cleaning up Sparks

Richard Kranendonk 2026-05-14 16:57:06 +02:00
parent b8d1d4e02f
commit 704e6dd07f
162 changed files with 393 additions and 1041 deletions


@ -0,0 +1,64 @@
# Data Classification
**Definition:**
"A *data classification* identifies the value of the data to the organization. Classification labels, the method by which they are assigned, and the required protection associated with the different labels, are identified in a policy."
Source: [CISSP_OSG_Chapter_5](../../../Standards/CISSP/CISSP_OSG_Chapter_5.md#Defining%20data%20Classifications)
Classification criteria should be risk based, for instance on potential damage to the organization, the privacy of individuals, national security, economic interests, or other critical concerns.
## Examples from SANS forum
Source: https://sth-community.sans.org/t/y4yt81n
Retrieved: 2 september 2024
Public
Internal
Confidential
1. No risk - Open
2. Some risk - Internal
3. Significant risk - Confidential
4. Unrestricted
5. Restricted-External
6. Restricted-Internal
7. Confidential
- Public
- Internal
- Confidential
- Restricted
Restricted, Confidential, Internal Use, and Public
We have Confidential Information (CI) and Personal Information (PI). Both CI and PI are categorized as Red, Orange and Yellow for sensitivity (from most to least sensitive). Then there's Green Information, which is public.
| | |
|---|---|
|General Use|Emails and documents with this label are not sensitive and can be shared both internally and externally with no risk of harm and without restriction.|
|Confidential Internal Use Only|This label applies to sensitive information that should not leave the organization but is not as critical as those under the "Highly Confidential" classification. Use this for information that if disclosed outside, could still cause harm but is primarily intended for internal stakeholders.|
|Confidential Third Party Authorized|This label applies to sensitive information that can be shared with third parties who have been vetted and authorized under specific conditions. This might include business partners or vendors who need access to certain information to provide services or support.|
|Highly Confidential Internal Use Only|This label applies to the most sensitive information that if disclosed, could result in severe damage to the organization. Access should be limited to a very select group of internal stakeholders, and it should not be shared outside the organization.|
|Highly Confidential - Third Party Authorized|This label applies to extremely sensitive information that must sometimes be shared with third parties, under very strict controls and only when absolutely necessary. This could include sharing with legal counsel, auditors, or regulatory bodies who require access to fulfill their obligations to the organization.|
Just before I left the Bank of England, we rebuilt our classification scheme - [https://www.bankofengland.co.uk/-/media/boe/files/about/human-resources/iscs-external-guidance.pdf](https://www.bankofengland.co.uk/-/media/boe/files/about/human-resources/iscs-external-guidance.pdf) is the reference. We had used UNCLASSIFIED, BANK CONFIDENTIAL, SECRET and TOP SECRET previously, but moved to OFFICIAL-BLUE, OFFICIAL-GREEN, OFFICIAL-AMBER and OFFICIAL-RED for the non SECRET levels - we wanted labels that were not using simple language as we found that using words like confidential were difficult to track in DLP systems, causing far too many false positives.
One of the reasons for the move was that the UK government was looking to change their scheme to a traffic light system also, so we moved to where they were heading.
From a user perspective it is complex to figure out a classification. That's why some of our institutions reverse the process and start with the person and what they want to do.
Leiden University has a tool picker that is publicly available, to help employees and students pick the correct tool (and indirectly the level of security and privacy that that tool offers).
It does not solve the classification labeling problem if you have a single mandatory system in mind, but I can imagine that asking them about what goal they want to achieve makes it easier for employees to see classification as helpful and useful.
[https://web.universiteitleiden.nl/assets/toolpicker/?lang=en](https://web.universiteitleiden.nl/assets/toolpicker/?lang=en)
![](../../Informatie_classificatie_matrix.xlsx)
See also:
[Datatags System](../../../Literature%20notes/Datatags%20System.md)
[Def_Sec_Handbook_Chapter_2](../../../Literature%20notes/Def_Sec_Handbook_Chapter_2.md#Information%20classification)
[ISO 27002:2022 NL A5.12](../../../Standards/ISO27x/OST/27002/NL/a-5.12-Classificeren-van-informatie.md)
[Designing an information management scheme](../../../Literature%20notes/Designing%20an%20information%20management%20scheme.md)
[Key Topics for a policy on handling classified information](../../Key%20Topics%20for%20a%20policy%20on%20handling%20classified%20information.md)
[Traffic Light Protocol (TLP)](../../../Literature%20notes/Traffic%20Light%20Protocol%20TLP.md)
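
Review bot: Under "Examples from SANS forum" the numbered list 1 to 7 appears to run two separate schemes together (items 1 to 3 ending in "Significant risk - Confidential", then items 4 to 7 starting at "Unrestricted"), and the other schemes are told apart only by a change of list style, so a reader cannot see where one contributor's scheme ends and the next begins. Give each scheme its own sub-heading or separate them with a blank line, and restart the numbering for the second scheme. The first-person forum posts ("Just before I left the Bank of England, ...", "From a user perspective ...") are not marked as quotations and read as the note author's own words; blockquote them. The table has an empty header row ("| | |"); name the columns, for example Label and Description. The line "![](../../Informatie_classificatie_matrix.xlsx)" uses image-embed syntax for a spreadsheet, which will not render; a normal link with link text would be clearer.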


@ -0,0 +1,34 @@
ChatGPT prompt, requested 6 januari 2025:
`The FIRST TLP standard recognizes 4 labels, RED, AMBER, GREEN and CLEAR. For each label, give typical examples of the kinds of documents in a childcare organization
In a childcare organization, the Traffic Light Protocol (TLP) can be used to manage and classify information based on its sensitivity and the appropriate sharing audience. Here's how the different TLP labels might be applied:
1. **TLP:RED**
- **Examples of Documents:**
- Child protection reports or sensitive incident reports involving specific children or staff that are under investigation.
- Confidential parental complaints or legal documents involving the welfare of specific children.
- Emergency response plans detailing actions for critical incidents affecting child safety.
- Personal records of children and staff, such as health information or background checks, requiring high confidentiality.
2. **TLP:AMBER**
- **Examples of Documents:**
- Internal assessments or evaluations regarding program effectiveness or staff performance that require restricted sharing.
- Reports on non-critical incidents involving children that need to be shared only with relevant staff and authorities.
- Draft policies or procedures under consideration that have not been finalized or publicly announced.
- Strategy documents for program development or expansions that are not for public release but may be shared with select partners or stakeholders.
3. **TLP:GREEN**
- **Examples of Documents:**
- Staff training manuals and educational resources intended for internal use but could be shared with partners for collaborative learning.
- Updates on non-sensitive program changes or organizational developments shared internally among staff.
- General guidance or informational documents that support day-to-day operations and could be made available to partnership organizations.
- Documents outlining health and safety protocols that are not proprietary and can facilitate broader industry best practices.
4. **TLP:CLEAR**
- **Examples of Documents:**
- Public newsletters and announcements about upcoming events or programs open to the community.
- Marketing materials, brochures, and digital content intended for parents and the general public.
- General policy documents and guidelines on topics such as enrolment, non-sensitive health practices, or general childcare tips.
- Information about community involvement activities or open days intended to engage and inform the public about the organization's work.
These examples illustrate how the TLP can be an effective tool in a childcare organization to manage information sharing, protecting sensitive data and ensuring that information is shared with the appropriate audience.
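
Review bot: The prompt line opens with a backtick before "The FIRST TLP standard" and never closes it, so the code span runs into the generated answer and the boundary between prompt and response is lost; close it after "childcare organization", as the commercial services file in this commit does. The file also gives only "Examples of Documents" per label and no sharing guideline, unlike the information security file, so it does not say who may receive each category. Under TLP:RED, "Emergency response plans detailing actions for critical incidents affecting child safety" is worth a second look: staff need those plans to act on them, which sits oddly beside child protection reports. Since this is generated text, a one-line marker that the examples have not been reviewed against the organization's own policy would help later readers.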


@ -0,0 +1,34 @@
ChatGPT prompt, requested 6 januari 2025:
`The FIRST TLP standard recognizes 4 labels, RED, AMBER, GREEN and CLEAR. For each label, give typical examples of the kinds of documents in a commercial services organization`
The Traffic Light Protocol (TLP) is a system for classifying sensitive information to facilitate information sharing. It consists of different color-coded labels, each indicating the level of sensitivity and the degree of sharing permitted. Here's how these might apply in a commercial services organization:
1. **TLP:RED**
- **Examples of Documents:**
- Internal reports on a severe data breach or security incident that is currently under investigation.
- Legal documents related to ongoing litigation or disputes.
- Executive communications containing strategic decisions that could significantly impact the company's operations or reputation if disclosed.
- Crisis management plans and tactics being deployed in real-time.
2. **TLP:AMBER**
- **Examples of Documents:**
- Internal audit findings and potential vulnerabilities that need to be addressed.
- Draft versions of sensitive projects or product developments not yet publicly announced.
- Employee performance reviews and confidential HR investigations.
- Negotiation strategies or contract terms involving significant vendors or partners.
3. **TLP:GREEN**
- **Examples of Documents:**
- Internal newsletters and policy updates meant for all employees but not for public or competitor knowledge.
- Market analysis reports or industry research intended to guide internal strategy but not yet published externally.
- Training materials and resources meant for internal skill-building and organizational development.
- Summary reports on non-critical projects or initiatives that may be shared with specific partners under NDA.
4. **TLP:CLEAR**
- **Examples of Documents:**
- Press releases and publicly available company announcements.
- Marketing materials and brochures intended for public distribution.
- White papers and research reports approved for public or client distribution.
- General information about company policies and procedures that are not sensitive or proprietary.
These examples serve to illustrate how TLP labeling can be employed within a commercial services organization to manage the dissemination of information effectively, depending on its sensitivity and intended audience.
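
Review bot: The TLP:GREEN examples here do not agree with the GREEN sharing guideline recorded in the information security file of this same commit ("can be shared with peers and partner organizations within the same sector or community"). "Internal newsletters and policy updates meant for all employees but not for public or competitor knowledge" describes organization-internal material, and "shared with specific partners under NDA" describes a restricted, contract-bound audience; both read closer to the AMBER description than to GREEN. Either move those two items or add a sentence explaining how GREEN is being interpreted in this note, otherwise the three sector files and the information security file will teach different meanings for the same label.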


@ -0,0 +1,46 @@
ChatGPT prompt, requested 6 januari 2025:
`The FIRST TLP standard recognizes 4 labels, RED, AMBER, GREEN and CLEAR. For each label, give typical examples of the kinds of information found in the information security function of the organization and its systems`
### The FIRST TLP standard recognizes 4 labels, RED, AMBER, GREEN and CLEAR. For each label, give typical examples of the kinds of information found in the information security function of the organization and its systems
The Traffic Light Protocol (TLP) is a system designed to facilitate sharing sensitive information by specifying what can be shared and with whom. Here are typical examples of information under each TLP label within an organization's information security function:
1. **TLP:RED**
- **Example Information:** Detailed specifics on a newly discovered zero-day vulnerability affecting critical systems, incident investigation reports with sensitive details, personal data of incident responders or affected parties, or intelligence on imminent threats that could lead to significant harm.
- **Sharing Guidelines:** Intended for the named recipients only. Extreme caution is required due to the sensitive nature of the information. It should not be shared beyond the intended recipients without explicit permission.
2. **TLP:AMBER**
- **Example Information:** Incident detection techniques, indicators of compromise (IOCs) that might be used by threat actors, internal security processes or system configurations, and vulnerabilities that are being actively exploited but are not publicly known.
- **Sharing Guidelines:** Restricted to individuals or groups within the recipients organization who need to know in order to prevent or mitigate the impact of incidents.
3. **TLP:GREEN**
- **Example Information:** General threat intelligence reports, summaries of common attack vectors, security awareness materials, lessons learned from incidents (with sensitive details redacted), and industry best practices for various security processes.
- **Sharing Guidelines:** Information can be shared within the community or group but not publicly. It can be shared with peers and partner organizations within the same sector or community.
4. **TLP:CLEAR**
- **Example Information:** Publicly available security advisories, general security policies, declassified information about previous incidents, and announcements that have already been made public.
- **Sharing Guidelines:** Information can be freely shared with anyone, including the general public. Offers the least restriction and encourages wide dissemination.
Using TLP labels allows organizations to better control the dissemination of sensitive information, ensuring it reaches those who need it while preventing leakage to unintended parties.
### Answer the same question, but now focus on information that would facilitate gaining access to systems and information of the organization
When considering the potential for facilitating unauthorized access to an organization's systems and information, heres how different types of sensitive information might be categorized under each TLP label:
1. **TLP:RED**
- **Example Information:** Administrative credentials, passwords, or encryption keys for critical systems; architectural diagrams of the network including security solutions and defenses in place; detailed security vulnerability assessments and penetration testing results exposing critical vulnerabilities; and detailed incident reports that expose system weaknesses.
- **Sharing Guidelines:** This information is highly sensitive and should only be shared with specific, authorized individuals who require it for critical tasks. It must not be shared beyond these individuals without explicit permission due to the risk of compromise.
2. **TLP:AMBER**
- **Example Information:** Configuration details of critical security systems (e.g., firewalls, intrusion detection/prevention systems), lists of known vulnerabilities within less critical systems, scripts or tools used for internal security checks, and access controls or user privilege levels of staff within the organization.
- **Sharing Guidelines:** Information should only be shared with personnel or departments directly involved in securing or maintaining systems. It should not be distributed beyond these necessary recipients within the organization.
3. **TLP:GREEN**
- **Example Information:** General guidelines on password policies, which IT systems are in place along with their general functions but without exposing critical configurations, high-level security framework overviews, and anonymized metrics on system access attempts (e.g., frequency of login attempts).
- **Sharing Guidelines:** This information can be shared within the community or with partner organizations, enabling sharing of best practices or awareness of common challenges without exposing sensitive details that might facilitate system access.
4. **TLP:CLEAR**
- **Example Information:** Public security policies, non-sensitive security training materials aimed at general staff awareness, historical data on resolved security incidents without sensitive details, and general announcements regarding security posture improvements.
- **Sharing Guidelines:** Such information can be freely shared with the public, including stakeholders outside the organization, since it does not directly compromise the security of systems or facilitate unauthorized access.
By appropriately classifying information related to access facilitation, organizations can better protect their systems from unauthorized access while still disseminating necessary security information effectively.
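
Review bot: In the second answer, TLP:RED lists "Administrative credentials, passwords, or encryption keys for critical systems" as example information to be shared with "specific, authorized individuals". A TLP label only tells the recipient how far they may pass something on; it does not protect the secret, so the note should say that credentials and keys are handled through access control and a secrets store rather than circulated as labelled documents. In the first answer the RED item "newly discovered zero-day vulnerability" and the AMBER item "vulnerabilities that are being actively exploited but are not publicly known" overlap, and the note gives no criterion for choosing between them. Smaller points: the first "###" heading repeats the prompt line above it verbatim and one of the two can go; "recipients organization" is missing its apostrophe and "heres" should be "here's".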


@ -0,0 +1,34 @@
ChatGPT prompt, requested 6 januari 2025:
`The FIRST TLP standard recognizes 4 labels, RED, AMBER, GREEN and CLEAR. For each label, give typical examples of the kinds of documents in a hospital
In a hospital setting, managing information sensitivity is crucial for maintaining patient confidentiality and operational integrity. Here's how the Traffic Light Protocol (TLP) might be applied:
1. **TLP:RED**
- **Examples of Documents:**
- Detailed patient medical records containing sensitive personal health information.
- Incident reports related to severe patient safety issues or medical errors under investigation.
- Legal documents concerning ongoing malpractice litigation or sensitive negotiations.
- Emergency response plans or security protocols related to current high-risk situations.
2. **TLP:AMBER**
- **Examples of Documents:**
- Internal audit reports assessing compliance with healthcare regulations like HIPAA.
- Strategic planning documents for upcoming service expansions or new medical programs.
- Internal memos detailing sensitive operational changes or staffing adjustments.
- Clinical trial results or research findings not yet published or publicly disclosed.
3. **TLP:GREEN**
- **Examples of Documents:**
- Internal newsletters updating staff on non-sensitive policy changes or hospital initiatives.
- Training manuals for medical and administrative staff intended for internal distribution.
- Non-confidential aggregate data reports used for internal performance tracking or quality improvement.
- Educational materials for staff that might also be available for partner healthcare organizations under certain conditions.
4. **TLP:CLEAR**
- **Examples of Documents:**
- Public health announcements or educational brochures available to patients and the public.
- Press releases about hospital achievements, new programs, or community events.
- General policy documents that are applicable and accessible to patients, such as visiting hours or parking information.
- Community engagement materials promoting health and wellness initiatives.
These examples illustrate how a hospital can employ the TLP labeling system to appropriately safeguard sensitive information while facilitating necessary information sharing within and outside the organization.
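
Review bot: The prompt line opens with a backtick before "The FIRST TLP standard" and never closes it, so prompt and generated answer run together; close it after "in a hospital". Under TLP:AMBER, "compliance with healthcare regulations like HIPAA" names a US regulation, while the Data Classification note in this commit links to the Dutch edition of ISO 27002:2022 and uses Dutch date formats; if these notes are meant for a Dutch or EU setting, replace the example or mark it as US-specific. Under TLP:RED, "Detailed patient medical records" are placed in the most restrictive category with no sharing guideline given, yet care teams routinely need them; add a sharing guideline per label, as the information security file does, so the example states who the intended recipients are.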