CCT 144: Data Classification and Protection for the CISSP Exam (Domain 2.1.1)
May 27, 2024As we honor the memory of those who have served and sacrificed, we also acknowledge the ever-present battlefield of cybersecurity. Today, we dissect the essentials of data classification, an integral aspect of Domain 2 in the CISSP exam, while paying tribute to Memorial Day. Join me, Sean Gerber, for a candid conversation where we unwrap the layers of Microsoft Copilot's recall feature and its privacy concerns, and we address how these advanced AI technologies intersect with the need for robust data protection strategies.
The safeguarding of sensitive information, particularly PHI and PII, is not just a compliance matter but a moral imperative. This episode offers an in-depth look at the administrative, technical, and physical controls that form the backbone of HIPAA regulations. We navigate through the critical elements of data security, from compliance training to incident response plans, and reveal why regular risk assessments are not just a checkbox on an auditor's list but a rehearsal for the unforeseen, ensuring your organization is primed for any eventuality.
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:
Let's go. Cybersecurity knowledge. All right, let's get started. Hey y'all, sean Gerber, with CISSP Cyber Training, and hope you all are having a great day today. Today is Memorial Day. Here in the great country United States we have Memorial Day to honor those that have fallen in the past previous wars for this country, so it's a little bit especially true to me. I've had some really great friends that have passed on that were part of many different conflicts, from World War II all the way up to the present day, so it's kind of a little bit of a bittersweet time, but it's actually also a time when in the United States, we have a little bit of a respite and so there is some break between having to work so hard. But not today. We have the CISSP Cyber Training going on for you today, so that is a positive right. So today we're gonna be getting into Domain 2. This is 2.1.1 and we're gonna be dealing with sensitive data and data classification.
Speaker 2:
But before we get started I wanted one small article that came up. I saw today as I was searching through the web on some see what's new in the news, and Microsoft Copilot has a recall feature that I was not aware of, that they have this and I don't know if it's thing it's instilling. It's going out in limited resources to people, but an interesting part around that is it has the ability to recall everything you did on your pc, which in of itself is a bit creepy, uh. So it has, and from a data privacy standpoint I think it's got challenges. I get why they're doing it, but, yeah, it will be interesting to see how this plays out and how many lawsuits will come of this. But basically what it does is there's an article that's on shared security and I guess there's a podcast that these folks have kind of put together as it relates to this overall recall feature. Now, this is you can watch the podcast and see what they have to say about it.
Speaker 2:
But let's just kind of get into it from a CISSP standpoint, what this thing does. And there's actually an X feed that you can go watch that will talk about kind of the synopsis of how it works. But more or less it is taking screenshots of everything you do inside your computer, so it's local on your system and it's allowing that the co-pilot product to then scan it all, and both from a text-based and from a visual jpeg type base and then it able to categorize that, and so then when you do a search on your pc, you'll be able to pull up in. In this case, the young lady on the video talks about a brown leather bag, and she just types in brown leather bag and it finds all that search content that she had on her device, all of the content period that is tied to a brown leather bag. So what it'll more or less do is it categorizes everything on your system.
Speaker 2:
Now there's pros and cons of that right. I mean the pros are the fact that it gives you much better granularity of what's on your system. From a data protection standpoint, it actually could be very useful as it relates to the Purview product and data labels and all of that. I mean there's a lot of great benefits that could come out of that from a data protection standpoint. The downside of it is it's scanning everything. So now how can this be used against you, potentially by hackers, and that could be bad. The ability of it, now that Microsoft you are trusting Microsoft to scan everything that goes on your computer and it stays local how do we guarantee that that stuff doesn't get out to somebody else? So heaven forbid, you go watch the Fuzzy Kitten Show and all of a sudden it's taking screenshots of the Fuzzy Kitten Show and now you have to deal with that and that gets leaked, and now all of the dog activists are very upset at you because you watched the fuzzy kitten show right. So I mean, all that stuff could be very bad. It could be manipulated in a way that is super bad. So we'll see how this plays out.
