1
00:00:00,350 --> 00:00:02,330
In this lesson, we're going to talk a bit

2
00:00:02,330 --> 00:00:05,630
more in depth about the concept of data classifications.

3
00:00:05,630 --> 00:00:07,330
Now, we've mentioned the basic concepts

4
00:00:07,330 --> 00:00:08,680
previously in this course.

5
00:00:08,680 --> 00:00:10,400
But now we're going to formally define them

6
00:00:10,400 --> 00:00:11,930
to ensure you're ready for any questions

7
00:00:11,930 --> 00:00:14,840
you get about data classifications on the exam.

8
00:00:14,840 --> 00:00:16,520
Data classification is based on

9
00:00:16,520 --> 00:00:18,160
the value to the organization,

10
00:00:18,160 --> 00:00:20,000
and the sensitivity of that information

11
00:00:20,000 --> 00:00:21,570
if it's going to be disclosed.

12
00:00:21,570 --> 00:00:22,980
The person that decides the level

13
00:00:22,980 --> 00:00:25,870
of data classification is the data owner.

14
00:00:25,870 --> 00:00:27,520
Now, what exactly would we consider

15
00:00:27,520 --> 00:00:29,410
sensitive data or information?

16
00:00:29,410 --> 00:00:32,580
Well, sensitive data is any information that can result

17
00:00:32,580 --> 00:00:35,570
in the loss of security or loss of advantage to a company,

18
00:00:35,570 --> 00:00:38,490
especially if it's accessed by unauthorized persons.

19
00:00:38,490 --> 00:00:40,200
Now, basically, this is the data

20
00:00:40,200 --> 00:00:41,550
that we need to be protecting.

21
00:00:41,550 --> 00:00:42,610
Anything that is sensitive,

22
00:00:42,610 --> 00:00:44,720
we want to make sure there is protection around it.

23
00:00:44,720 --> 00:00:47,330
But we can't protect everything equally,

24
00:00:47,330 --> 00:00:49,070
and that's why we have to classify data

25
00:00:49,070 --> 00:00:50,750
into several different categories.
26
00:00:50,750 --> 00:00:52,920
And those that are a higher classification

27
00:00:52,920 --> 00:00:54,620
are going to need more protections

28
00:00:54,620 --> 00:00:56,460
and more resources spent against them.

29
00:00:56,460 --> 00:00:58,030
Those that are in lower categories,

30
00:00:58,030 --> 00:00:59,620
we're going to spend less on

31
00:00:59,620 --> 00:01:02,550
in terms of protection and time and resources.

32
00:01:02,550 --> 00:01:04,550
Now organizations need to be careful

33
00:01:04,550 --> 00:01:06,840
to establish proper policies to identify

34
00:01:06,840 --> 00:01:08,360
how data should be classified,

35
00:01:08,360 --> 00:01:10,130
because one of the trends I've seen a lot

36
00:01:10,130 --> 00:01:12,240
is people over-classifying data.

37
00:01:12,240 --> 00:01:14,020
If you over-classify your data,

38
00:01:14,020 --> 00:01:15,100
this is going to lead to you having

39
00:01:15,100 --> 00:01:17,680
to protect everything at a really high level,

40
00:01:17,680 --> 00:01:19,510
which means you're going to spend a lot more money,

41
00:01:19,510 --> 00:01:21,400
a lot more time, and a lot more resources

42
00:01:21,400 --> 00:01:22,650
to protect that data.

43
00:01:22,650 --> 00:01:24,590
This includes adding additional personnel,

44
00:01:24,590 --> 00:01:27,470
additional access controls, and other technical solutions

45
00:01:27,470 --> 00:01:29,160
that you're going to have to buy and deploy.

46
00:01:29,160 --> 00:01:32,070
So, by classifying the data, it can then be separated

47
00:01:32,070 --> 00:01:33,620
into different levels of protection

48
00:01:33,620 --> 00:01:35,630
based on those classifications.

49
00:01:35,630 --> 00:01:37,610
There are two different classification schemes

50
00:01:37,610 --> 00:01:39,320
that are normally used by organizations,
51
00:01:39,320 --> 00:01:41,510
and the way you choose yours is based on whether you're

52
00:01:41,510 --> 00:01:44,620
a commercial business or a governmental organization.

