Security Triads

Scanning through (way too many) RSS feeds today, I ran into this great article by Marcus Carey in the Rapid7 Community:

“Disclosure, Destruction, and Denial”

Even if you don’t consider yourself a security techie, it’s worth taking the time to read. It’ll help you see vulnerabilities through the eyes of your “enemy,” and it makes a couple of great points about how failing to properly categorize security requirements puts everything at risk. For instance:

Disclosure is the opposite of Confidentiality. Organizations need to do assessments and categorize their data. This rarely happens; employees need to be aware so they can protect corporate assets. For instance, the Department of Defense (DoD) classifies data as:

  • Top Secret – disclosure would cause grave harm to country
  • Secret – disclosure would cause significant harm to country
  • Confidential – disclosure would cause embarrassment to country
  • Unclassified – public dissemination

Companies usually wrap everything up into corporate “confidential” which leads to problems. Again, if you try to protect everything with the same level of security, you will fail. Corporations need to tier the confidentiality of their data in the same way the Government does:

  • Confidential Level 3 – disclosure would cause grave harm to company (company closure)
  • Confidential Level 2 – disclosure would cause significant harm to company (stock tanking, layoffs)
  • Confidential Level 1 – disclosure would cause embarrassment to company (bad press)
  • Public – public dissemination

(Emphasis mine.)

Give it a read. It’s not that long, and afterward you may start choosing the DDD triad over the CIA one. 🙂

(This is cross-posted on our TixxTech blog.)
