18 Dec

Network Security 101 – Data Classification

Ok, this really isn’t that difficult.

There are two main classification schemes for data objects; the most well-known is used by the US Government for protected national information.It uses terms, now made somewhat clichéd in popular media. The other generally used schema is for the private sector.

Common Classification Systems

Governmental Objects

  • Unclassified
  • Sensitive but Unclassified (SBU)
  • Confidential
  • Secret
  • Top Secret

Enterprise (Private Sector) Objects

  • Public
  • Sensitive
  • Private
  • Confidential

The other component of any classification scheme is the subject. There three categories of subject within a data classification system, they are as follows:

Classification Subjects

  • Data Owner
  • Data Custodian
  • Data User

In classification systems, the Data Owner is not necessarily the creator of the object, but instead the individual who will be held responsible (and perhaps liable) if an information breach of the data occurs. The Owner classifies the data. The Custodian is relied upon by the Owner to maintain a security implementation consistent with the security policy. This role is often fulfilled by a System Administrator, Security Officer, or similar title. Lastly, the Data User can be anyone authorized to consume the data.

One of the most obvious examples of how classification functions is under Mandatory Access Controls (MAC). In a MAC system, the authorized level of the Subject must be greater or equal to that of the Object for that subject to be able to consume the data. So a subject with Secret level clearance could consume a Secret level object, but not one with a Top Secret classification. Such a strict system is not needed at most private companies; I used it for illustration only.

Data Ownership

Classification and Security are not interchangeable concepts. The Information Services departments ar responsible for Security by protecting against breaches in Confidentiality, Integrity, and Availability (CIA).

Heres some definitions straight from wiki:


Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.


In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.


For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

IS cannot be responsible for classifying the data of other divisions. My own long standing security axiom states:

Responsibility cannot be assigned, it can only be accepted.

Data classification is the result of the owner’s in-depth knowledge of the subject and analysis.As an example, it would be inappropriate for Human Resources to require that the Engineering department classify private employee data in such a way that prevents HIPAA violations.

However, once the data is classified, then the IS division can be entrusted to protect it at a commensurate level.

See.  Told you it wasn’t that hard.