
Instructions: Answer all questions in a single document. Then submit to the appr

ID: 3864851 • Letter: I

Question

Instructions: Answer all questions in a single document. Then submit to the appropriate assignment folder. Each response to a single essay question should be about a half-page in length (about 150 words).

1. Not all information has the same importance and value to a company. How data is classified is an important factor used in determining the amounts of funding and resources that should be applied to protecting each type of data. Describe the data classification levels within commercial and military organizations and provide examples of the types of information that would be classified at each classification level.

2. It takes a team of individuals throughout the organization working together to safeguard the integrity and confidentiality of data resources. Describe the layers of responsibility within an organization when it comes to asset security and data protection. For each role, discuss their responsibility within the organization for asset security.

3. The architecture of a computer system is very important and comprises many topics. The system must ensure that memory is properly segregated and protected, ensure that only authorized subjects access objects, ensure that untrusted processes cannot perform activities that would put other processes at risk, control the flow of information, and define a domain of resources for each subject. It also must ensure that if the computer experiences any type of disruption, it will not result in an insecure state. Many of these issues are dealt with in the system’s security policy, and the security mode is built to support the requirements of this policy. Explain the concept of a trusted computing base and describe how it is used to enforce the system’s security policy. Provide examples of specific elements (hardware, software or firmware) in the architecture of the computer system that could be used to provide security within the TCB.

PLEASE PROVIDE CITATION IN APA FORMAT

Explanation / Answer

1A. Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.

Commercial Classification

Classification of commercial or nongovernment organizations does not have a set standard. The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired. Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model.

e.g.:

| Classification | Description |
| --- | --- |
| Sensitive | Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed. |
| Confidential | Data that might be less restrictive within the company but might cause damage if disclosed. |
| Private | Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private. |
| Proprietary | Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product. |

Military Organizations:

Military and intelligence organizations set their classifications on the ramifications of disclosure of the data.

Classifications for Sensitive Data

The classifications for the sensitivity of data used in government and military applications are top secret, secret, confidential, sensitive but unclassified, and unclassified.

2A. Layers of responsibility are classified into the following roles:

A Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset.

Responsibilities:
This person is responsible for the information assets that must be protected.

Data Custodian is a person who has technical control over an information asset dataset. Usually, this person has the administrator/admin, sysadmin/sysadm, sa, or root account or equivalent level of access. This is a critical role and it must be executed in accordance with the access guidelines developed by the Data Owner.

Responsibilities of the Data Custodian

1. Assign and remove access to others based upon the direction of the Data Owner.

2. Produce reports or derivative information for others.

3. Log all information provided and access granted to others.

4. Implement appropriate physical and technical safeguards to protect the confidentiality, integrity, and availability of the information asset dataset.

Data Users also have a critical role to protect and maintain information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets.

Responsibilities:

1. Adhere to policies, guidelines and procedures pertaining to the protection of information assets.

2. Report actual or suspected security and/or policy violations/breaches to an appropriate authority.

3A. The Trusted Computing Base (TCB) is the part of the system that is responsible for enforcing system-wide information security policies. By installing and using the TCB, you can define user access to the trusted communication path, which permits secure communication between users and the TCB. TCB features can only be enabled when the operating system is installed. To install TCB on an already installed machine, you will have to perform a Preservation installation. Enabling TCB permits you to access the trusted shell, trusted processes, and the Secure Attention Key (SAK).

Example:

Security Kernel: The hardware, firmware, and software elements of a TCB that implement the reference monitor concept. It must mediate all accesses, be protected from modification, and be verifiable as correct.
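The following Python example is added here and is not part of the original answer. It shows a reference monitor mediating every access request using the government and military classification levels listed in 1A; the no-read-up and no-write-down rule (Bell-LaPadula), the subject and object names, and the class and function names are assumptions chosen for illustration.

```python
from enum import IntEnum
from types import MappingProxyType


class Level(IntEnum):
    # Ordering follows the levels named in answer 1A, lowest to highest.
    UNCLASSIFIED = 0
    SENSITIVE_BUT_UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


class ReferenceMonitor:
    """Single choke point: every access request is decided by check()."""

    def __init__(self, clearances, labels):
        # Copy the policy and expose it read-only, so later changes to the
        # caller's dicts (or writes through these views) cannot relabel anything.
        self._clearances = MappingProxyType(dict(clearances))
        self._labels = MappingProxyType(dict(labels))
        self.audit = []  # record of every decision, allowed or denied

    def check(self, subject, obj, mode):
        clearance = self._clearances.get(subject)
        label = self._labels.get(obj)
        if clearance is None or label is None or mode not in ("read", "write"):
            allowed = False                # fail closed on anything unknown
        elif mode == "read":
            allowed = clearance >= label   # assumed policy: no read up
        else:
            allowed = clearance <= label   # assumed policy: no write down
        self.audit.append((subject, obj, mode, allowed))
        return allowed


def demo():
    # Constructed sample subjects, objects and requests (hypothetical names).
    rm = ReferenceMonitor(
        clearances={"analyst": Level.SECRET, "clerk": Level.CONFIDENTIAL},
        labels={"ops_plan": Level.TOP_SECRET, "roster": Level.CONFIDENTIAL,
                "memo": Level.UNCLASSIFIED},
    )
    requests = [("analyst", "roster", "read"), ("analyst", "ops_plan", "read"),
                ("analyst", "memo", "write"), ("clerk", "roster", "write"),
                ("intruder", "memo", "read"), ("clerk", "memo", "delete")]
    return [rm.check(*r) for r in requests], rm


if __name__ == "__main__":
    decisions, monitor = demo()
    for entry in monitor.audit:
        print(entry)
```
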