Speaker 2:
But this is more of the generative AI pieces that are coming in. I will admit I love AI. In some respects it's very helpful. It's very useful. I've had plenty of meetings where I would record the conversation in the meeting. Everybody knows they're being recorded and it would give you a detailed list of what's actually occurred and it'll give you tasks. I mean, it's awesome, very good productive tool, but on the flip side, you throw it in this direction. Yeah, it could get ugly really quick. So something for you all as CISSP people that want to understand the future from a senior leadership standpoint. Those are some concepts you're going to have to be aware of. You're going to have to work with your legal and compliance folks to make sure they're aligned, and you're going to have to probably do a lot of education with them on what are the controls you have in place to minimize some of the risks that are being encountered by this product? So great, it has options, looks cool, but we'll see how it plays out.
Speaker 2:
Okay, let us roll into our podcast today around defining sensitive data and data classification. Okay, so we're going to be getting into data classification concepts that are associated with the CISSP and asset security domain, which is domain two. So as we get into this, we'll start off. There's some terms that you all have probably been dealt with. There's also some terms that will come up that you haven't probably encountered during your time, as in security. So we're going to kind of go through all of those and then go with the assumption that some of this may be a little bit more basic for others, but others it may be introductory, they may learn it, and so let's just kind of hang on and see what we come up with.
Speaker 2:
So we're going to talk about defining sensitive data. When you're dealing with asset security, as it relates to domains domain two you are going to have to ensure that you have some level of defining and understanding what is considered sensitive within your company, and that will vary from company to company. If you're in a banking industry, that's financial data. If you're dealing with the medical industry, obviously it would be data tied to the individual, plus maybe health records. If you're dealing in the manufacturing space, it could be intellectual property that is sensitive to that company. So it varies from company to company.
Speaker 2:
But in the end of the day, there's some basic broke breaking broke down. I can't, I can't even speak. Some broke yeah, that it's real, let's break it down. Let's break it down, let's do a little bebop. No, sorry, sorry, my ADD kicked in. So we're dealing with PII. So PII is any information that can be used to identify an individual, either alone or when combined with other data. And PII I've talked to some compliance folks and they say well, that's an older term, pii, and it is, but it could just be PI. Some people go just personal information. Bottom line is PII. Pi it's anything that's tied to you, such as social security numbers, driver's license, passport numbers, credit card numbers, etc. Medical records. You got it. That's all tied to you.
Speaker 2:
Now there's regulations that help pull all this together and they're globally. So I'm just giving you two, but there's all kinds. You pretty much go to any country. They're going to have some level of regulation against this, or about understanding and protecting of what PII data is, and that would be the GDPR. Obviously, we talk about that because that's one of the big big dogs on the block, because one of the reasons is it's been around for so long, and also, two, the fact that the charges or the expense if you don't maintain those systems or don't protect that data, you can be fined substantially, especially if you're a global organization. It's like 4% of your GDP or your global, not GDP, your global gross profit or not gross profit, your global gross income would be 4%. So if you make a billion dollars, obviously 4% of a billion is 4% of a gob. So it's a lot. It's a lot. Then there's the California Consumer Privacy Act, ccpa. Obviously, look in the United States. Ccpa is probably one of the more restrictive laws around that and that does have some control over personal information In the United States.
Speaker 2:
Just to kind of put it in perspective, if you are studying for your CISSP and you get hired by a company many law firms and what you should consider as a CISSP or a CISO is to consider that if you look at the most restrictive state that has the most restrictive around PII or any other type of data and then emulate what they do, you'll probably be pretty safe, especially if there is a data breach and you have been trying to follow the controls. Based on that, you're usually at a much better position. That doesn't mean you're going to walk off scot-free, but you're in a much better position as it relates to the legal counsel or the legal position that you have with your company. Now, again, I'm not a lawyer, nor do I play one on TV. However, I would say that those are some key things for you to consider as a CISSP.
