Assuming the Environment is Compromised
Begin Blog: 2:44pm EST, Shutting down Windows Server 2008, R2
I was asked today, “How can Data Classification help?” Hmm, this is such a broad question, so I decided to approach how this program can help with the incident response processes. I began by saying:
There is an ultimate approach: discovering and protecting the data. The best approach for organizations is to stop trying to secure and harden every end-point and device, and instead to assume that every end-point and device, and your data, is already compromised. The premise, therefore, should be to find your data and secure it, or validate that it is even needed, and to tailor your resources and monitoring efforts to ensuring that sensitive and valuable data is safe. The bottom line: stop running around trying to secure and contain systems and networks that should not even have valuable data on them. The solution should be to get rid of data where it is not needed and reduce the scope of data.
Is this even obtainable? This will involve philosophy and policy acceptance and most likely a huge cultural change. Additionally, this is a process and a program, not a technology solution. This is tough stuff, but the question was asked so I know it’s on people’s minds…
Begin to Make Sense of Your Data
Start to organize and understand your data; a simple data analysis flow chart can help you get started:
Introduce Impact and Categorization
The severity of an information security incident is based on the potential negative impact it has on the Company. The criticality of a resource is based primarily on what data it stores or transmits, as well as on its services, users, trust relationships, and interdependencies with other resources that may be critical.
The Company should adopt a common set of terms and relationships between those terms in order to clearly communicate and begin to classify data types that will be integrated into the response plan. By classifying data, the Company can prepare generally to identify the risk and impact of an incident based upon what type of data is involved.
Therefore, the incident classifications give a basis for determining the impact based upon the level and type of access to data – this is important to understand. Together, data classification and the level of access to data sets drive the business impact; the business impact will THEN determine the response, escalation and notifications of incidents. Let us recap: begin to incorporate data classification into your Incident Response Plan in order to define incident impact and how/when to notify and escalate incidents. The first figure displays how level of access by data classification can help you determine the impact of an incident:
The next figure displays how the impact of an incident can help determine how notification and escalation processes will be handled:
Yes, these are basic examples to help you understand the process and integration, but we have seen this is simply not implemented within many organizations. So, I was asked today, “How can Data Classification help?” Hopefully I also answered, “Why is Data Classification important?”
End Blog: 02:52pm EST: Time elapsed, 8 minutes, Winner: Windows by a noZzzze