WEBVTT

1
00:00:00.000 --> 00:00:01.230
In this lesson,

2
00:00:01.230 --> 00:00:04.200
we will learn about data classification.

3
00:00:04.200 --> 00:00:08.070
Data classification is the process of organizing data

4
00:00:08.070 --> 00:00:12.450
into categories based on its sensitivity, value,

5
00:00:12.450 --> 00:00:15.900
or in response to regulatory requirements.

6
00:00:15.900 --> 00:00:18.690
A data classification determines the level

7
00:00:18.690 --> 00:00:22.050
of security controls and handling procedures

8
00:00:22.050 --> 00:00:24.270
that will be applied to it.

9
00:00:24.270 --> 00:00:27.210
Data classification models are frameworks

10
00:00:27.210 --> 00:00:30.360
or methodologies used to categorize data

11
00:00:30.360 --> 00:00:34.800
into levels or types based on sensitivity.

12
00:00:34.800 --> 00:00:38.880
Classification models used categories such as public,

13
00:00:38.880 --> 00:00:42.000
internal, confidential, or restricted.

14
00:00:42.000 --> 00:00:45.150
Each level dictates the security measures required

15
00:00:45.150 --> 00:00:47.580
to protect that level of data.

16
00:00:47.580 --> 00:00:51.390
Data classification occurs during the data creation stage

17
00:00:51.390 --> 00:00:53.010
of the data lifecycle,

18
00:00:53.010 --> 00:00:56.400
and is the process of a applying confidentiality

19
00:00:56.400 --> 00:01:00.420
and privacy labels to a given piece of information.

20
00:01:00.420 --> 00:01:04.530
I personally find that the best way to think about this

21
00:01:04.530 --> 00:01:07.440
is if you think of any kind of military movie

22
00:01:07.440 --> 00:01:11.010
or spy movie that you might have watched in the past.

23
00:01:11.010 --> 00:01:14.550
In a movie, somebody might have a folder,

24
00:01:14.550 --> 00:01:16.920
and on the outside of that folder

25
00:01:16.920 --> 00:01:19.800
you might see a label such as top secret.

26
00:01:19.800 --> 00:01:21.330
This classification level

27
00:01:21.330 --> 00:01:24.150
indicates the contents of that folder

28
00:01:24.150 --> 00:01:26.370
contain top secret information,

29
00:01:26.370 --> 00:01:28.800
and therefore it needs to be protected

30
00:01:28.800 --> 00:01:31.050
using certain types of controls

31
00:01:31.050 --> 00:01:33.810
to keep it safe from prying eyes.

32
00:01:33.810 --> 00:01:37.920
Now, within our networks, the same thing happens,

33
00:01:37.920 --> 00:01:41.070
but our networks use electronic mechanisms

34
00:01:41.070 --> 00:01:43.350
to classify and label data.

35
00:01:43.350 --> 00:01:46.830
Different classification models can be used to do this

36
00:01:46.830 --> 00:01:48.990
depending on the type of network

37
00:01:48.990 --> 00:01:52.110
and the way in which the network is organized.

38
00:01:52.110 --> 00:01:53.880
The most common model used

39
00:01:53.880 --> 00:01:57.090
is the government or military classification model.

40
00:01:57.090 --> 00:01:59.610
It utilizes the classification labels

41
00:01:59.610 --> 00:02:03.330
of unclassified, confidential, secret,

42
00:02:03.330 --> 00:02:05.370
and top secret.

43
00:02:05.370 --> 00:02:06.990
The unclassified label

44
00:02:06.990 --> 00:02:09.360
indicates that there are no restrictions

45
00:02:09.360 --> 00:02:11.070
on viewing that data,

46
00:02:11.070 --> 00:02:14.460
and it presents no risk to our organization

47
00:02:14.460 --> 00:02:16.980
if the information is disclosed.

48
00:02:16.980 --> 00:02:20.130
For example, many army field manuals

49
00:02:20.130 --> 00:02:23.250
are categorized as unclassified information.

50
00:02:23.250 --> 00:02:27.150
This means that anyone can go to the website, download it,

51
00:02:27.150 --> 00:02:31.170
and read and learn about how the army does its business.

52
00:02:31.170 --> 00:02:33.930
The lowest level of classified and protected data

53
00:02:33.930 --> 00:02:38.010
in the military model is confidential classification.

54
00:02:38.010 --> 00:02:40.410
Confidential data should only be viewed

55
00:02:40.410 --> 00:02:43.530
by authorized people within the organization,

56
00:02:43.530 --> 00:02:47.400
or possibly those who are trusted under an NDA,

57
00:02:47.400 --> 00:02:49.620
or non-disclosure agreement.

58
00:02:49.620 --> 00:02:53.370
For example, the position of a navy ship in the ocean

59
00:02:53.370 --> 00:02:55.890
may be classified as confidential,

60
00:02:55.890 --> 00:02:58.350
meaning only certain people can be told

61
00:02:58.350 --> 00:03:00.390
where that ship located.