Speaker 2:
As it relates to public information, again, the terms PII will be synonymous with PI and also with personal identifiable data or PID. So PII, pi, pid yes, like follow the yellow brick road, okay. So region-specific terms. Obviously, in the EU you have GDPR. They consider personal data pii, so you're gonna have to. One thing you have to do as a ciso or as a security professional is you are going to have to translate what that means and in some cases, you're gonna have to translate that to some of your compliance and legal folks. Again, it depends on the size of your organization. You may have a very large organization and your folks are on top of it, you don't need to worry about it a whole lot. But if you get hired on by a smaller company, you may have to be the person who is acting like the compliance person as well as the security person. So just keep that in the back of your mind.
Speaker 2:
Canada, it's PIPEDA, which is very similar to PII, which is personal information electronics documents. That's a PIPA. And then in China, obviously, there's a PIPI. Yeah, it's the PIPA. Pipa has that and they also have PISS, which is your personal information security specification. That's an interesting acronym. I don't know if I'd say that one out loud, but anyway, that one is they have all kinds of stuff and it's the personal identifiable protection act that they also have in china. Bottom line is you just need to understand it. You probably won't see many of these other countries that are on the cissp. I'm saying probably doesn't mean you won't, but but they'll probably focus to be more US-based specific when it relates to those. So just keep that in the back of your mind. Government-specific classifications Some governments have additional classifications as it relates to, like. In the United States, the Social Security Administration has specific classification for Social Security numbers due to their high risk and identity theft. So, like I mentioned before, you're going to have to keep in mind that they will differ from country to country. Just know, if you understand the whole PI concept the personal identifiable information, then our personal information then that puts you off in a good position.
Speaker 2:
Now, in the United States, we have a thing called protected health information, or PHI. Now this ties into what we call HIPAA, h-i-p-a-a. Now, if you've seen some of my courses and you go, oh, you didn't spell that right. Yeah, you're right. A couple of people called me out on it. They're like yeah, dude, it's not a HIPAA. I'm like I get it. Okay, all right, I made a mistake. It's not two P's and it's just two A's, so it's HIPAA, not HIPPA. See, I goofed that up. So the Health Insurance Portability Accountability Act, and that is what came in place to help protect health records, and there are fines associated with the PHIs.
Speaker 2:
There's so many acronyms you can't keep them straight, and so the point of it is, though, is when you're dealing with any sort of PHI data, you need to make sure you protect it. If you treat all the data the same, as it relates to PHI, pii, all of that, you're going to be in a much, you're going to be in a really good place. You really are. There's also some frameworks that will help you with the HIPAA legislation, that kind of help, the controls that you want to put in place to protect PHI data. Now, the types of data would be medical history, treatment plans, billing information, genetic information, you name it. Anything that ties you back to the health records of an individual is considered protected data, and so, therefore, you have to put in controls enough to protect this health data.
Speaker 2:
Now, this is where, also, auditors will come in and they will check you to make sure you're doing it correctly, and I will tell you that the better you, the better knowledge you have on this and how the controls you have in place to protect the specific regulation, regulated data. When the auditors come in and I've been audited multiple times and they will start asking you questions. It's like in any test. It's like when you take the CISSP, that CAT test. You know it's the computer aided testing situation. If you are on top of your game and you can knock out the questions when they come up, you'll be done in a hundred questions. You're done. You walk home, bada boom, bada bing, you're out of there. However, if you flounder and you have some challenges with those tests, the CISSP is going to keep digging deeper and deeper and deeper to figure out what you don't know. Well, same thing with the auditors If you can't answer their questions, well, they're going to start digging deeper and then they realize wait a minute, you don't have this in place. Why are you not doing this? So it's imperative that you understand the regulations as well as the controls that you are putting in place to manage the risk of these regulations.
