In the context of the CISSP exam, Data Sensitivity refers to the level of importance or confidentiality assigned to information based on its potential impact if it were disclosed, altered, or destroyed without authorization. Understanding data classification and data sensitivity is critical to implementing proper security controls and policies to protect information.
Here’s a breakdown of Data Sensitivity concepts relevant to the CISSP exam:
1. Data Classification
Data classification involves categorizing data based on its level of sensitivity, which helps in determining how the data should be handled, stored, and protected. The goal is to ensure that sensitive information is treated with the appropriate level of security.
Common Classification Levels:
- Top Secret / Highly Sensitive: This data is highly confidential and would cause severe damage to an organization or national security if disclosed. In a corporate setting, it could be strategic plans, intellectual property, or proprietary data.
- Secret / Confidential: This classification is for information that, if disclosed, would cause serious harm to the organization or individual. Examples include internal financial records, personal information, and trade secrets.
- Sensitive but Unclassified (SBU) / Private: Data at this level could cause moderate harm if exposed. It may include personal data (PII) or company details not intended for public release.
- Public: This data is intended for public distribution and poses minimal risk if disclosed. Public-facing information like marketing materials or public reports would fall into this category.
Classification in Government and Military:
- Top Secret: Data that requires the highest level of protection due to its potential to cause grave damage to national security.
- Secret: Data that could cause serious damage to national security if compromised.
- Confidential: Data that could cause damage to national security.
- Unclassified: Data that requires no specific protections, though it may still have some restrictions.
2. Data Sensitivity and Risk
Data sensitivity is tied to the risk of unauthorized access, disclosure, or alteration of data. The risk to an organization increases with the sensitivity of the data, making appropriate security measures critical for highly sensitive data.
The C-I-A Triad is often used to define how sensitive data should be protected:
- Confidentiality: Preventing unauthorized disclosure of sensitive information.
- Integrity: Ensuring that data has not been tampered with or altered without authorization.
- Availability: Ensuring that authorized users can access data when needed.
3. Handling Sensitive Data
Handling data based on its sensitivity level involves implementing specific controls to protect its confidentiality, integrity, and availability. The controls include:
- Encryption: Ensuring that sensitive data is encrypted both at rest and in transit to protect it from unauthorized access.
- Access Controls: Restricting access to sensitive data to only those individuals or systems that require it. This is typically achieved through role-based access controls (RBAC) or attribute-based access controls (ABAC).
- Data Masking and Tokenization: These techniques help protect sensitive data by obscuring or replacing sensitive parts with placeholder tokens. This is especially useful in development and testing environments.
- Auditing and Monitoring: Continuously monitoring access to sensitive data and keeping audit logs can help detect and respond to unauthorized access attempts.
- Data Loss Prevention (DLP): Systems designed to detect potential data breaches and prevent sensitive data from leaving an organization.
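The difference between masking and tokenization, shown as an added example (not part of the original guide) that prepares production rows for a test environment: the card number is masked irreversibly, while the customer identifier is tokenized so records can still be joined. The names `mask`, `TokenVault` and `sanitize_for_test`, the `tok_` prefix and the sample rows are assumptions made for illustration.

```python
import secrets

def mask(value, keep_last=4, fill="*"):
    """Masking: hide every letter/digit except the last `keep_last`.
    Separators stay so the format is recognisable; the output cannot
    be turned back into the original."""
    total = sum(c.isalnum() for c in value)
    keep = keep_last if total > keep_last else 0   # short values: hide all
    seen, out = 0, []
    for c in value:
        if c.isalnum():
            seen += 1
            out.append(c if seen > total - keep else fill)
        else:
            out.append(c)
    return "".join(out)

class TokenVault:
    """Tokenization: swap a value for a random token. The mapping lives
    only in the vault, which stays in the protected environment."""
    def __init__(self):
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)   # random, not derived
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]    # same input -> same token (joins work)

    def detokenize(self, token, authorized):
        if not authorized:
            raise PermissionError("detokenization requires authorization")
        return self._by_token[token]

def sanitize_for_test(rows, vault):
    """Copy production rows into a form safe for a dev/test database."""
    return [{"customer": vault.tokenize(r["customer"]),
             "card": mask(r["card"]), "amount": r["amount"]} for r in rows]

# Constructed sample rows, not real records.
PROD_ROWS = [
    {"customer": "alice@example.com", "card": "4111-1111-1111-1111", "amount": 42},
    {"customer": "bob@example.com", "card": "5500-0000-0000-0004", "amount": 7},
    {"customer": "alice@example.com", "card": "4111-1111-1111-1111", "amount": 13},
]

if __name__ == "__main__":
    for row in sanitize_for_test(PROD_ROWS, TokenVault()):
        print(row)
```

Only the vault can reverse a token, so the test copy is only as safe as the separation between it and the vault.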
4. Data Sensitivity Lifecycle
Data sensitivity should be considered throughout the entire data lifecycle, which consists of the following phases:
- Creation or Collection: Data is created or collected, and it is classified according to its sensitivity level.
- Storage: Data is stored securely using encryption, access controls, and backups based on its sensitivity.
- Usage: Data is accessed, modified, or used in daily operations, ensuring that access is controlled and monitored.
- Sharing: Sensitive data should be shared only with authorized individuals and systems, using secure communication methods like encrypted email or file transfer.
- Archiving: Old or infrequently accessed data is archived securely but may still require access controls and encryption based on its sensitivity.
- Destruction: Sensitive data that is no longer needed should be destroyed securely, using methods like data wiping or physical destruction of storage devices.
5. Legal and Regulatory Requirements
Many industries have legal or regulatory requirements for handling sensitive data. For example:
- GDPR (General Data Protection Regulation): Mandates the protection of personal data for individuals in the EU.
- HIPAA (Health Insurance Portability and Accountability Act): Requires the protection of personal health information (PHI) in healthcare.
- PCI DSS (Payment Card Industry Data Security Standard): Requires the protection of payment card information.
6. Marking and Labeling
Data that is classified based on sensitivity must be properly marked and labeled to ensure that those handling the data know its sensitivity level. Labels typically include:
- Classified Information Labels: Such as “Confidential” or “Top Secret.”
- Handling Instructions: For example, “Encrypt before transmission” or “Do not share without clearance.”
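How a marking can drive an automated handling check before a document is sent, as an added example that is not part of the original guide. The marking line format (`Classification: ...; Handling: ...`), the function names, and the rule that missing or unrecognised markings fail closed to the most restrictive treatment are assumptions of this example; the levels follow the government list above, and "clearance" is read here as a recipient level at or above the document's level.

```python
from enum import IntEnum

class Level(IntEnum):              # ordered, so levels can be compared
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Handling instructions this example recognises (taken from the text above).
KNOWN_HANDLING = {"ENCRYPT BEFORE TRANSMISSION", "DO NOT SHARE WITHOUT CLEARANCE"}

# Constructed sample marking in the hypothetical format.
SAMPLE = ("Classification: Secret; Handling: Encrypt before transmission, "
          "Do not share without clearance")

def parse_marking(first_line):
    """Return (level, handling set). Anything missing or unrecognised
    fails closed: highest level, every handling instruction applies."""
    fail_closed = (Level.TOP_SECRET, set(KNOWN_HANDLING))
    fields = {}
    for part in first_line.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().upper()] = value.strip().upper()
    name = fields.get("CLASSIFICATION", "").replace(" ", "_")
    if name not in Level.__members__:
        return fail_closed
    handling = {h.strip() for h in fields.get("HANDLING", "").split(",") if h.strip()}
    if not handling <= KNOWN_HANDLING:
        return fail_closed
    return Level[name], handling

def check_transfer(first_line, recipient_clearance, channel_encrypted):
    """Return the violations for sending the document; empty means allowed."""
    level, handling = parse_marking(first_line)
    violations = []
    if "ENCRYPT BEFORE TRANSMISSION" in handling and not channel_encrypted:
        violations.append("unencrypted channel")
    if "DO NOT SHARE WITHOUT CLEARANCE" in handling and recipient_clearance < level:
        violations.append("recipient clearance below " + level.name)
    return violations

if __name__ == "__main__":
    print(check_transfer(SAMPLE, Level.CONFIDENTIAL, channel_encrypted=False))
```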
7. Data Sensitivity and CISSP Domains
Data sensitivity spans multiple CISSP domains, particularly:
- Domain 2: Asset Security: Emphasizes the need to protect organizational data based on its sensitivity and criticality.
- Domain 5: Identity and Access Management (IAM): Focuses on controlling access to sensitive information through authentication, authorization, and accountability.
- Domain 7: Security Operations: Includes logging, monitoring, and incident response procedures for detecting and responding to unauthorized access to sensitive data.
8. Data Sensitivity Policies
Organizations should develop and enforce policies that dictate how sensitive data is handled. Policies should cover:
- Data Classification: Defining how to classify data based on its sensitivity.
- Data Access: Who can access specific classifications of data.
- Data Sharing: How and under what conditions data can be shared with third parties.
- Data Retention and Destruction: Defining how long sensitive data is retained and how it is securely destroyed.
Summary
For the CISSP exam, understanding data sensitivity is crucial for managing and protecting data according to its level of importance. This includes knowing how to classify data, handle it securely throughout its lifecycle, and apply appropriate security controls based on risk.
Data sensitivity links to various CISSP domains, making it a foundational concept in ensuring confidentiality, integrity, and availability (C-I-A) of sensitive information.