Information and asset classification in the CISSP exam
This article will help you answer two questions related to the CISSP certification exam:
- What types of sensitive data must I know for the CISSP exam?
- What types of data classifications do I need to know, and how are they affected by the type of data?
These questions, along with their accompanying subsections, cover a small portion of one of the CISSP certification Common Body of Knowledge (CBK) domains, namely, the second domain entitled Asset Security, which consists of the following topics:
- 2.1 Identify and classify information and assets
- 2.2 Establish information and asset handling requirements
- 2.3 Provision information and assets securely
- 2.4 Manage data lifecycle
- 2.5 Ensure appropriate asset retention (e.g., End-of-Life (EOL), End-of-Support (EOS))
- 2.6 Determine data security controls and compliance requirements
For more CISSP exam tips, get our free CISSP exam tips and tricks ebook, or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate.
Earn your CISSP, guaranteed!
1. What types of sensitive data do I need to know for the test?
Sensitive data refers to any information that isn’t public or unclassified.
Sensitive data includes confidential, proprietary and protected data, together with any other data an organization must protect because of its value or because laws and regulations require it. For the exam, it’s also helpful to know the following categories of sensitive data:
Personally Identifiable Information (PII)
As the name suggests, this is information that can be used to identify an individual. The National Institute of Standards and Technology (NIST) defines PII as any information about an individual maintained by an agency, including:
- Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name or biometric records, and
- Any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.
Organizations are obliged to protect PII, and many laws impose requirements on companies to notify individuals whose data has been compromised due to a breach.
Protected Health Information (PHI)
PHI is any health-related information that can be linked to a specific person. It’s a common misconception that only medical care providers, such as hospitals and doctors, must protect PHI. In fact, many employers handle PHI when they provide or supplement healthcare policies, so HIPAA compliance applies to many organizations in the United States that are not healthcare providers.
Proprietary information
Proprietary information is information specific to a company or organization, such as software programs, source and object code, copyright materials, engineering drawings, designs, inventions (whether or not patent-protected), algorithms, formulas, schemes, flowcharts, processes of manufacturing, marketing, trade secrets, pricing and financial data, etc.
These kinds of data are valuable company assets because they represent a combination of hard work and organizational know-how. For this reason, proprietary information is often confidential.
If competitors obtain an organization’s proprietary information, the consequences can be severe, because the company may lose its competitive edge. Legal protections such as copyrights and patents are not sufficient on their own: they offer recourse after the fact but do not prevent bad actors from accessing the data.
Another concern is disgruntled current or former employees, who may steal proprietary information either to sell it or out of spite.
2. What types of data classifications do I need to know, and how are they affected by the type of data?
Every organization needs to implement a data classification program. Data classification is the process of categorizing all the data assets at an organization’s disposal by value, where that value reflects the sensitivity of the data in each category and the consequences of its unauthorized disclosure.
Therefore, low-risk data (for example, data labeled “Public”) requires a lesser level of protection, while high-risk data (labeled “Top Secret” in the government scheme or “Confidential” in the private sector) requires the maximum level of protection and care.
The data classification process also involves identifying the risk and impact of a particular incident based on 1) the type of data and 2) the level of access to this data. In effect, these two components, along with the possible business impact, help determine the most appropriate response.
Once you know that certain data is highly sensitive or critical to the business, you should take the necessary measures to defend it, including allocating budget and staff to its protection.
When thoughtfully designed, a data classification program provides decision-makers with a clearer view of what constitutes the company’s most important information assets and how to distribute resources to protect them.
Consequently, a well-designed data classification program can reduce an organization’s cybersecurity costs, enabling decision-makers to focus their security resources on the most at-risk assets.
Information Classification Policy
Many companies use the following four steps to build a document called an Information Classification Policy.
1. Create an information asset inventory
In the context of the CISSP exam, the term “asset” encompasses not only 1) sensitive data but also 2) the hardware that processes it and 3) the media on which it’s stored.
The point of creating an asset inventory is to allow people such as executives to establish which kinds of classified information the company holds and who is responsible for each item, that is, its owner.
An organization can store classified information on a wide array of media, ranging from paper documents and information transmitted verbally to electronic documents, databases, storage media (e.g., hard drives, USBs and CDs) and email.
2. Classify information
Most standards, ISO 27001 for instance, do not prescribe a specific classification scheme for organizational information; this is left to the discretion of the organization. Nevertheless, whoever is entrusted with classifying information should take two basic factors into account: 1) the size and structure of the organization and 2) what is commonly accepted in the country or industry in which the organization operates.
By way of illustration, databases, tables and collections of files carry increased risk because of their size and because a single event can result in a massive breach. Sensitive records in such a collection are unlikely to be segregated from less sensitive ones, so the collection as a whole should be classified at the level of its most sensitive content.
It should also be noted that the asset owner is usually responsible for classifying company information. Under normal circumstances, this process also relies on the results of a risk assessment, which often assigns higher classifications to data that carries elevated levels of risk.
3. Label information
Classifying information and labeling it are two different things. Classification decides the sensitivity level; labeling marks the asset, physically or electronically, with that level so that anyone who handles it knows which controls apply. As with classification, the asset owner is free to adopt whichever labeling rules best meet the company’s goals, as long as they are applied consistently.
4. Decide how to handle information assets
Many security experts emphasize this phase of the classification process because it develops rules that protect each kind of information asset – based on its level of sensitivity.
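The four steps above (inventory with an owner, classification at the high-water mark of a collection, a label on each asset, and handling rules per label) can be expressed as a small audit script. The following is an added example, not code from the original article or from (ISC)²; the label lattice, the handling requirements, the media names and the inventory records are all constructed here as assumptions, and a real organization would substitute its own policy.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Set


class Label(IntEnum):
    """Assumed private-sector labels; a higher value is more sensitive."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


@dataclass
class Handling:
    """Handling requirements for one label (step 4). Hypothetical policy."""
    encrypt_at_rest: bool
    need_to_know: bool
    approved_media: Set[str]


# Hypothetical handling rules: stricter controls as the label rises.
HANDLING: Dict[Label, Handling] = {
    Label.PUBLIC: Handling(False, False, {"website", "email", "file_share", "database"}),
    Label.SENSITIVE: Handling(False, False, {"email", "file_share", "database"}),
    Label.PRIVATE: Handling(True, False, {"file_share", "database"}),
    Label.CONFIDENTIAL: Handling(True, True, {"database"}),
}


@dataclass
class Asset:
    """One inventory entry (step 1): what it is, who owns it, where it lives."""
    name: str
    owner: str
    medium: str
    field_labels: Dict[str, Label]  # per-field classification decided by the owner
    encrypted_at_rest: bool = False
    access_restricted: bool = False


def classify(asset: Asset) -> Label:
    """Step 2: a collection takes the label of its most sensitive field."""
    if not asset.field_labels:
        return Label.PUBLIC
    return max(asset.field_labels.values())


def label(asset: Asset) -> str:
    """Step 3: produce the marking that travels with the asset."""
    return f"{asset.name} [{classify(asset).name}] owner={asset.owner}"


def handling_violations(asset: Asset) -> List[str]:
    """Step 4: compare the asset's actual handling against the rules for its label."""
    lvl = classify(asset)
    req = HANDLING[lvl]
    problems: List[str] = []
    if asset.medium not in req.approved_media:
        problems.append(f"{asset.name}: {lvl.name} data is not approved on medium '{asset.medium}'")
    if req.encrypt_at_rest and not asset.encrypted_at_rest:
        problems.append(f"{asset.name}: {lvl.name} data must be encrypted at rest")
    if req.need_to_know and not asset.access_restricted:
        problems.append(f"{asset.name}: {lvl.name} data requires need-to-know access restriction")
    return problems


def audit(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Run the handling check over the whole inventory."""
    return {a.name: handling_violations(a) for a in inventory}


# Constructed sample inventory. The CSV export copies CONFIDENTIAL fields to
# e-mail without encryption or access restriction, so it must fail the audit.
INVENTORY: List[Asset] = [
    Asset("hr_employee_table", "HR director", "database",
          {"employee_id": Label.PRIVATE, "salary": Label.CONFIDENTIAL, "office": Label.PUBLIC},
          encrypted_at_rest=True, access_restricted=True),
    Asset("quarterly_export.csv", "HR director", "email",
          {"employee_id": Label.PRIVATE, "salary": Label.CONFIDENTIAL}),
    Asset("press_releases", "Comms lead", "website", {"body": Label.PUBLIC}),
]


if __name__ == "__main__":
    for asset in INVENTORY:
        print(label(asset))
    for name, problems in audit(INVENTORY).items():
        for problem in problems:
            print("VIOLATION", problem)
```

The important design choice is that `classify` uses `max` over the fields: a collection is never labeled lower than its most sensitive member, which is exactly why an export of a few columns from a confidential table is still confidential, and why moving it to an unapproved medium shows up as a violation.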
Types of data classifications
In the U.S., the two most widespread classification schemes are A) government/military classification and B) private-sector classification. The government/military scheme uses the following levels:
- Top Secret — This is the highest level of classification. The unauthorized disclosure of such information could reasonably be expected to cause exceptionally grave damage to national security.
- Secret — This refers to highly restricted information. The unauthorized disclosure of this classification of data could reasonably be expected to cause serious damage to national security.
- Confidential — This is the lowest level of classified data. Its unauthorized disclosure could reasonably be expected to cause damage to national security, though less than that caused by disclosure of Secret data.
These three levels of data are collectively known as ‘Classified’ data. However, there also exists:
- Unclassified — This is the lowest level of data classification and covers data that does not meet the criteria for the three classified levels. Unclassified data is generally available to anyone, although individuals often have to request it through the procedures identified in the Freedom of Information Act (FOIA). Note that unclassified does not mean unrestricted: the U.S. government also uses markings such as Controlled Unclassified Information (CUI) for data that is not classified but still requires protection.
For the private sector, the CISSP exam focuses on the following classification system:
- Confidential — This is the highest level in the private-sector classification system and is reserved for extremely sensitive internal data. It requires the utmost care: the data is intended for use only by a limited group of people, such as a department or a workgroup, after they have been granted need-to-know access. If confidential data is divulged, it can damage the organization considerably. Common examples include proprietary data and sensitive employee information.
- Private — This refers to data intended for internal use only, such as PII about employees or customers, whose disclosure could significantly harm the organization. It should be processed and handled by internal employees only.
- Sensitive — This classification applies to data that is not intended for public release and whose disclosure would cause some, though limited, harm to the organization. It sits between Private and Public.
- Public — This is the lowest level of data classification. Disclosing this information won’t cause serious negative consequences for the organization.
You should remember that companies can use any labels they feel meet their needs in contrast to the strict government/military classification scheme. Also, a data classification program in the private sector doesn’t need to be overly complex or sophisticated. As long as it’s designed with the company’s policies and goals in mind, it should suffice.
Now that you understand how the CISSP views data classification, you’re ready to explore the exam in more depth. To do so, you can refer to our CISSP exam tips and tricks ebook. If you want to expedite your learning with an immersive course, you can take advantage of a CISSP boot camp, which prepares you to pass the exam within a few days.
Looking for more information regarding how the CISSP can impact your professional journey and earnings prospects? Then check out our Cybersecurity salary guide and our ebook for mid-career professionals, Cybersecurity certification and skills.