Page 316 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
doesn’t want attackers to modify this data so it takes steps to protect it.
Although some sources refer to sensitive information as any data that isn’t public or unclassified, many organizations use sensitive as a label. In other words, the term “sensitive information” might mean one thing in one organization but something else in another organization. For the CISSP exam, remember that “sensitive information” typically refers to any information that isn’t public or unclassified.
Civilian organizations aren’t required to use any specific classification labels. However, it is important to classify data in some manner and ensure personnel understand the classifications. No matter what labels an organization uses, it still has an obligation to protect sensitive information.
After classifying the data, an organization takes additional steps to manage it based on its classification. Unauthorized access to sensitive information can result in significant losses to an organization. However, basic security practices, such as properly marking, handling, storing, and destroying data and hardware assets based on their classifications, help to prevent those losses.
Defining Asset Classifications
Asset classifications should match the data classifications. In other words, if a computer is processing top secret data, the computer should also be classified as a top secret asset. Similarly, if media such as internal or external drives hold top secret data, the media should also be classified as top secret.
It is common to use clear marking on hardware assets so that personnel are reminded of the data that can be processed or stored on the asset. For example, if a computer is used to process top secret data, the computer and the monitor will have clear and prominent labels reminding users of the classification of data that can be processed on the computer.