53
00:01:44,620 --> 00:01:46,590
So if you're a commercial business like we are,

54
00:01:46,590 --> 00:01:47,750
you're going to use one of four

55
00:01:47,750 --> 00:01:49,250
common classification levels,

56
00:01:49,250 --> 00:01:51,100
and these go from lowest to highest

57
00:01:51,100 --> 00:01:55,220
as public, sensitive, private, and confidential.

58
00:01:55,220 --> 00:01:56,890
Public data would have no impact on

59
00:01:56,890 --> 00:01:58,250
your company if it's released.

60
00:01:58,250 --> 00:02:00,160
And usually, this is information that's posted

61
00:02:00,160 --> 00:02:01,750
in an open-source environment,

62
00:02:01,750 --> 00:02:03,870
such as your website or other platforms.

63
00:02:03,870 --> 00:02:06,620
For example, this course is public data

64
00:02:06,620 --> 00:02:08,500
that is part of our organizational data.

65
00:02:08,500 --> 00:02:10,750
We've released it to the public and anyone who pays

66
00:02:10,750 --> 00:02:12,700
can get access to this material.

67
00:02:12,700 --> 00:02:14,280
Then we have sensitive data.

68
00:02:14,280 --> 00:02:17,000
Sensitive data might have a minimal impact if released,

69
00:02:17,000 --> 00:02:18,920
such as your organization's financial data,

70
00:02:18,920 --> 00:02:21,520
or in my case, maybe the next course that I'm working on.

71
00:02:21,520 --> 00:02:22,650
I wouldn't want to get it out there

72
00:02:22,650 --> 00:02:23,930
before I released the course,

73
00:02:23,930 --> 00:02:25,400
because I don't want my competitors to see it

74
00:02:25,400 --> 00:02:27,310
and copy my material.

75
00:02:27,310 --> 00:02:28,920
Next, we have private data.
76
00:02:28,920 --> 00:02:30,150
Private data would contain things

77
00:02:30,150 --> 00:02:32,320
like personnel records, salary information,

78
00:02:32,320 --> 00:02:35,330
and any other data that's used only within the organization.

79
00:02:35,330 --> 00:02:36,950
For example, you don't need to know

80
00:02:36,950 --> 00:02:38,430
what the revenue of our company is,

81
00:02:38,430 --> 00:02:40,010
or how much my employees make,

82
00:02:40,010 --> 00:02:41,910
or what their social security numbers are.

83
00:02:41,910 --> 00:02:44,630
All of that is private data that we use internally,

84
00:02:44,630 --> 00:02:46,270
but none of our customers or anybody

85
00:02:46,270 --> 00:02:49,210
outside our organization needs to have access to it.

86
00:02:49,210 --> 00:02:51,070
Finally, we have confidential data,

87
00:02:51,070 --> 00:02:52,950
and this is the highest level of classification

88
00:02:52,950 --> 00:02:54,270
in the commercial realm.

89
00:02:54,270 --> 00:02:56,274
This is going to contain items such as trade secrets,

90
00:02:56,274 --> 00:02:58,960
intellectual property data, source code,

91
00:02:58,960 --> 00:03:00,730
and other types of things that are seriously going

92
00:03:00,730 --> 00:03:02,800
to affect the business if they were disclosed.

93
00:03:02,800 --> 00:03:04,330
So if you think about CompTIA,

94
00:03:04,330 --> 00:03:07,530
one of the things that's confidential is the test questions.

95
00:03:07,530 --> 00:03:09,190
They don't want all those test questions running

96
00:03:09,190 --> 00:03:11,250
around the internet where you can download them,

97
00:03:11,250 --> 00:03:14,100
find the answers, and then go in and take the exam

98
00:03:14,100 --> 00:03:15,930
just by memorizing the test, right?

99
00:03:15,930 --> 00:03:17,320
That is against their policies,

100
00:03:17,320 --> 00:03:20,810
and therefore they protect that data as confidential data.
101
00:03:20,810 --> 00:03:23,590
Now, if you work in a military or government sector,

102
00:03:23,590 --> 00:03:25,900
you're going to have five different classification levels

103
00:03:25,900 --> 00:03:27,560
going from lowest to highest.

