Data Classification White Paper

STATE OF OHIO DATA CLASSIFICATION White Paper IT Security Series June 2007DATA CLASSIFICATION White Paper Page i IT Security Series Contents Purpose and Scope.................................................................................................................. 1 Introduction............................................................................................................................. 1 Technical Discussion .............................................................................................................. 1 Data Classification Labels................................................................................................... 1 Labels Required by Law ..................................................................................................... 3 Classification Methodology ................................................................................................. 3 Data Ownership .................................................................................................................. 4 Education and Awareness .................................................................................................. 5 Legal Review...................................................................................................................... 5 List of Tables Table B.11-1. Confidentiality Labels ......................................................................................... 2 Table B.11-2. Criticality Levels .................................................................................................. 2 DATA CLASSIFICATION White Paper IT Security Series Page 1 Purpose and Scope This white paper is intended to be an accompaniment to Ohio IT Policy ITP-B.11, “Data Classification.” Ohio IT Policy ITP-B.11 provides overall guidance and standards for the classification of data and information at the agency level. This IT white paper is designed to provide a deeper understanding of Ohio IT Policy ITP-B.11 and provide strategies that may assist state of Ohio personnel who may be responsible for developing, implementing, or reviewing information security policies related to data classification. Introduction The information technology we use, administer, maintain and manage on a daily basis is an investment by Ohio to facilitate the gathering, processing, storing and brokering of data or information. Some of the information we deal with is publicly accessible and there are few or no restrictions on who may have access to it. A good example of this would be information regarding state tourist attractions that is available on the Ohio Web site. On the other hand, some of the information we deal with is not and should not be publicly available because if disclosed it would bring about adverse or negative consequences. For this reason, the state mandates that agencies classify or label all of their data and develop internal programs and practices to govern the appropriate access levels and protections for the data. Technical Discussion As we have said, the process of assigning an appropriate level of sensitivity to data is called data classification. The state of Ohio mandates that each agency develop policies and practices to classify the data it is responsible for and at the same time function as the classification authority for this data and information. The term classification authority refers to the individual or group within an organization responsible for determining, within the context of their specific agency classification policy, appropriate levels of classification for their data and appropriate access associated with this data or information. Data Classification Labels The various levels of classification that classification authorities apply to data are referred to as classification labels. The level of classification that is applied to a particular set of data or item of information should be dependent upon the results of the agency’s risk assessment as outlined in Ohio IT Policy ITP-B.1, “Information Security Framework.” Additional information on the risk management process can also be found in the IT white paper, Information Security Framework. The risk assessment process will develop relative values and loss-impacts that allow the classification authority to determine the appropriate classification label and level of security to apply to a specific data element. Classification labels can be divided into two categories – confidentiality and criticality. Confidentiality refers to the sensitivity of data or information as it relates to its inappropriate disclosure. The State of Ohio has three levels of classification related to confidentiality: Public, Limited Access and Restricted. Criticality refers to the relative importance, as determined by risk DATA CLASSIFICATION White Paper IT Security Series Page 2 assessment, for a given set of data or information to maintain integrity and availability. Ohio uses four levels of criticality for the classification of data: Low, Medium, High and Very High. Tables B.11-1 and B.11-2 summarize the confidentiality labels as well as criticality levels. The definitions are taken directly from Ohio IT Policy ITP-B.11, “Data Classification.” Confidentiality Public Includes information that must be released under Ohio public records law or instances where an agency unconditionally waives an exception to the public records law. Limited Access Applies to information that an agency may release if it chooses to waive an exception to the public records law and places conditions or limitations on such a release. Restricted Applies to information, the release of which is prohibited by state or federal law. This label also applies to records that an agency has discretion to release under public records law exceptions but has chosen to treat the information as highly confidential. Table B.11-1. Confidentiality Labels (1) Criticality Low The loss of data integrity or availability would result in insignificant or no financial loss, legal liability, public distrust or harm to public health and welfare. Medium The loss of data integrity or availability would result in limited financial loss, legal liability, public distrust or harm to public health and welfare. High The loss of data integrity or availability would result in significant financial loss, legal liability, public distrust or harm to public health and welfare. Very High The loss of data integrity or availability would result in catastrophic financial loss, legal liability, public distrust or harm to public health and welfare. Table B.11-2. Criticality Levels (1) (1) Definitions of confidentiality and criticality are taken directly from Ohio IT Policy ITP-B.11, “Data Classification.” DATA CLASSIFICATION White Paper IT Security Series Page 3 Referring to the definitions associated with criticality as provided in Table B.11-2, note the common consequences that exist among the criticality labels: “Financial Loss,” “Legal Liability,” “Public Distrust,” or “Harm to Public Health or Welfare.” The criticality label is assigned based upon the consequences associated with the inappropriate disclosure or loss of the data in question. Labels Required by Law Beyond the classification labels outlined in Table B.11-1, there may be instances where data or information that we are responsible for may also be subject to other Ohio classification requirements or perhaps even federal security and classification requirements. A hypothetical example concerns data that may be stored and processed by the Ohio Department of Health (ODH). The ODH must deal with privacy issues related to Title II of the Health Insurance Portability and Accountability Act (HIPAA), which among other things levies requirements on health care providers to protect the privacy of individuals’ health-related information. Specifically, the “Security Rule” portion of HIPAA addresses electronically protected health information (EPHI) and carries monetary penalties for breaches of privacy in the electronic transmission of health care information. In this case, the ODH classification authority would apply internal labels as appropriate and then apply the