Speaker 2:
Okay, so I'm going to go into a couple of controls as it relates to HIPAA data, just to kind of put it in some perspective of what you're dealing with. And these HIPAA the safeguards are designed to protect your PHI data, which again access controls, encryption, audit trails and so forth. So I'm going to get into administrative, physical and technical controls, and these are just a broad brush. I'm not going to go into all the gory details of all of them, I'm just going to kind of touch the highlights so you understand this. So, when you're dealing with administrative controls, what are some administrative controls you have in place as it relates to your PHI? One of the things is do you have a compliance training program in place that you're educating your workforce based on the regulations and the proper handling of PHI? Again, are you following through and teaching your people how to protect it? Now, if your people do bonehead things and they send protected information outbound to someplace else but you've trained them, you've taught them, they've signed off on it it now gets to a position where you have some sort of protection against fines and so forth. Again, not legal advice, I'm just saying giving you some guidance around this.
Speaker 2:
The other one is data access controls. Do you have a need to know principle based on your data and the fact that, okay, sean, I work for a company right now as a contractor, do I have need to know to look at X, y and Z data? No, I don't. So they have a policy in place that says Sean should not look at that data. That's great. You now meet the needs of what the auditors are asking, and you've put in place controls to help protect the data.
Speaker 2:
The bottom line, though, is even have a piece of paper. Are you actually following through and doing that as well? So just that's an important fact. Now you'll have risk assessments and management plans. Are you regularly identifying potential risks and PHI to implement plans to mitigate those risks. So, are you doing an assessment? Are you checking things out to make sure that you're doing it right?
Speaker 2:
I would recommend you may have, depending on your auditors, an annual assessment. That has to occur. Do you have a mitigation and management plan when you find things? Those are just again, basics, right, but if you do the basics well, you'll be in a much better position, especially when you're dealing with one protecting your people's data as well as making sure that the auditors are happy with you. The other one is incident response plan. So do you have an incident response plan in place to help with security breaches and the like?
Speaker 2:
Again, that's an important part too, because so often I see it where people will give this lip service and say, yeah, yeah, we're good, something happens, we're good. Well, but if you don't have a plan and you haven't exercised your plan, you are not good. Don't fool yourself. You are not good and you will get burned and you will wish you had done the plan. Because it's a pain. I guarantee it and I give it. I get it to you, man. It is a pain in the butt to do an assessment and to turn around and do an exercise. It's not easy, and if you hire somebody from the outside like myself, because I'm happy to come help you, if you come, do that, you are going to end up. It takes money, but, boy, if you don't do it, you will wish you did and it'll be the best money you ever spent in the event that there's a bad thing happening. So just keep that in mind.
Speaker 2:
Media disposal do you have? Okay, now we'll get into physical controls. You have secure facilities. You've got to maintain physical security measures to protect your PHI data, as well as important factors around that. It could involve access control systems, security cameras and locked storage cabinets. I've done multiple tests and multiple assessments of facilities and I've had to go through and go. Why is that sitting out? We have a clean desk policy, but yet you're not following it. Those are pieces that you would do from a secure facility standpoint and you'll have your security cameras. Are they on a separate network? Can I gain access to this network? Who has access to this network? All of those factors are an important piece when you're dealing with physical controls. Media disposal you have a secure disposal method for your PHI-containing media, such as shredding paper documents, securely wiping electronic storage devices, etc. Etc. Do you have that built in? Is that something that's available for your people? And again, it's an important factor when you're dealing with physical controls is that all of this stuff is documented and you're following through Technical controls. What are some things of that? And again, these are just a broad brush, just a small smattering of what you need to know. Technical controls you have.
Speaker 2:
Encryption you have. Do you have encryption on the databases where the data is stored? Is you have it encrypted while it's in transit? Now, one thing to consider. Again, this is something you have to consider as a security professional Do you encrypt the traffic from point A to point B? Now, ideally, the book answer says well, yes, you should do that, always. Encrypt all your traffic, all your data and on that side. That's an important factor and I highly recommend that you do that on some very key systems.
Speaker 2:
However, you need to really think hard about when you do this, because the moment that you encrypt data from point A to point B, you now make it invisible for your own people to see if there's data that's leaving the organization. So you want to have a really good architectural plan on how you're going to monitor the data leaving your organization to see if there's any sort of data that could be potentially being exposed. And the moment you encrypt everything, you now have to figure out okay, now I have to decrypt it to be able to see what's inside it. So there's a lot of stuff that goes into that. That's really important. So, again, I think it's something to consider that internal network traffic I'm not a big fan of encrypting at all because I would like to have visibility. There might be some areas where you would want it all encrypted so that no one could ever sniff it again. You need to think about that and know the pros and the cons before you do that.
