Approval: Current document is a DRAFT for discussion.
Revised: March 2002
ITA Version: 4.5.2
The purpose of this document is to provide a conceptual model for an asset security classification scheme in accordance with Security Architecture principle A-6. Such a scheme is intended to indicate the level of protection a resource needs in terms that are understandable to the owner of the resource and that can be linked to specific safeguards. The scheme also seeks to use no more categories than are needed to capture real differences in protection as further specified by principle A-6 in support of design principle B.2 to reduce overall complexity.
Some definitions. As used in this document, the term "resource" covers hardware, software, data, information and technologies. Since there is no need to distinguish between "data" and "information" for the purpose of securing them, this document uses the two terms interchangeably. The document also refers to measures taken to implement security sometimes as "safeguards" and other times as "countermeasures."
Scope. The classification scheme described here applies to any IT resource that is owned by or located at Emory or is connected to Emory’s networks whenever that resource is to receive Emory's protection. The scheme is intended for classifying resources at the granularity of systems that use applications, sets of data and various technologies to support functions of the university. At that granularity, sets of data include databases and can be discussed as data or information for the purpose of securing them. Other examples of such resources are servers running applications and databases, desktop systems, and devices such as printers. An organizational function or operation could in principle also be classified. However, this document focuses on classification of IT resources.
Local use. The classification scheme of this document is also recommended for use by all Emory units and individuals to indicate needed protection at the local level, regardless of the source of that protection. Under such circumstances it is up to those providing protection to establish appropriate safeguards according to the classification. Leveraging the standard enterprise classification scheme and safeguards will reduce the local effort and help to establish a common and consistent security layer across Emory in accordance with architecture design principle B.5.
Protection is not automatic. Note that protection of an IT resource at the desired classification is not necessarily automatic. For a resource to receive Emory enterprise protection that is higher than that of the lowest classification, the owner, steward, or custodian of the resource must identify the resource and give it a higher classification by completing a classification worksheet and filing it with the Information Technology Division.
Security involves a balance between protection and access. Emory needs to provide members of its community with access to the resources that they require to perform their roles and responsibilities. At the same time, Emory needs to protect its resources and restrict access to them according to its policies, license agreements, applicable laws, and the requirements of granting and regulatory agencies.
The protection that a resource needs generally depends on its situation, which takes into account its vulnerability (the threats it faces and its susceptibility to them) and the adverse impact of succumbing to those threats. Once the situation has been characterized, due care and good security practices that many years of experience have already shown to be applicable to that situation can be used to decide what policies are needed or are applicable and what safeguards are prudent and necessary. Then policies can be established and products can be selected to implement the safeguards. Applicable safeguards should be implemented unless there are prudent reasons not to do so. In that case, those reasons should be documented.
In general, neither the identity of every resource at Emory that needs protection nor the situation of each such resource is known. The classification scheme provides a way for owners to identify resources and characterize their operational security needs in a standard way. Use of this standard approach reduces the effort needed to secure a resource. In addition, it allows the owners to focus on their operational needs, which typically change slowly, while the administrators focus on safeguards, which typically require continual attention as new weaknesses are found and new threats appear.
The purpose of this section is to explain the philosophy, meaning and use of the classifications.
In accordance with Security Architecture principle A-4, this document takes as a given that every resource has an owner, that is, someone who has final rights regarding disposition of the resource. Owners are responsible for ensuring that the resources they own are identified, classified and secured according to the protection they need.
For most Emory IT resources, such as a major Emory IT system, Emory is the owner, and it has entrusted responsibility for the resource (including its classification) to someone else called the Steward of that resource. The Steward may employ someone called a Custodian to take care of the resource, and may delegate classification to the Custodian or base the classification on information from the Custodian. The Custodian in turn may depend upon an Administrator of the resource to supply technical advice and implement safeguards.
Table 1: Classification summary
The goal of security is to build an appropriately secure environment. This is done by identifying security problems as a variation from the security that is needed and closing the gap between what is currently happening and the desired state. Security is applied to counter the adverse impact of succumbing to a threat. Owners, stewards or custodians provide knowledge of the impact of succumbing. The classification scheme provides a way for them to categorize resources accordingly. The classification types correspond to the two general types of threats: loss of use and unauthorized disclosure.
The following table summarizes the major components of the classification scheme.
| Classification type | Relates to | Objective | Basis for classification | Classifications | Focus |
|---|---|---|---|---|---|
| Criticality | Loss of use | To indicate the required level of accessibility and availability, and help determine needed contingency plans, recovery plans and protection from threats such as contamination or denial of service. | Impact to Emory if the resource is inoperable, damaged, saturated, compromised, consumed, unavailable, improperly altered, inaccessible, stolen, destroyed, or otherwise unable to be used. | Vital, Critical, Important, Valued. | Applications |
| Sensitivity | Unauthorized disclosure or use | To help determine needed safeguards such as access authorizations and limitations. | Impact to Emory of improper, illegal or unauthorized access to the resource, use of it, or disclosure of its contents. | Restricted, Confidential, Internal, Public. | Data and Information |
Use versus disclosure. Use of a resource can be exclusive or allow unlimited sharing. For example, use of data storage space and processing are exclusive in that a particular space or processor can have only one occupant at a time, whereas information can be allowed to be simultaneously viewed by as many as desired. When the use is exclusive, then unauthorized use results in loss of authorized use and thus receives a criticality classification. When use allows unlimited sharing, then unauthorized use is related to disclosure and receives a sensitivity classification.
Use and disclosure are independent in that one does not imply the other, even when the resource is information, as indicated by the following examples.
Classification levels and ranking. For each classification type, the classifications are ranked according to the amount of adverse impact; the greater the impact, the higher the corresponding classification level.
Emory's associates. Adverse impact to Emory can result not only from a direct effect on the Emory organization, but also from the Emory organization being held responsible for an adverse effect on Emory's associates, that is, those who work for Emory, attend Emory, collaborate with Emory, are affiliates of Emory, or otherwise do business with Emory.
Highest level rule. Whenever more than one level of a classification type is indicated, use the highest level.
Dependency rule. When one resource is required in order to use another resource, then loss of use of the first resource leads to loss of use of the second, so the criticality classification of the first resource is at least that of the second resource. Similarly, when disclosure or use of one resource can enable disclosure or use of another resource, the sensitivity classification of the first resource is at least that of the second resource.
Use of the classifications. Resources exist in an environment of IT and non-IT components that determine vulnerability to threats. Given the classification and the environment, safeguards can be identified based on standard methods of due care and good practice augmented by solutions to new security challenges beyond due care. Note that one safeguard may counter multiple threats, and some threats may require multiple countermeasures. Once the needed safeguards are known, the gap between the current state and the desired future state can be assessed by comparing safeguards currently in place to those implied by the classification.
Criticality and sensitivity are independent types, that is, a classification according to one of the types says nothing about classification using the other type. This is illustrated by the following examples.
In a development or research environment there are situations where technologies take on the role of applications and data. In that case, their classifications should take those roles into account. The following two examples illustrate how this can happen and how it would be handled.
The purpose of having more than one classification is to allow resources to receive appropriate security while keeping the cost down. A high classification generally implies a greater security effort, which is typically more expensive than would be needed for a lower classification. Thus, although it might be tempting to give all resources the highest classifications and thereby give them the highest security Emory can provide, to do so would be more expensive than necessary. When classifying a resource, the classification assigned should be just high enough to provide the security that is prudent and required.
In the other direction, it might be tempting to provide a larger number of classifications than the table shows in the hope of further reducing cost by being able to give some resources a lower classification than otherwise. However, the complexity of the classification scheme and the security methods needed to implement it increase quickly as the number of classifications increases, which leads to a corresponding rapid increase in implementation and administration costs. Thus the number of classifications should be no more than are distinctly useful.
The following table is intended to justify the number of classifications by showing that there are at least four distinctly useful impact categories for each one and by giving corresponding examples of four distinctly different types of safeguards with distinctly different costs.
| Impact | | | | |
|---|---|---|---|---|
| Severity of harm or damage | Negligible | Minor | Significant | Serious |
| Duration of harm or damage | Momentary | Short term | Medium term | Long term |
| Safeguards | | | | |
| Example Criticality safeguard: Platform availability | No spare | Cold spare | Hot spare with failover | Redundant copies with load balancing and transparent failover. |
| Example Sensitivity safeguard: Access policy | May be made accessible without any specific permission. | Accessibility is at the discretion of the owner. | Accessibility changes according to role. | Access is for a limited time and requires specific approval based on need. Data may not be copied without specific prior approval. |
Table 3: Implied classifications
The classification of resources can be further simplified by focusing on one type of resource as indicated under the heading "Focus" in Table 1. The simplification is based on the dependency rule given previously.
Simplification by focus is used as follows.
Criticality. For an application, determine the impact of not having use of it. Note any data, technologies, or other resources that need the application in order to be used. The impact of not having use of the application is at least as high as the impact of not having use of those resources. Classify the application accordingly. Then list the data, technologies and other resources that the application needs in order to be used. The impact of loss of use of those resources is at least as great as the impact of loss of use of the application. Classify these resources accordingly.
Sensitivity. For a database, data set or file, determine the impact of unauthorized use or disclosure of its contents. Application code should be considered to be a file of data if unauthorized use, copying or disclosure of the application code would have an adverse impact. Classify the data accordingly. List the applications, technologies and other resources whose unauthorized disclosure or use would enable unauthorized disclosure or use of the data. In the case of an application considered as data, copying would typically depend on a server's facilities and security. The impact of unauthorized disclosure or use of these resources is at least as great as the impact of unauthorized disclosure or use of the data. Classify the resources accordingly.
| | Criticality | Sensitivity |
|---|---|---|
| Application | Classify the application using an impact at least as great as that of any other resource that needs the application in order to be used. | Implied by the most sensitive of any information whose use or disclosure the application enables or supports. |
| Information | Implied by the greatest criticality of the applications that depend on the information. | Classify the information using an impact at least as great as that of any other resource it enables to be disclosed or used. |
| Technology or other IT resource | Implied by the greatest criticality of the applications that depend on the technology or other IT resource. | Implied by the most sensitive of the information whose disclosure or use the technology or other IT resource enables or supports. |
Classify for Criticality. For each system, server or device, the criticality is that of the most critical application that runs there or otherwise depends on the system, server or device for use.
Classify for Sensitivity. For each system, server or device, the sensitivity is that of the most sensitive information to which the system, server or device provides access or otherwise enables to be disclosed or used.
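The highest level rule and the dependency rule can be applied mechanically to a resource inventory, which is how the implied classifications in Table 3 and the system-level rules above are obtained in practice. The Python below is an added illustration, not code from the original document or an Emory tool; the resource names, the owner-assigned levels and the dependency graph are constructed for the example. Criticality is propagated along "needs" edges (an application that needs a server, as in Classify for Criticality) and sensitivity along "exposes" edges (a server that provides access to data, as in Classify for Sensitivity).

```python
from dataclasses import dataclass, field

# Levels ranked lowest to highest, as in the classification tables.
CRITICALITY = ["Valued", "Important", "Critical", "Vital"]
SENSITIVITY = ["Public", "Internal", "Confidential", "Restricted"]


def highest(levels, ranking):
    """Highest level rule: when more than one level applies, use the highest."""
    return max(levels, key=ranking.index)


@dataclass
class Resource:
    name: str
    criticality: str = "Valued"   # owner-assigned, or the lowest level by default
    sensitivity: str = "Public"
    needs: set = field(default_factory=set)    # resources this one needs in order to be used
    exposes: set = field(default_factory=set)  # resources whose disclosure or use this one enables


def propagate(resources):
    """Dependency rule, iterated until no classification changes.

    Criticality flows from a resource to what it needs: if A needs B, loss of B
    is loss of A, so B is at least as critical as A.
    Sensitivity flows from data to what exposes it: if X exposes D, compromise
    of X can disclose D, so X is at least as sensitive as D.
    """
    changed = True
    while changed:
        changed = False
        for r in resources.values():
            for dep in (resources[n] for n in r.needs):
                level = highest([dep.criticality, r.criticality], CRITICALITY)
                if level != dep.criticality:
                    dep.criticality, changed = level, True
            for exp in (resources[n] for n in r.exposes):
                level = highest([r.sensitivity, exp.sensitivity], SENSITIVITY)
                if level != r.sensitivity:
                    r.sensitivity, changed = level, True
    return {r.name: (r.criticality, r.sensitivity) for r in resources.values()}


def classify_example():
    """Constructed inventory (hypothetical names): only owner-assigned levels are set explicitly."""
    inventory = [
        # Information: the owner rates the records Restricted; criticality is implied.
        Resource("student-records", sensitivity="Restricted"),
        # Applications: owners rate criticality; sensitivity is implied by the data they expose.
        Resource("registration-app", criticality="Critical",
                 needs={"student-records", "db-server"}, exposes={"student-records"}),
        Resource("reporting-app", criticality="Important",
                 needs={"student-records", "db-server"}, exposes={"student-records"}),
        # Technology: both classifications are implied by what runs on or through it.
        Resource("db-server", exposes={"student-records"}),
    ]
    return propagate({r.name: r for r in inventory})
```

The result shows the records and the database server inheriting Critical from the registration application, while every resource that can reach the records becomes Restricted; the lower-rated reporting application keeps its own criticality because nothing more critical depends on it.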
The purpose of this section is to suggest indicators for classifying resources.
The criticality of a resource is intended to indicate the importance of the resource to the continued success of the operational function that it supports. Criticality indicates the required level of availability and accessibility, and helps to determine needed contingency plans.
Criticality classifications

| Impact characterization | Valued | Important | Critical | Vital |
|---|---|---|---|---|
| Operational importance | Of recognizable value to individuals or segments of Emory. | Important to the work of individuals or segments of Emory. | Necessary for Emory's ongoing operation. | Essential to Emory. |
| Operational availability and accessibility | Preferred whenever possible. | Required during normal office hours. | Required during normal office hours plus extended hours during reporting or other processing cycles. | Required 24 hours a day, 7 days a week. |
| Maximum outage | An outage of more than 1 week of normal operation would be considered significant. | An outage of more than 1 day of normal operation would be considered significant. | An outage of more than 1 hour of normal operation would be considered significant. | An outage of more than 1 minute of normal operation would be considered significant. |
| Tolerable outage | Extended outages do not result in a significant negative impact. | Brief outages do not result in a significant negative impact. | Brief outages during certain periods do not result in a significant negative impact. | Brief outages result in a serious negative impact. |
| Impact of loss of use | Negligible or no operational, financial or legal loss to Emory. | Negligible or no financial or legal loss, just minor operational loss such as loss of productivity. | Significantly impairs the functioning of the university or results in significant financial or legal loss. | Seriously impairs the functioning of the university or results in serious financial or legal loss. |
The sensitivity classification is intended to indicate the adverse impact to Emory of unauthorized, improper or illegal access to a resource, use of it, or disclosure of its contents. The sensitivity classification helps determine what access authorizations and limitations to set.
Sensitivity classifications

| Characterization | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Impact to Emory or its associates due to unauthorized disclosure or use | Negligible or no loss. | Negligible or no loss, and at most minor, short term embarrassment. | Significant financial or legal loss; significant or medium term embarrassment; or some loss of credibility or reputation. | Serious financial or legal loss; impairment to operation; serious or long term embarrassment; long term loss of credibility or reputation. |
| Scope of access | Intended for public access. | OK to be accessible inside Emory but not outside Emory. | Not intended for general access even within Emory. | Intended to be accessed by as few people as possible and then only based on need. |
| Disclosure policy | May be freely disclosed without permission. | May be freely disclosed within Emory, but requires permission of the owner or custodian to disclose it outside Emory. | Requires permission of owner or custodian to disclose it. | May not be disclosed outside those allowed to know. |
| Examples (for illustrative purposes only) | Emory external home page and home pages of Emory schools | Data or services licensed for access only within Emory | Most data in university administrative systems | Information about identifiable people, such as student and patient records, personnel data and employee performance reviews |