Page 312 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
In 2014, FireEye, a U.S. network security company,
purchased Mandiant for about $1 billion. However, you can still
access Mandiant’s APT1 report online by searching for “Mandiant
APT1.” You can view the joint report by searching for
“JAR-16-20296A Grizzly Steppe.”
Defining Data Classifications
Organizations typically include data classifications in their security
policy, or in a separate data policy. A data classification identifies the
value of the data to the organization and is critical to protect data
confidentiality and integrity. The policy identifies classification labels
used within the organization. It also identifies how data owners can
determine the proper classification and how personnel should protect
data based on its classification.
As an example, government data classifications include top secret,
secret, confidential, and unclassified. Anything above unclassified is
sensitive data, but clearly, these have different values. The U.S.
government provides clear definitions for these classifications. As you
read them, note that the wording of each definition is close except for a
few key words. Top secret uses the phrase “exceptionally grave
damage,” secret uses the phrase “serious damage,” and confidential
uses “damage.”
Top Secret: The top secret label is “applied to information, the
unauthorized disclosure of which reasonably could be expected to
cause exceptionally grave damage to the national security that the
original classification authority is able to identify or describe.”
Secret: The secret label is “applied to information, the unauthorized
disclosure of which reasonably could be expected to cause serious
damage to the national security that the original classification
authority is able to identify or describe.”
Confidential: The confidential label is “applied to information, the
unauthorized disclosure of which reasonably could be expected to

