4.2.2 Assignment & Accounting
Ownership, classification.
Assignment and accounting ensure that data is clearly owned, appropriately classified based on sensitivity, and tracked through comprehensive audit logs.
Data Ownership and Roles Organizations must establish legal and operational control over data to prevent disputes and unauthorized disclosure. - Data Owner: Usually a senior executive who has ultimate responsibility for the data and determines its classification level. - Data Steward/Custodian: Focuses on the technical aspects of data management, such as maintaining backups, ensuring integrity, and implementing security controls. - Third-Party Ownership: Contracts must define who owns data created during a service term. Some providers claim ownership of data generated on their proprietary systems, while others transfer all rights to the client. - Intellectual Property: Proper ownership assignment prevents legal disputes regarding copyrights and patents.
Data Classification levels Classification allows security professionals to apply the correct amount of protection based on the data's sensitivity. - Top Secret: Disclosure causes "exceptionally grave damage" to national security. - Secret: Disclosure causes "serious damage" to national security. - Confidential: Disclosure causes "damage" to national security. - Private/Proprietary: Commercial terms for sensitive internal data like trade secrets or PII. - Public: Information intended for general consumption with no risk to the organization if disclosed.
Governance Frameworks Established frameworks provide structures for risk management and data auditing. - CIS Benchmarks: Provided by a nonprofit to offer best-practice configurations for diverse organizations, including small businesses. - COBIT: An ISACA framework focused on enterprise-wide governance and information technology management. - ISO 31000: A high-level executive framework for managing risk. - SSAE 18: Standards from the AICPA used for auditing financial reporting and service organization controls (SOC).
Accounting and Auditing Accounting is the process of tracking what users do with resources to ensure non-repudiation and security. - AAA Framework: Consists of Authentication (who you are), Authorization (what you can do), and Accounting (tracking what you did). - Log Management: Like a digital "sign-in sheet," accounting keeps a historical record of access over time. - Audit Policies: Administrators use tools like the Windows Local Security Policy or Group Policy Management Console (GPMC) to track events like failed logon attempts or file access. - Usage Tracking: Essential for identifying the scope of a breach and verifying compliance with security policies.
Quick recall - Owner vs. Custodian: The owner decides the classification; the custodian implements the protection. - Non-repudiation: Accounting ensures a user cannot deny performing a specific action. - Sensitivity: The primary factor used to determine which classification label to apply. - Scope of Damage: The key differentiator between Top Secret, Secret, and Confidential levels.