Data Classification, Frameworks and Legal Agreements in Infosec

2019.03.23

Hey! I'm aware that this post may not be for everyone. I write this in hopes that anyone reading it understands the difference between the different data classifications, and understands the severity of losing even one record, let alone thousands. If at least one person encounters it and learns, then I'll be happy.
I've structured this by first defining the classifications, then explaining the frameworks that help ensure the proper controls are in place to safeguard this information, and then the legal agreements. Per usual, I'll TRY to keep this post brief and sweet. :)

Data Classifications


This is where people get lost. They tend to clump these all together, and while it's true that this information is important, the categories are not treated equally. A good way to find out a piece of data's classification is to ask the questions I've paired with each one.

PII
Personally Identifiable Information
- Can a stranger find out who I am with this info?
- Can they figure out my location with this info?

PCI
Payment Card Industry
- Could a stranger make a purchase with this information?
- Would I be out of a debit/credit card if this information got in the wrong hands?

PHI
Personal Health Information
- Can they identify my ethnicity or demographic?
- Can someone determine my illnesses or lab tests I recently had?
- Can they find out my insurance, or mental health state/condition?

HIPAA
Health Insurance Portability and Accountability Act
- If an insurance company had this info, would it incentivize them to up-charge me on my insurance plan?
- If they knew I had (diabetes/cancer/chronic illness/etc.), would they classify me as a higher risk on their insurance plan and charge me more?
This generally entails PHI being handled. HIPAA is an Act that limits the types of PHI that health providers and insurers collect from you, and who they share that information with, for the very reasons behind the questions I posed.

FERPA
Family Educational Rights and Privacy Act
- Could a stranger pull records from my (school/college/university) and find out the following:
  - Student organizations I am a part of
  - Grades I received
  - My class schedule and location
- These records will also include PHI
This list may not be all inclusive, but you will gain a general understanding.
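To show how those questions turn into an automated check, here is a small classifier I wrote for this post (example code, not part of the original post or any product). The field names, regexes and sample records are my own assumptions for the demo; the Luhn checksum is what separates a real card number (PCI) from any other 16-digit string such as an order id.

```python
import re
from typing import Dict, Set

# Field-name hints written for this example from the post's questions; not an official list.
FIELD_HINTS = {
    "PII": {"name", "address", "phone", "email", "dob", "ssn"},
    "PCI": {"card_number", "pan", "cvv", "expiry"},
    "PHI": {"diagnosis", "lab_result", "prescription", "insurance_member_id"},
    "FERPA": {"student_id", "grades", "gpa", "class_schedule", "student_org"},
}
# Content patterns (also constructed for the demo; production DLP rules are far broader).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PAN_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: tells a real card number apart from any other long digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> Set[str]:
    """Content checks: what could a stranger do with this value on its own?"""
    found: Set[str] = set()
    if SSN_RE.search(value) or EMAIL_RE.search(value):
        found.add("PII")
    for m in PAN_CANDIDATE_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):  # a Luhn failure (e.g. an order id) is not PCI data
            found.add("PCI")
    return found


def classify_record(record: Dict[str, str]) -> Set[str]:
    """Union of field-name hints and content checks across every field of one record."""
    found: Set[str] = set()
    for field, value in record.items():
        for cls, hints in FIELD_HINTS.items():
            if field.lower() in hints:
                found.add(cls)
        found |= classify_value(str(value))
    return found


if __name__ == "__main__":
    sample = {"name": "Jane Doe", "notes": "card 4111 1111 1111 1111 on file"}  # constructed
    print(sorted(classify_record(sample)))  # ['PCI', 'PII']
```

A record that hits several classes must be handled under the strictest of them; note that a free-text "notes" field can carry PCI data even when no field is named for it.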


Frameworks


Frameworks are a tool companies/organizations are expected to use to safeguard information and minimize cyber security risk. Risk can only be reduced, never eliminated. Similar to the risk associated with driving a car: you can be a safe driver, but the risk of a car accident is always present, so you need to pay attention and do your best while driving.

NIST
National Institute of Standards and Technology
This framework is voluntary, and the organization safeguards its information by continuing to use existing standards and guidelines already in place.

PCI DSS
Payment Card Industry Data Security Standard
This framework is for PCI data. It is mandated by the card brands and enforced by the Payment Card Industry Security Standards Council, which consists of companies such as American Express, Discover Financial Services, JCB International, MasterCard, and Visa.

ISO 27001/27002
Information security management systems
This framework is the best-known standard for specifying the hard requirements of an information security management system. It helps small, medium and large businesses in any sector keep their information assets secure.

CIS
Critical Security Controls
Much like the previous one, except this one prioritizes which changes will have the most impact, referencing the common attacks found in industry reports. A consensus between the infosec community and government drives these recommendations.


Legal Agreements


MOU/MOA
Memorandum of Understanding / Memorandum of Agreement
A formal but not legally binding agreement between two companies/orgs.

NDA
Non-disclosure agreement
A legal contract between two companies/orgs stating that information must be restricted and not shared unless otherwise stated in the agreement.

SLA
Service Level Agreement
A contract between a service provider and the company/org/person using the service; it states the level of service that's expected from the service provider.

ISA
Interconnection Security Agreement
An agreement established between orgs that own and operate IT systems being connected; they are expected to document the connection at a very high level as well as at a very technical level.

BPA
Business Partner Agreement
A pretty standard legal agreement between partners where they state their terms and conditions and the expected relationship.

YAY, you made it to the end! You go, Glen Coco! Hope you learned something. Terminology can be tedious, but it's very important, and even more so if you need to convey it to others.

Anyways, until next time! Peace and happy securing! :)