Speaker 2:
Audit trails you need to have a system of trails and audit trails in place that understand your log access, to include PHI for monitoring and accountability purposes. Now, when you're dealing with the auditing, you need to consider how long do you keep this logs for your auditing methods? Which logs should you keep? That has a whole bunch of hair on it because you're going to have to deal with how. The logs are not cheap, they're very expensive, they're not inexpensive, and so therefore, for you to store them for any significant period of time, it will cost you a lot of money. So you really got to be very judicious on which logs you want to protect, which logs you want to keep, which logs you're required to keep, based on potential regulatory requirements.
Speaker 2:
You may have Firewalls, intrusion detection prevention systems obviously you want to have those in place. Firewalls, intrusion detection prevention systems obviously you want to have those in place. Depending upon if they're virtual or physical boxes. You just need to decide which one is best for you. A lot of times this stuff is built into these new, really Gucci firewalls, so you'll have to decide what is the best architectural layout for your company. But those are things you'll need to consider.
Speaker 2:
And then DLP having some sort of data loss prevention program in place. This would include sharing of PHI data via email, usb drives and other methods. Again, that is also a hairy beast. There's a lot that goes into that. I also provide DLP services for companies if they are listening and they want that. I have to throw out advertisements for me, because I don't put any ads on this thing for anybody else. So if you are interested in a security professional, please come, stop by and visit my website and I will be happy to help you. So sorry, I'm in a different space now I have to kind of do that.
Speaker 2:
So data loss prevention important factor you need to really consider that for your company and, again, depends on your data. You may not if you're just a manufacturing company I said just, I don't mean it that way but if you're just manufacturing widgets and you may not need a lot of this stuff as it relates to that, except for the PHI data and understanding employee data and customer data. The other thing you got to think about is reputational. If, for some reason, you have a small business and your business gets hacked, well now if all your data gets out, how does that affect your reputation? That could be expensive, especially since people are very watched. They've watched very closely to Google type stuff, so there's something really to understand there. Additional considerations you need to think about is your business associate agreements, baas. These are required covered entities such as healthcare providers and health plans. They will have to have BAAs in place that people that handle PHI on their behalf. And then patient rights. You need to have a patient rights specifically to understanding PHI right, medical records and so forth.
Speaker 2:
We talk about proprietary data a lot. I've got a really long history in proprietary data and protecting it, but understand it's the same concept. When you're dealing with PHI, what data is sensitive, what data needs to be protected, and you need to consider that for your organization. Some examples obviously proprietary data. You've got your financial information, mergers and acquisitions, customer lists, marketing plans, r&d All of those things need to be considered as your sensitive data. But you can basically transpose PHI and IP as the same type of product. You want to protect them in many of the similar ways. There may be a few more that you have to do with PHI type data than you would with IP, because when you're dealing with PHI as such a large group of people, such a large group of data, because everybody has some sort of health information, whereas IP data is usually a much smaller subset and not everybody should have access to it at all. So you just need to kind of work through that and figure out what's best for you and your company.
Speaker 2:
Some other protection mechanisms and I will say this really isn't a protection mechanism and people that I've talked to that are in this world have made this comment to me that an NDA, a nondisclosure agreement, yeah, those are only as good as the paper they're written on. Now I say that against some legal people who come back and beat me over the head with a wet noodle and say no, that's not true. And it's true. I mean, yes, you can use the NDA as a way to put fear in people's mind that you're going to come after them, and if you're a corporation that has deep pockets, especially, you can go after them, no doubt about it. But the bottom line is, if the data is already left, the NDA doesn't stop the data from leaving. It just is a mechanism to be able to basically scare them and come back after them. And so I'm saying that, as I've signed NDAs and I will honor them, right, but that doesn't stop the data from leaving. It's more or less an administrative control. Now you also have your DLP solutions that are in place that can block data from leaving. They can also put timers on the data so that when it gets sent out, it's going to get deleted. Just know that data is going to leave your organization. You just have to decide which data do you want to leave, or which data are you willing to let leave, and which data are you not wanting to leave at all? Now we're dealing with data classification schemes.