62
00:03:00.390 --> 00:03:03.870
The next level of classified data is secret.

63
00:03:03.870 --> 00:03:07.380
Secret information or data is valuable.

64
00:03:07.380 --> 00:03:09.870
The restrictions on this data are stricter

65
00:03:09.870 --> 00:03:11.880
than for confidential data.

66
00:03:11.880 --> 00:03:14.220
In the U.S. military, for example,

67
00:03:14.220 --> 00:03:16.620
secret information can only be viewed

68
00:03:16.620 --> 00:03:19.320
by people who are authorized to view it,

69
00:03:19.320 --> 00:03:22.260
and they can only view it in certain buildings

70
00:03:22.260 --> 00:03:24.810
or by using a specific network

71
00:03:24.810 --> 00:03:28.470
known as the Secret Internet Protocol Router Network,

72
00:03:28.470 --> 00:03:29.940
or SIPRNet.

73
00:03:29.940 --> 00:03:32.790
SIPRNet is used to view, process,

74
00:03:32.790 --> 00:03:35.010
and store secret information,

75
00:03:35.010 --> 00:03:38.190
and it's not even connected to the regular internet.

76
00:03:38.190 --> 00:03:39.900
This is because the internet

77
00:03:39.900 --> 00:03:43.350
is considered to be unclassified and untrusted,

78
00:03:43.350 --> 00:03:47.100
and we don't want secret data to get onto the internet.

79
00:03:47.100 --> 00:03:51.270
Therefore, the secret network has more protections in place,

80
00:03:51.270 --> 00:03:53.880
such as higher levels of encryption.

81
00:03:53.880 --> 00:03:55.980
And while it costs more to build

82
00:03:55.980 --> 00:03:58.110
and operate the secret networks,

83
00:03:58.110 --> 00:04:01.440
the data being stored on them is very valuable,

84
00:04:01.440 --> 00:04:05.520
so it's worth spending that additional money to protect it.

85
00:04:05.520 --> 00:04:07.170
The highest level of security

86
00:04:07.170 --> 00:04:11.340
in the government or military model is known as top secret.

87
00:04:11.340 --> 00:04:14.850
If top secret information or data is disclosed,

88
00:04:14.850 --> 00:04:16.530
it would cause grave danger

89
00:04:16.530 --> 00:04:19.950
or have grave consequences to the organization.

90
00:04:19.950 --> 00:04:22.290
Again, let's consider the military

91
00:04:22.290 --> 00:04:26.010
and see how different types of information might be used.

92
00:04:26.010 --> 00:04:30.180
Let's imagine we work for a top secret military organization

93
00:04:30.180 --> 00:04:33.120
that's responsible for finding a malicious hacker

94
00:04:33.120 --> 00:04:35.340
located somewhere in the world.

95
00:04:35.340 --> 00:04:38.880
The sources and methods used to find that hacker

96
00:04:38.880 --> 00:04:41.640
would likely be considered top secret.

97
00:04:41.640 --> 00:04:45.090
If hackers knew about the sources or methods being used,

98
00:04:45.090 --> 00:04:48.030
it would be easier for them to evade detection.

99
00:04:48.030 --> 00:04:49.680
This would allow a hacker

100
00:04:49.680 --> 00:04:52.320
to continue attacking military systems,

101
00:04:52.320 --> 00:04:55.230
which poses a grave danger to the military

102
00:04:55.230 --> 00:04:56.580
and to the country.

103
00:04:56.580 --> 00:04:59.700
But once we find out where that hacker is,

104
00:04:59.700 --> 00:05:01.860
we need to get the location to soldiers

105
00:05:01.860 --> 00:05:03.630
who can go and capture them.

106
00:05:03.630 --> 00:05:04.710
At this point,

107
00:05:04.710 --> 00:05:08.160
the soldiers have a need to know where the hacker is,

108
00:05:08.160 --> 00:05:10.500
but they don't necessarily need to know

109
00:05:10.500 --> 00:05:14.400
the sources and methods that were used to find that hacker.

110
00:05:14.400 --> 00:05:16.740
So while the sources and methods

111
00:05:16.740 --> 00:05:19.860
used to find the hacker might remain top secret,

112
00:05:19.860 --> 00:05:22.530
the hacker's actual GPS location

113
00:05:22.530 --> 00:05:24.990
may only be classified as secret.

114
00:05:24.990 --> 00:05:27.210
This lower classification level

115
00:05:27.210 --> 00:05:29.910
allows us to give the location to the soldiers

116
00:05:29.910 --> 00:05:32.760
who are going to go and perform the mission.

117
00:05:32.760 --> 00:05:35.280
So different pieces of information

118
00:05:35.280 --> 00:05:39.180
can be protected in different ways and at different times.

119
00:05:39.180 --> 00:05:42.030
Usually, in the government or military system,

120
00:05:42.030 --> 00:05:45.600
there will be separate networks for classification levels.

121
00:05:45.600 --> 00:05:47.550
So it's typical for people

122
00:05:47.550 --> 00:05:50.070
to have multiple computers at their desk,

123
00:05:50.070 --> 00:05:52.694
one for each level of classification they need access to.

