Front cover - IBM Redbooks

Even though the Computer Security act has been passed in the United States
and aims to protect the interests of this country, this definition and its application
is global and the definition quoted applies to any country and any company in the
world. In other words, sensitive information is such that it needs to be kept
confidential and must be protected from unauthorized access and disclosure.
Furthermore, this also means that appropriate measures must apply to prevent
the destruction or alteration of this information.
For example, in a bank, some pieces of paper (for example, bank notes, paper
bills, currency) are extensively protected. Other pieces, such as withdrawal and
deposit slips to be filled out by customers, are not protected at all. In fact they are
placed on small tables for anyone to take.
Information is the same. There is some information that does not need to be
protected because it is common (or public) knowledge. On the other hand, there
is information that should be well protected, because its disclosure could be
damaging: it could lead to loss of an important competitive advantage, it could
lead to a severe loss of reputation or customer confidence, or, depending on the
type of business, it could lead to the injury (or the death) of people.
Data classification fulfills another important role. In addition to spelling out how
information should be secured, it also spells out how information should be
properly disclosed. The public data on a Web site may require only basic security
to prevent its defacement, but it should also be available freely enough so that
everyone can access it without any problems.
Depending on the type of business—public sector and governmental agencies
deal in certain cases with very sensitive personal information, whereas private
sector organizations deal generally with sensitive commercial information—there
are different classification methods and categories in place. The following data
classifications apply in public and private sector businesses and organizations.
Public or unclassified
Information is considered public or unclassified if its disclosure would have no
impact whatsoever on a business. Data integrity is not vital. Loss of service due
to malicious attacks is an acceptable danger. Examples of this type of
information would be the public portion of the Web site of a business and any
information available from other sources and other means about the business.
Internal
Efforts should be made to keep information in the internal category within the
organization, but should this information become public, the consequences will
not be overly critical (there might be a loss of face, or it could be an
embarrassment for the business, but not substantially more). Data integrity is
important but not vital. Internal access is segregated between different groups of
Chapter 1. Fundamentals of IT security 15