Page 315 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Confidential or Proprietary The confidential or proprietary label typically refers to the highest level of classified data. In this context, a data breach would cause exceptionally grave damage to the mission of the organization. As an example, attackers have repeatedly attacked Sony, stealing more than 100 terabytes of data, including full-length versions of unreleased movies. These quickly showed up on file-sharing sites, and security experts estimate that people downloaded these movies up to a million times. With pirated versions available, many people skipped seeing the movies when Sony ultimately released them, which directly affected Sony's bottom line. The movies were proprietary, and the organization might have considered their loss exceptionally grave damage. In retrospect, Sony may choose to label unreleased movies as confidential or proprietary and use the strongest access controls to protect them.

Private The private label refers to data that should stay private within the organization but doesn't meet the definition of confidential or proprietary data. In this context, a data breach would cause serious damage to the mission of the organization. Many organizations label PII and PHI data as private. It's also common to label internal employee data and some financial data as private. As an example, the payroll department of a company would have access to payroll data, but this data is not available to regular employees.

Sensitive Sensitive data is similar to confidential data. In this context, a data breach would cause damage to the mission of the organization. As an example, information technology (IT) personnel within an organization might have extensive data about the internal network, including the layout, devices, operating systems, software, Internet Protocol (IP) addresses, and more. If attackers have easy access to this data, it makes it much easier for them to launch attacks. Management may decide they don't want this information available to the public, so they might label it as sensitive.

Public Public data is similar to unclassified data. It includes information posted on websites, in brochures, or in any other public source. Although an organization doesn't protect the confidentiality of public data, it does take steps to protect its integrity. For example, anyone can view public data posted on a website. However, an organization