Chapter 1: Asset Security – Asset and Information Classification

Introduction (Objective/Intended Learning Outcome):

Asset always require protection based on various security, compliance and policies. Accidental or
intentional changes and disclosure of Assets can compromise security in different levels.

At the end of the chapter, students are expected to:

1. Establish a process of knowing Assets, Asset and Information Security and their
classifications types based on its level of sensitivity, value and criticality.
2. Recognize schemes to protect privacy.
3. Warrant suitable data retention.

Motivation:

I bet you have your own Social Media account! Who can view your Facebook Profile? Is it just your
Facebook friends or is it open for everyone to see? Do you know why Privacy Settings exist in
Facebook? We need to understand that not all data are equal. Information can be sensitive and
should not be available to everyone.

Watch This:

https://www.youtube.com/watch?v=ytvnN6xI4cc

Let’s get to know more about Asset and Information Classification and understand why they
matter.

Lesson Proper
Topic 1: Understanding Asset
What is Asset?

Asset is generally defined as anything useful or valuable, a person or a quality. But in the
realm of Information Security and Information Technology, asset is anything important to the
organization, such as partners, employees, facilities, devices, properties, sensitive data and
information.i In other words, anything that has value and supports the operation of a business can
be considered an asset.

1|Page
 In this perspective, assets can also include sensitive data, the hardware being used to
process it, and the media which are used to hold it.

Define Sensitive Data:

Sensitive data is any information that isn’t public or unclassified. It can include confidential,
proprietary, protected, or any other type of data that an organization needs to protect due to its
value to the organization, or to comply with existing laws and regulations.

That means to say, that anything classified as Sensitive Data must be protected from
unauthorized access because the misuse, modification or loss of an organization’s most sensitive
data can damage a business, ruin customer trust, breach of customer’s privacy, affect security and
in an extreme case, international relations of nations.ii

Personal Identifiable Information

Personally Identifiable Information (PII) is any information that can be used for the purpose
of identifying, locating or contacting any specific individual, either combined with other easily
accessible sources or by it.iii PII includes an individual’s medical, employment, financial or
educational records, a name, email address, biometric data, telephone number, fingerprints or
social security number.iv

One simple example is that, all the information you share in your Social Media Account
such as your complete name, birthday, address, the name of the company that you work for, and
any other personal details about you is considered as PII. If this information is compromised, they
can be used against you. It’s a good thing that many laws require organizations to notify
individuals if a data breach of PII occurs.

Protected Health Information

Protected Health Information (PHI) is any information related to the health status, health
care provision or health care payment that can further be linked to any specific individual.v
PHI involves history, the current condition, or the future health of an individual, either in
physical or mental terms. In general, PHI can be utilized for the identification of any specific
individual and the disclosure of one’s PHI without consent is definitely prohibited.
Proprietary Data

The term Proprietary Data (Troy Holmes, 2020) is used to describe data that is owned by
an individual or organization, which is deemed important enough that it gives competitive
advantage that individual or organization. This data can be protected under copyright laws, or
patents.
To add, proprietary data could be a software code, intellectual property, trade secrets or
processes. If competitors or criminals are able to access the proprietary data, it can seriously affect
the primary mission of an organization.

Summary:

Asset is anything tangible or intangible and of great importance. Information that is tagged
as sensitive should be protected and must be made available for authorized people only. PII, PHI
and Proprietary Data are considered as Sensitive Data.

2|Page
Topic 2: Overview of Asset Security – Information and Asset Classification

What is Asset Security?

According to CISSP (Certified Information Systems Security Professional), Asset Security

always includes the structures, principles, concepts and standards targeted at monitoring and
securing assets, and those controls that enforce several levels of Confidentiality, Integrity and
Availability.
There are several steps to be taken in Asset Security and one of the initial steps is
Classifying and Labeling Assets. Most of the time, organizations include classification definitions
within a security policy and the assigned personnel label the assets appropriately based on the
security policy requirements.

Data Classification
In Information Security, data classification refers to the classification of data according to its
value, its level of sensitivity and the impact to the organization or a company should that data be
disclosed, altered or destroyed without authorization. It is a fundamental component of any
security program. It is the framework for how IT security that ensures the protection of a
business’s most sensitive information.vi The classification of data helps determine what baseline
security controls are appropriate for safeguarding the integrity and confidentiality of the data. vii

A. The Government/Military Classification:viii

Top Secret – It is the highest level in this classification scheme. The unauthorized disclosure of such
information can be expected to cause exceptionally grave damage to the national security.
Example is the disclosure of spy satellite information.