104
00:03:27,560 --> 00:03:30,200
These are probably what you hear in movies all the time,

105
00:03:30,200 --> 00:03:33,300
things like unclassified, sensitive but unclassified,

106
00:03:33,300 --> 00:03:35,810
confidential, secret, and top secret.

107
00:03:35,810 --> 00:03:38,240
The lowest classification is unclassified,

108
00:03:38,240 --> 00:03:40,170
and unclassified data generally can be

109
00:03:40,170 --> 00:03:42,510
released to the public either just in general

110
00:03:42,510 --> 00:03:44,680
or under the Freedom of Information Act.

111
00:03:44,680 --> 00:03:46,520
So there's actually a law in the United States

112
00:03:46,520 --> 00:03:47,850
that the public has a right to know

113
00:03:47,850 --> 00:03:49,280
information about their government.

114
00:03:49,280 --> 00:03:52,010
And if you submit a Freedom of Information Act request

115
00:03:52,010 --> 00:03:53,700
to one of the government organizations,

116
00:03:53,700 --> 00:03:55,860
they have to find all of the unclassified data

117
00:03:55,860 --> 00:03:57,710
that matches those terms you've asked for

118
00:03:57,710 --> 00:03:59,360
and then provide it back to you.

119
00:03:59,360 --> 00:04:02,550
The next category is called sensitive but unclassified data,

120
00:04:02,550 --> 00:04:04,500
and this includes things like medical records,

121
00:04:04,500 --> 00:04:06,810
personnel files, and other items that won't

122
00:04:06,810 --> 00:04:08,400
hurt national security if released,

123
00:04:08,400 --> 00:04:10,110
but they would impact those whose data

124
00:04:10,110 --> 00:04:11,650
was being used inside of it.
125
00:04:11,650 --> 00:04:13,840
So, for example, if you look at the military,

126
00:04:13,840 --> 00:04:16,130
they have a lot of soldiers and sailors and airmen.

127
00:04:16,130 --> 00:04:17,770
If I took one of their medical records

128
00:04:17,770 --> 00:04:20,260
that has their birthday, their social security number,

129
00:04:20,260 --> 00:04:22,030
and medical information about them,

130
00:04:22,030 --> 00:04:25,200
that would be considered sensitive but unclassified.

131
00:04:25,200 --> 00:04:27,250
If it gets out that Private Timmy

132
00:04:27,250 --> 00:04:29,710
had a strep infection last week,

133
00:04:29,710 --> 00:04:31,130
that would affect Timmy, maybe,

134
00:04:31,130 --> 00:04:33,790
but it's not going to affect the military at large.

135
00:04:33,790 --> 00:04:35,920
The next one we have is confidential.

136
00:04:35,920 --> 00:04:38,530
Confidential data includes data such as trade secrets

137
00:04:38,530 --> 00:04:40,970
and other information that can seriously affect

138
00:04:40,970 --> 00:04:43,720
the government if unauthorized disclosure were to happen.

139
00:04:43,720 --> 00:04:45,090
Then we get into secret data,

140
00:04:45,090 --> 00:04:46,780
and secret data is going to include things like

141
00:04:46,780 --> 00:04:49,190
military deployment plans, defensive postures,

142
00:04:49,190 --> 00:04:51,000
and other information that could seriously

143
00:04:51,000 --> 00:04:54,290
damage national security if disclosure were to happen.

144
00:04:54,290 --> 00:04:55,700
Now, when I talked about confidential,

145
00:04:55,700 --> 00:04:57,760
it would seriously affect us.

146
00:04:57,760 --> 00:05:01,120
Now if I talk about secret, it could seriously damage us.

147
00:05:01,120 --> 00:05:03,090
Finally, we have the highest classification,

148
00:05:03,090 --> 00:05:05,020
which is known as top secret.
149
00:05:05,020 --> 00:05:06,290
Top secret data might include

150
00:05:06,290 --> 00:05:09,060
the blueprints for a weapon system or other information

151
00:05:09,060 --> 00:05:11,220
that would gravely damage national security

152
00:05:11,220 --> 00:05:12,770
if it was known to those who weren't

153
00:05:12,770 --> 00:05:14,670
authorized for this level of information.

