consequences should the data become lost, destroyed or compromised.
Formal Access Approval
Sensitive info should not persist beyond a certain period or legal requirement, as this needlessly exposes the data to threats of disclosure when in fact the data is no longer needed.
Retention
AKA senior management creates the InfoSec program and ensures it is properly staffed and funded
Business or Mission Owners
- Manager who is ultimately responsible for the data of an organization i.e. CEO, president, dept. head
- They determine data sensitivity labels and frequency of data backup
Data Owners
- Manager responsible for the actual computer that houses the data.
- Typically the same person as the data owner, but this can be delegated to someone else
Asset Owner or (System Owner)
Responsible for granting appropriate access to personnel.
Administrators
- Personal that provides day-to-day tasks relating to the handling the data
- i.e. perform data backups, patch systems, configure antivirus, etc.
- i.e. personal in the IT dept. or the security admin.
Custodian
- Users that create and manage sensitive data within an organization
- i.e. Human Resources
Data Controllers
- Manages data on behalf of data controllers
- i.e. outsource payroll company (Paycom)
Data Processors
- Created in 1980’s by the DoD to impose security standards for computers the gov purchased and used
- Orange book of the rainbow series
- Replaced by International Common Criteria
Trusted Computer System Evaluation Criteria (TCSEC)
What are TCSEC categories?
Category A Verified protection (Highest level of protection)
Category B Mandatory protection
Category C Discretionary protection
Category D Minimal protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- In the development cycle for systems each phase is documented, evaluated, and verified before moving to the next step
Category A Verified protection (Highest level of protection)
- Trusted Computer System Evaluation Criteria (TCSEC) category
- More granularity of control is mandated
- Used to allow very limited sets of subjects/objects
Category B Mandatory protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- Systems in this category do provide some security controls but are lacking more sophisticated and stringent controls that address specific needs for secure systems
Category C Discretionary protection
- Trusted Computer System Evaluation Criteria (TCSEC) category
- Reserved for systems that have been evaluated but do not meet requirements to belong to any other category
Category D Minimal protection
- Part of the rainbow series
- Gov standards relating to networking
- Now outdated
Red Book
- Part of the rainbow series
- Gov standards relating to password creation and management
- Now outdated
Green Book
- Users must have a security clearance and access approval that permits all info processed by the system
- A valid need to know only for the info they will access on the system
System high mode
- Users must have a security clearance, access approval, and a valid need to know for all info processed by the system
- All users on the system can access all the data on the system
- Enforced by admin personnel who physically limit access to the system
Dedicated mode
- Users must have a security clearance for all info processed by the system
- Access approval and a valid need to know only for info they will access on the system, (not for all the info processed by the system)
Compartmented mode