Secret – Very restricted information. The unauthorized disclosure of such data can be expected to
cause significant damage to the national security.

Confidential – This category encompasses sensitive, private, proprietary and highly valuable data.
The unauthorized disclosure of such data can be expected to cause serious, noticeable damage to
the national security.

Note!! These three levels of data (Top Secret, Secret and Confidential) are collectively
known as ‘Classified’ data and these three are specific to government agencies.

3|Page
 Unclassified – It is the lowest level in this classification scheme. Furthermore, this data is neither
sensitive nor classified, and hence it is available to anyone through procedures identified in the
Freedom of Information Act (FOIA).

B. The private sector classification scheme:

Confidential – It is the highest level in this classification scheme. This category is reserved for
extremely sensitive data and internal data. A considerable amount of damage may occur for an
organization given this confidential data is divulged. Proprietary data, among other types of data,
falls into this category.

Private – Data for internal use only whose significance is great and its disclosure may lead to a
significant negative impact on an organization. All data and information which is being processed
inside an organization is to be handled by employees only and should not fall into the hands of
outsiders.

Sensitive – A classification label applied to data which is treated as classified in comparison to the
public data. Negative consequences may ensue if such kind of data is disclosed.

Public – The lowest level of classification whose disclosure will not cause serious negative
consequences to the organization. For example, the general public can be aware of the
organization’s upcoming projects.

To make the purpose of Classification of Data clearer, here’s a real life example:

In late November 2014, Sony Pictures Entertainment was hacked by a group calling itself the
Guardians of Peace. The hackers posted five Sony movies (four unreleased) to file-sharing
networks. They also leaked thousands of confidential documents — everything from private
correspondence among Sony executives to salary and performance data about Sony employees.
The password-protected files were sent to journalists.ix

Here is how the whole private sector classification looks like in the context of the Sony data
breach in November 2014:

“Confidential/Proprietary/” Level – unreleased movies

“Private” Level – salary information on 30,000 employees
“Sensitive” Level – lists of laid-off or dismissed employees; embarrassing emails
“Public” Level – Sony managed to protect the integrity of such information provided by them (e.g.,
on their website)

You should remember that in contrast to the strict government/military classification scheme,
companies can use any labels they desire. Also, the data classification program does not need to
be overly complex and sophisticated. Simple logic that reflects the company’s policies, goals, and
common sense would probably suffice.

Summary:

Asset Security involves securing assets by setting up guidelines and policies. Labeling and
classifying assets according to its value and level of sensitivity are some of the initial steps to be
taken. Two classifications of asset are being used today. These are Government/Military
Classification and Private Sector Classification Scheme.

4|Page
Topic 3: Data Privacy

Data Privacy - Data privacy or information privacy is a branch of data security concerned with the
proper handling of data – consent, the policies that govern the collection, storage, use of PII and
proprietary corporate information and regulatory obligations.x

Data Security - Whereas data privacy is implemented through a set of policies and procedures
designed to safeguard the privacy of data, data security involves using physical and logical
strategies to protect information from data breaches, cyberattacks, and accidental or intentional
data loss.xi

Data Ownership - The transit of information must complete its life cycle successfully.
The various entities that make the life cycle successful include the data owners, data custodian,
system owner, security administrator, supervisor, and user. Each has a unique role in protecting the
organization’s assets.

The Data Owner, or Information Owner, is an individual who is accountable for a data asset or a
manager who ensures data protection and determines the classification level.
The following are some of the responsibilities associated with the data owner:xii
a. Compliance – ensuring compliance to regulations,policies and standards.
b. Data Control – defining, implementing and governing data controls to manage risk, securr
data and ensure data quality.
c. Administration – Administration of data is often assigned to a role known as a data
custodian.
d. Access – Controlling access to the data. Example is approval and review process fro
requests to take a copy of a database.
e. Business Value – making sure that data assets serve their intended business purpose.

The Supervisor, or User Manager, is responsible for overseeing the activities of all the entities
aforementioned above. xiii

Destroying Sensitive Dataxiv

Data Remanence. is data that persists beyond noninvasive means to delete it. With many data
storage techniques, information can be recovered using specialized techniques and equipment
even after it has been overwritten. Though data remanence is sometimes used specifically to refer
to residual data that persists on magnetic storage, remanence concerns go beyond just that of
magnetic storage media.

