Information of different types needs to be secured in different ways. Therefore a classification system is needed, whereby information is classified, a policy is laid down on how to handle information according to its class, and security mechanisms are enforced accordingly on the systems handling that information.
In the coming sections, classes for information availability and sensitivity are proposed; requirements for systems based on these classes are proposed in chapter 5.
Here a classification system is proposed which has four availability classes. It is based on the author's experience, as no equivalent standards are available for reference.
To improve availability, preventative measures reduce the probability of downtime and recovery measures reduce the downtime after an incident.
Class | ||||
Maximum allowed Server downtime, per event | 1 Week | 1 Day | 1 Hour | 1 Hour |
On which Days? | Mon-Fri | Mon-Fri | Mon-Fri | 7 Days |
During what hours? | 07:00-18:00 | 24h | ||
Expected availability percentage | 80% | 95% | 99.5% | 99.9% |
==> expected max. downtime | = 1 day/week | = 2 hours/week | = 20 min./week | = 12 min./month |
A classification system is proposed which classifies information / processes into four levels. The lowest is the least sensitive and the highest is for the most important information / processes.
Once the data on a system has been classified to one of the following levels, then that system should be installed to conform to all directives for that class and classes below. Each level is a superset of the previous level. For example, if a system is classified as class , then the system must follow the directives of class , and .
If a system contains data of more than one sensitivity class, it must be classified according to the class needed for the most confidential data on the system.
Data on these systems could be made public without any implications for the company (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable danger.
Examples: Test services without confidential data, certain public information services, product brochures widely distributed, data available in the public domain anyway.
External access to this data is to be prevented, but should this data become public, the consequences are not critical (e.g. the company may be publicly embarrassed). Internal access is selective. Data integrity is important but not vital.
Examples of this type of data are found in development groups (where no live data is present), certain production public services, certain Customer Data, "normal" working documents and project/meeting protocols, Telephone books.
Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorised persons, it could influence the company's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital.
Examples: Datacenters normally maintain this level of security. Salaries, Personnel data, Accounting data, passwords, information on corporate security weaknesses, very confidential customer data and confidential contracts.
Unauthorised external or internal access to this data would be critical to the company. Data integrity is vital. The number of people with access to this data should be very small. Very strict rules must be adhered to in the usage of this data.
Examples: Military data, secret contracts.