Speaker 2:
This is where there's various ones that are in place. You have a government side and you have a private sector side. Now, the governmental side I'm just going to use this from a US-based focus. Each country has their own, but from a US-based, you have top secret, secret, confidential, sensitive, but classified and unclassified. Now, each of these has a different bucket, different genre.
Speaker 2:
Top secret obviously everybody knows that's where you have the two keys and the nuclear weapons. That's top secret. Lived in that world. They do not play games. You say something you shouldn't say, you get. Potentially you get let go if you're lucky. If not, you get sent to Leavenworth and break big rocks into little rocks. So you don't mess with top secret. I mean you don't mess with any of them. But secret and top secret you definitely don't mess with. They have bad ramifications that go with it. They're very, very serious about that.
Speaker 2:
So what top secret comes into is it is exceptionally grave damage to national security. Secret is where it's serious damage to national security. So understand those terms. You're going to have to know that for the CISSP it's grave and serious. Those are key terms that you'll see. Confidential, it could cause serious damage to national security. And then you have sensitive but unclassified data. This is where it's sensitive, but it's not formally classified as a secret, top secret or confidential. And then you have unclassified, which basically is no harm. Now, as I break that down, grave, serious, um, what a sensitive data is all right, we lost it. See, I'm reading all this and I can forget. Yeah, so you have serious damage and security, serious damage and security with diplomatic means.
Speaker 2:
Each of these different areas that are broken out. You need to understand what they're asking for in the question for the CISSP. Also, know that each country that you talk about has something very similar. Some will have the language will be very ideal, will be identical, almost in some cases, grave, serious, but they may change it just a little bit. I know China changes it a little bit, but it's very similar wording. Just know that.
Speaker 2:
That is the government classifications. When you're dealing with common classifications in the private sector, that is where you deal with confidential, private, sensitive and public. Now, this does not mean that they're all going to be this way. Your company may come up with A, b, c and D and you go A is our confidential, b is our private, c is our sensitive and D is public. You may do that. You may get this very complicated lettering system. I wouldn't recommend it at all. It'll confuse the dickens out of people. But if you're going to have some sort of common classification you need to make sure that that's defined, people are trained and that people are held to that standard.
Speaker 2:
So confidential obviously is sensitive data critical to the organization's success right, financial loss, reputation, legal issues. That's confidential. Private is basically for internal only use and it could be impacted if disclosed publicly. I personally would not use private for anything. I would either keep it simple. Okay, if you guys are going to make this for your CISO, make this as simple as possible for your people, because the more complex you make it they will goof it up, they'll mess it up and it will go sideways.
Speaker 2:
So if you're going to do all this, you just say confidential and public two things. If you know if it's confidential, it fits in this bucket. If it's public, it can be anything else. If you're going to do this piece Again, you will have to figure that out for your company, what your CEO or your owner wants to do. But know that. Keep it as simple as possible. Sensitive is it's classified compared to public. Data requires some level of protection, ie marketing campaigns, internal training materials, etc. Public is freely available. Minimal harm from disclosure basically emails and so forth that you would consider, eh, not a big deal. Again, I would recommend if you're going to do data classification in a private sector, keep it simple, common, confidential and public. Okay. So now we're just going to do data classification in the private sector. Keep it simple, common, confidential and public. Okay. So now we're just going to quickly roll into this one last thing as it comes down to classification impact under the class system.
Speaker 2:
I know air quotes class. If you go to CISSP Cyber Training, I'll have this video out there. You can watch the video YouTube. It'll be on YouTube as well. You also can go to reducecyberriskcom and check out my consulting website. And if you're ever interested in some training or need some sort of consulting done from a cybersecurity standpoint, I can help you. I can. I've done pretty much most all, not all, not all, definitely not all, but I've done a lot in the cybersecurity space that can provide you a lot of value for you and your company.