The following list includes some of the common terms associated with destroying data:

Erasing – Erasing media is simply performing a delete operation against a file, a selection of files, or
the entire media. In most cases, the deletion or removal process removes only the directory or
catalog link to the data. The actual data remains on the drive. As new files are written to the media,
the system eventually overwrites the erased data, but depending on the size of the drive, how
much free space it has, and several other factors, the data may not be overwritten for months.

Wiping – Wiping, also called overwriting or shredding, writes new data over each bit or block of file
data. One of the shortcomings of wiping is when hard disks become physically damaged,
preventing the successful overwriting of all data.

5|Page
Sanitization – Sanitization is a combination of processes that removes data from a system or from
media. It ensures that data cannot be recovered by any means. Sanitization can refer to the
destruction of media or using a trusted method to purge classified data from the media without
destroying it.

Degaussing – A degausser creates a strong magnetic field that erases data on some media in a
process called degaussing. Technicians commonly use degaussing methods to remove data from
magnetic tapes with the goal of returning the tape to its original state. It is possible to degauss
hard disks, but we don’t recommend it. Degaussing a hard disk will normally destroy the
electronics used to access the data. However, you won’t have any assurance that all of the data on
the disk has actually been destroyed. Someone could open the drive in a clean room and install the
platters on a different drive to read the data. In contrast, solid state drives (SSDs) use integrated
circuitry instead of magnetic flux on spinning platters. Because of this, SSDs do not have data
remanence and degaussing them won’t remove data. Due to these risks, the best method of
sanitizing SSDs is destruction.

Destruction – Destruction is the final stage in the life cycle of media and is the most secure method
of sanitizing media. When destroying media it’s important to ensure that the media cannot be
reused or repaired and that data cannot be extracted from the destroyed media. Methods of
destruction include incineration, crushing, shredding, disintegration, and dissolving using caustic or
acidic chemicals. Some organizations remove the platters in highly classified disk drives and
destroy them separately.

Summary:

Data security and privacy remain the up-to-the-minute topics because of the persistent
threats from cyber-attacks. Thus, the need of cyber security is growing exponentially. Data
Ownership should always be determined as Data Owners are the ones accountable for the security
and protection of data. Destroying sensitive data is as important as securing them and there are
several ways to do it.

6|Page
Topic 4: Data Retention

What is Data Retention?

Data retention, also called records retention, is the continued storage of an organization's
data for compliance or business reasons. It involves retaining and maintaining important
information as long as it is needed and destroying it when it is no longer needed. An organization’s
security policy or data policy typically identifies retention timeframes. Some laws and regulations
dictate the length of time that an organization should retain data, such as three years, seven years,
or even indefinitely. However, even in the absence of external requirements, an organization
should still identify how long to retain data.

Retention Policies

To ensure that all necessary data is stored properly, an organization's IT administrators can
work with the organization's legal team and departmental business owners to create a data
retention policy - an organization's established protocol for retaining information for operational or
regulatory compliance needs. This policy includes a set of guidelines that describes which data will
be archived and how long it will be kept. Establishing a policy can reduce the organization's
storage costs by allowing documents that are no longer needed to be deleted or moving files that
aren't accessed as frequently to a lower-level storage tier in an archive.

Summary:

Data Retention is the process of keeping and maintaining important information of a

company or an organization. How long to retain data and to ensure its safe-keeping, Retention
Policies are necessary.

7|Page
i
https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/#gref
ii
https://www.upguard.com/blog/sensitive-data
iii
https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
iv
https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf
v
https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/protecting-
privacy/#gref
vi
https://www.packetlabs.net/data-classification/
vii
https://www.cmu.edu/iso/governance/guidelines/data-classification.html
viii
https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-
security/information-and-asset-classification/#gref
ix
https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea
x
https://www.varonis.com/blog/data-privacy/
xi
https://blog.netwrix.com/2019/06/25/data-privacy-vs-data-security-what-is-the-real-difference/
xii
https://simplicable.com/new/data-owner
xiii
https://link.springer.com/referenceworkentry/10.1007%2F0-387-23483-7_95
xiv
https://www.pdfdrive.com/cissp-7thpdf-d33415633.html

8|Page