EPHI label. Classification Methodology Each agency must develop a classification process or methodology that is compatible with and addresses the needs of its’ own unique business model. The state provides guidance to agencies in developing a classification methodology in Ohio IT Policy ITP-B.11, “Data Classification,” regarding key steps to be addressed. These are: 1. When developing the agency classification methodology, it is very important for the classification authority to consider any “external” regulations or laws that may exist outside their specific agency but that may still be applicable to their internal data and impose restrictions on its use. In that context, it would be advisable to research Ohio and federal statutes that may be applicable to the agency’s internal data. 2. In order to be consistent and avoid erroneous classifications, each agency must develop as a part of the classification process, a standard “decision-making process” or approach to determining the correct labels to be applied. There are tools available that assist in maintaining the standardization of this process (e.g., Kazeon Systems, Njini, Scentric, StoredIQ, Trusted Edge, etc.), but experience has shown that a “subjective” component to the classification process is important, too. The classification authority should always review the output of the automated tools to be sure there are no external or subjective factors that were not considered in the process. 3. Ohio IT Policy ITP-B.1, “Information Security Framework,” outlines at a high level, the life cycle elements of data: creation, access, storage, modification, retention, archive, disposal, and distribution. As part of an agency data classification methodology, a process should be developed and documented to address data maintenance guidelines for every phase of the data life cycle based on the assigned classification label. 4. The agency must also ensure that the appropriateness of assigned data classifications is regularly reviewed. If necessary, data classification labels should be adjusted. Agencies DATA CLASSIFICATION White Paper IT Security Series Page 4 often face regulatory changes which could have a direct impact on assigned data classifications. Data Ownership As we noted earlier, Ohio IT Policy ITP-B.11, “Data Classification,” requires each agency to function as a classification authority for the data and information it collects or maintains. In many cases, the ultimate decision of labels rests with one person who is sometimes, the security point of contact for the agency or perhaps the chief information officer or as is the case with some businesses, it may be a designated person from within the legal or contract departments. In larger agencies the function of data classification and label assignment might be delegated to various individuals from the departments or business areas within the organization. These individuals are designated as the information owners for their respective data. As such, they are responsible for all aspects of data classification to include: • Assignment of Data Classification Labels – The data owner is responsible for assigning data classification labels using the methodologies described earlier in this document. • Data Compilation – When multiple elements of data, classified at varying levels are brought together in a data set to create information, the data owner must examine each data element and ensure that the data is classified at the level of the most secure data element in the set. For instance, if one data element is classified as limited access/low and another is classified as restricted/high, the data set must be classified as restricted/high and secured accordingly. • Coordinate Data Classification – In order to be consistent and avoid erroneous classifications, each agency must develop as a part of the classification process, a standard “decision-making process” or approach to determining the correct labels to be applied. The data owner is responsible for ensuing that this process is extended to verifying that any data or information shared with an external agency or department is classified using a similar classification methodology. This avoids unintentional disclosure due to the transfer of data or information classified at a high label to an agency using different classification criteria resulting in a lower label. • Data Classification Compliance – Data owners in conjunction with IT personnel need to ensure that confidential information or information that could be used to directly or indirectly identify a particular individual is protected. The HIPAA example is appropriate in this case as it demonstrates the need for the data owner to consider any external laws or regulations that may impose additional classification requirements on confidential data. • Downloading Data – The data owner is also responsible for establishing classification criteria that define any restrictions on the downloading of or remote access to specific data or information for which the owner is responsible. This is normally done in conjunction with the IT and/or security operations staff so that they may configure the security and other elements of the agency infrastructure to assist in preventing unauthorized access to the data or information. Additional information on remote access can be found in Ohio IT Policy ITP-B.5, “Remote Access Security,” and the IT white paper, Remote Access Security. DATA CLASSIFICATION White Paper IT Security Series Page 5 • Data Access – Data owners, as a part of their classification methodology, should work with the agency IT staff to develop access criteria and guidelines for each classification label or level. This simply means that as the labels move from public/low toward restricted/very high, the requirements for accessing the data also increase. An example of this would be that access to information classified as public/low might require no authentication at all as it may be displayed to anyone on a public Web site. Data classified as limited access/low may require a log-in/password combination for access while the limited access/medium might require a security token in addition to the logiinpassword combination. In the case of restricted/very high, a third authentication factor such as a fingerprint or retinal scan might be required in addition to the log-in/password combination and security token. Additional information on access control and multi-factor authentication can be found in the following IT white papers, Information Security Framework, Password and PIN Security, and Remote Access Security. Education and Awareness Upon completion of the classification methodology the data owners and other responsible members of the classification authority should ensure that data classification education and awareness is included in the agency security management plan as well as the internal security education and awareness program. This ensures that not only the data owners, management and IT staff are aware and understand the agency classification methodology and label structure, but all the end users as well. This helps to promote a “culture of security” throughout the organization and helps prevent unwanted disclosures. Some key elements to address for education and awareness are: • The methodology for identifying and assigning data classification labels and any additional guidelines for state and or federal data. • Guidelines related to the distribution and disclosure of written or electronic data. • Any reporting requirements for theft, disclosure, accidental disclosure, or unauthorized modification of data or information. • The specific impact or risk to the organization in the event of data loss, disclosure, release or unauthorized modification. Legal Review It is important to remember that as we develop agency methodologies and policies related to data classification and data labels that it is always appropriate and indeed necessary to have agency legal counsel review these. This helps ensure that the agency is in compliance with all internal, state and federal rules and regulations related to the collection, use, release, access, retention and disposal of state data.