Speaker 2:
If you're listening to this, okay, now impact levels. You got class zero to class three. What exactly are those? So these are. It's basically a conceptual understanding of this. I mean, you'll see this in the book, the ISEE Square book, and they've got like this pyramid and they are class zero to class three.
Speaker 2:
Now class zero starts at the bottom. It's the biggest bucket and you can really break this down into the same thing as class zero would be public information. But class zero is data with minimal disruption if compromised, publicly available marketing materials, et cetera. So this is class zero. This is open to the public. Class one this is data that could cause moderate disruption to business or business processes. This would also be something similar to your sensitive data. So you got class zero is your base. That's public. Class one is sensitive. Class two is data with a high impact on mission or business processes if compromised, ie customer financial data, which would be very similar to your private data if you had that. And then class three would be data with severe impact potential to organizational failure if compromised. Now this would be very similar to what you deal with your confidential data. So, again, all we're doing is just modifying words, but realistically, you want it.
Speaker 2:
If you're going to deal with data classification within your organization or you see it on the CISSP exam, there's different types. The class zero, like I said, is your public, class one is your sensitive, class three is your private or class two is your private. Class three is your most secure or most sensitive and that's your confidential. You can flip that into being the same thing, for when you're dealing with the classified aspect of this. You could go sensitive but unclassified is your class zero, your confidential is class one, your secret is class two and then your top secret is class three. They're just doing the different classes so that it gives you different options to understand for your company and as a security professional, which one would be best for you and your organization, because you're going to have to figure out, related to your company, what will your employees understand and deal with this? Actually, I lied to you. I lied. I have a couple other little things I'm just going to quickly go over as we have just a little bit more time.
Speaker 2:
So, some additional considerations as you're dealing with the data. One thing to deal with as it relates to the data is your data ownership and responsibility. Now, this is an important factor is what you need to understand what happens to the data, who owns the data and who is responsible for the data. Now, if you don't define who these people are at the beginning. You need to really put this in the back of your mind, that it has to be done at some point, and I would highly recommend, as you're going through all these classifications, you'd also start picking out owners to ensure that the data is protected, and then you have a very strict, very defined rules, responsibilities and expectations for that management of the data. I mean this in the fact that, if it's a I was at Coke Industries, you know Charles and David Coke. They have some really good principles, some really good stuff. Actually, I took out of that, which was awesome.
Speaker 2:
One of the things that came out of it that was important is that it's called tragedy of the commons. If you don't have an owner for, like, let's just say, your watering hole where everybody goes to get coffee and so forth, your watering hole where everybody goes to get coffee and so forth If there's nobody that owns it, no one will take care of it. The same thing goes with your data. If no one owns the data, if no one's actually defined hey, sean, you own X, it's your baby, you protect it and that way I am responsible for it. If you don't do that, then nobody owns it, and so then it's very easy for the data to just start getting pilfered and sent everywhere. So it's important that you do define ownership and the responsibility. This could be department heads, it personnel, project management whoever doesn't matter. All that matters is that you pick the right person who will manage and protect the data, and I would also recommend you pick a rabid dog, someone who is very on top of things, to own the data, because they'll make sure that you need to understand.
Speaker 2:
When you're creating this, the data, you need to have kind of a path in place. When you're dealing with the security controls, you need to start from creation, storage, use and disposal. That is the life cycle. So, the moment it's created, you now classify the data. Then it's stored. You know that, hey, it's been classified as X, I need to store it as this way. How it's used. You need to decide okay, if I know I classified it as X, I need to store it as this way. How it's used. You need to decide okay, if I know I classified it as X as it's being used, these are the people that can use it. This is the data in transit needs to be protected or not, depending upon your situation and then disposal. What happens at the end of this? Do you do data wiping? Do you physical destruct the devices, the hard drives, whatever that is. So those are different security controls. You physically destruct the devices, the hard drives, whatever that is. So those are different security controls you have from creation, storage, use and disposal.