154
00:05:14,670 --> 00:05:16,250
And so you can see these classifications

155
00:05:16,250 --> 00:05:18,730
get more and more serious and they

156
00:05:18,730 --> 00:05:20,800
would have bigger and bigger effects on us.

157
00:05:20,800 --> 00:05:23,280
And so we're willing to spend more money and more time

158
00:05:23,280 --> 00:05:25,870
to protect the higher levels of classification.

159
00:05:25,870 --> 00:05:28,800
So, protecting data takes up a lot of resources,

160
00:05:28,800 --> 00:05:30,050
as I've already mentioned.

161
00:05:30,050 --> 00:05:32,150
And therefore, it's really important for you to understand

162
00:05:32,150 --> 00:05:34,600
the life cycle of the data as you collect it,

163
00:05:34,600 --> 00:05:36,760
retain it, and eventually dispose of it.

164
00:05:36,760 --> 00:05:38,560
Now, what I mean by that is that data

165
00:05:38,560 --> 00:05:40,070
shouldn't be stored forever.

166
00:05:40,070 --> 00:05:41,650
Your organization needs to have policies

167
00:05:41,650 --> 00:05:42,710
that are going to dictate

168
00:05:42,710 --> 00:05:44,540
how the data is going to be stored,

169
00:05:44,540 --> 00:05:45,960
when the data is going to be stored,

170
00:05:45,960 --> 00:05:47,770
and for how long it is going to be stored.

171
00:05:47,770 --> 00:05:49,030
And then finally, how are you going

172
00:05:49,030 --> 00:05:50,710
to destroy it when you are done with it?
173
00:05:50,710 --> 00:05:52,730
For example, let's say I was going to have a course

174
00:05:52,730 --> 00:05:54,000
that's going to happen next week

175
00:05:54,000 --> 00:05:55,370
and you sign up to attend the course,

176
00:05:55,370 --> 00:05:56,760
and you give me your information like

177
00:05:56,760 --> 00:05:58,860
your credit card number, your name,

178
00:05:58,860 --> 00:06:01,350
your address, your email, things like that.

179
00:06:01,350 --> 00:06:03,230
How long should I keep that in my system?

180
00:06:03,230 --> 00:06:04,500
Should I keep it just until you come

181
00:06:04,500 --> 00:06:05,630
and show up for the course?

182
00:06:05,630 --> 00:06:07,730
Or should I keep it for the next six months?

183
00:06:07,730 --> 00:06:09,650
Maybe a year, maybe five years,

184
00:06:09,650 --> 00:06:12,050
maybe 20 years, maybe forever.

185
00:06:12,050 --> 00:06:14,950
Well, that's going to depend on the organizational needs.

186
00:06:14,950 --> 00:06:17,010
All of this should be defined in your policies,

187
00:06:17,010 --> 00:06:18,750
and they should clearly be documenting

188
00:06:18,750 --> 00:06:20,590
what your organizational needs are,

189
00:06:20,590 --> 00:06:22,110
how long you need to keep this data,

190
00:06:22,110 --> 00:06:23,980
and what the life cycle's going to look like.

191
00:06:23,980 --> 00:06:25,820
Also, you need to ensure that you're following

192
00:06:25,820 --> 00:06:28,440
the local, state, and government laws and regulations

193
00:06:28,440 --> 00:06:30,280
for data retention time requirements,

194
00:06:30,280 --> 00:06:32,710
because, depending on the type of organization you are,

195
00:06:32,710 --> 00:06:35,910
you may have legal requirements that say you need to maintain

196
00:06:35,910 --> 00:06:38,730
certain types of data for certain periods of time.

197
00:06:38,730 --> 00:06:41,200
We'll talk a little bit about those laws and regulations

198
00:06:41,200 --> 00:06:42,792
in a future lesson.
199
00:06:42,792 --> 00:06:44,988
(electric buzzing)