124
00:05:52.694 --> 00:05:55.894
They might have one for unclassified things,

125
00:05:55.894 --> 00:05:58.770
like email and searching the internet,

126
00:05:58.770 --> 00:06:01.530
a second one for working on secret data,

127
00:06:01.530 --> 00:06:04.680
and a third one for working on top secret data.

128
00:06:04.680 --> 00:06:07.260
This provides physical separation

129
00:06:07.260 --> 00:06:09.990
among the three data classifications

130
00:06:09.990 --> 00:06:12.690
and allows each network to be protected

131
00:06:12.690 --> 00:06:14.700
with the appropriate controls

132
00:06:14.700 --> 00:06:17.790
based on the classification of that data.

133
00:06:17.790 --> 00:06:21.120
Different industries have different classification models.

134
00:06:21.120 --> 00:06:23.460
So if you work in the commercial sector,

135
00:06:23.460 --> 00:06:26.880
at a bank, at a college, or at a hospital,

136
00:06:26.880 --> 00:06:29.910
you might see the information labeled differently.

137
00:06:29.910 --> 00:06:32.400
Commercial and business classification models

138
00:06:32.400 --> 00:06:36.960
often use labels like public, private, internal, restricted,

139
00:06:36.960 --> 00:06:38.640
and confidential.

140
00:06:38.640 --> 00:06:41.010
This system is a bit simpler to use

141
00:06:41.010 --> 00:06:43.680
because unlike the military system,

142
00:06:43.680 --> 00:06:46.650
most of these organizations are still going to rely

143
00:06:46.650 --> 00:06:50.670
on a single computer network that handles all of the data

144
00:06:50.670 --> 00:06:53.190
regardless of its classification.

145
00:06:53.190 --> 00:06:54.900
Business systems tend to rely

146
00:06:54.900 --> 00:06:57.810
on logical isolations and protections

147
00:06:57.810 --> 00:07:01.410
instead of physical separations and protections.

148
00:07:01.410 --> 00:07:04.920
For example, in the commercial or business model,

149
00:07:04.920 --> 00:07:08.340
restricted or confidential data may use different

150
00:07:08.340 --> 00:07:12.777
or higher levels of encryption for private or internal data.

151
00:07:12.777 --> 00:07:16.020
The system for restricted data may be configured

152
00:07:16.020 --> 00:07:18.690
using different types of access control rights

153
00:07:18.690 --> 00:07:20.940
than for other classification levels.

154
00:07:20.940 --> 00:07:24.360
All of this depends on how an organization wants to set up

155
00:07:24.360 --> 00:07:26.580
with their classification levels.

156
00:07:26.580 --> 00:07:27.930
For many businesses,

157
00:07:27.930 --> 00:07:31.050
there's no mandated standard of classification

158
00:07:31.050 --> 00:07:32.790
or standards of protection.

159
00:07:32.790 --> 00:07:35.910
However, there are some commercial organizations

160
00:07:35.910 --> 00:07:38.032
that are going to be directed by law

161
00:07:38.032 --> 00:07:40.590
to protect data in a certain way.

162
00:07:40.590 --> 00:07:44.070
For example, healthcare organizations in the United States,

163
00:07:44.070 --> 00:07:46.800
such as hospitals or insurance companies,

164
00:07:46.800 --> 00:07:50.100
are legally required to handle certain types of data,

165
00:07:50.100 --> 00:07:53.280
like Protected Health Information or PHA,

166
00:07:53.280 --> 00:07:57.120
in specific ways under the Health Insurance Portability

167
00:07:57.120 --> 00:07:59.580
and Accountability Act, or HIPAA.

168
00:07:59.580 --> 00:08:03.394
So remember, data classification is the process

169
00:08:03.394 --> 00:08:08.394
of categorizing information based on its sensitivity, value,

170
00:08:08.580 --> 00:08:10.800
or regulatory requirements.

171
00:08:10.800 --> 00:08:13.470
The classification level assigned to data

172
00:08:13.470 --> 00:08:16.980
determines how it should be handled and secured.

173
00:08:16.980 --> 00:08:20.910
Different organizations use various classification models,

174
00:08:20.910 --> 00:08:23.970
with the government or military and commercial

175
00:08:23.970 --> 00:08:26.880
or business models being the most common.

176
00:08:26.880 --> 00:08:29.700
The government or military model includes levels

177
00:08:29.700 --> 00:08:34.700
such as unclassified, confidential, secret, and top secret,

178
00:08:35.220 --> 00:08:38.280
with stricter controls for more sensitive data.

179
00:08:38.280 --> 00:08:40.350
In the commercial or business model,

180
00:08:40.350 --> 00:08:44.400
data is labeled as public, private, internal, restricted,

181
00:08:44.400 --> 00:08:45.720
or confidential,

182
00:08:45.720 --> 00:08:47.820
and the security measures applied here

183
00:08:47.820 --> 00:08:51.213
may vary depending upon the classification level.