Speaker 2:
Then there's an emphasis on securing the data at rest. Again, we kind of talked about how data at rest in transit and in use. Now I'll be honest. Well, I'm not being honest. I'm being honest. You know what I really hate it when I say that because it's really being honest. I'm being honest Because if I say I hate it, you know what I really. I hate it when I say that Because it's really not true. So if you say I'm being honest, Well, that means there's times in my life when I'm not being honest. I'm sure there probably are. But anyway, to digress, when you're talking about data at rest, it's very rarely is it ever at rest. I there and wait for someone to touch it. It's usually getting pulled and pinged by somebody, some application, at some point in time. So you really want to have data. Encryption is important, but you're really putting the data encryption on that data specifically, as if somebody actually stole it. That's the real piece, with data at rest, but it's never really truly at rest. Data in transit, obviously, where it's going back and forth across the wire, and then data in use, when it's being implemented and used in the application itself. So those are key pieces of information.
Speaker 2:
Okay, last thing is best practices for data classification. Again, these are just kind of a synopsis of what we've talked about today. Today I went through very fast, very quick, but there's a lot of great information in here, especially one for the CISSP. If you think about it, it again you want to think about the test as a security professional who's been around for a while that understands security. So this is what this is designed for. Second thing you also want to understand is, if you follow what I've just said, you're going to be in a much better position for data security within your organization, wherever that is. And again, I recommend, go to the watch, to CISSP Cyber Training, get the videos, check them out. They will give you a wealth of information outside of the CISSP. Just because I've been there, done that, got the t-shirt trying to pass on some information to you, and you just need to keep that in mind.
Speaker 2:
So best practices develop a data classification policy that aligns with your organizational needs and compliance requirements. Again, what does your company want? What do the governments require? Provides clear and concise data classification guidelines for employees. Again, you got to teach your people, and if you don't teach them right, they will do it wrong. I guarantee you, even if you do teach them right, they'll still do it wrong, but you have a less chance of them doing it more wrong.
Speaker 2:
That's a lot of double negatives in there. You need to train employees on data classification and procedures, as well as their role in data protection. Again, it's everybody's responsibility for data protection. Pass that on to them, make that into your culture. Conduct regular classification reviews. Ensure accuracy and effectiveness. The bottom line on that is just you need to do assessments and make sure that people are doing what you tell them to do, and then make changes based on what you find and then implement automated data classification tools to assist in the process, if possible. Obviously, I'm talking about Microsoft Purview. It has a way to auto-classify, and auto-classification is a really good way to classify the data itself. That works really well, especially if an organization has a lot of moving parts. I'll give you an example where, if you haven't had a data classification plan forever and you have data sprawl that's in all locations within your company an automated data classification process will work really, really well for you. Again, back to the comment we talked about with the generative AI and the recall piece of Microsoft Teams or Copilot. I should say that could really be awesome for data protection, but it also is very creepy and could be scanning everything under the sun, so you want to keep that in the back of your mind as you are going down this path of data protection. Okay, that is all I've got for you today. Again, go to CISSP's cyber training. Go check that out. Go see what's out there and available for you. Also, go to Reduce Cyber Risk.
Speaker 2:
Again, sean Gerber, here I'm offering cybersecurity professional services for companies. I've been doing this for 20 plus years. I've done a lot, from being a red team commander and doing penetration tests all over the globe to being a CISO in a very large multinational that has got intellectual property and you name it. I've dealt with it. So I would say that it's important to protect your company. I can provide those services for you, and so I've got to put a plug out there for me. Sorry, just got to. Anyway, have a wonderful day and you know what? We will catch you on the flip side, see ya.
In reflecting on my own two-decade journey through the trenches of cybersecurity, from orchestrating red team operations to my tenure as a CISO, I share a treasure trove of stories and insights. I delve into the services I offer, all aimed at fortifying your company against the relentless onslaught of digital threats. For aspiring CISSP candidates or seasoned professionals looking to reinforce their cybersecurity posture, this discussion is an opportunity to glean from my experiences and chart a course for a more secure digital horizon.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!