The Case for “Reverse Information Classification”

© 2012 Chevron Corporation All rights reserved.

The Case for “Reverse Information Classification”

Michael J. Lewis, Senior Staff Security Strategist, Chevron Information Technology Company

2012 API Cybersecurity Conference, Houston, Texas, November 2012

This document is intended only for use by Chevron for presentation at the November 2012 API Cybersecurity Conference and posting on the November 2012 API Cybersecurity Conference website. No portion of this document may be copied, displayed, distributed, reproduced, published, sold, licensed, downloaded, or used to create a derivative work, unless the use has been specifically authorized by Chevron in writing.

[Slide graphic: TOP SECRET stamp]

Today’s Premise

Everyone agrees that (formal) information classification is the start of information security

Information classification drives access and the selection of controls to protect data

Today’s Premise

But (formal) information classification:

– Is inherently flawed

– And even then, we don’t execute it particularly well anyway

Today’s Premise

We can try to improve an inherently flawed process, or we can think out of the box

Our agenda for today

Introductions

Traditional classification

Pitfalls with traditional classification

Reverse classification

Conclusions, recommendations, questions, and answers


Disclaimer

The concepts covered within this presentation:

– Have not been adopted for use by Chevron

– Represent the presenters’ opinion

Introductions

Obligatory Company Profile Slide

Chevron is the second-largest integrated energy company in the United States and among the largest corporations in the world, based on market capitalization as of December 31, 2011

Involved in virtually every facet of the energy industry:

– Explore for, produce and transport crude oil and natural gas

– Refine, market and distribute transportation fuels and lubricants

– Manufacture and sell petrochemical products

– Generate power and produce geothermal energy

– Provide energy efficiency solutions

– Develop the energy resources of the future, including research for advanced biofuels.

Business activities around the world

Diverse and highly skilled global workforce consists of approximately 61,000 employees including more than 3,000 service station employees


Who am I to give this talk?

Over thirty years at Chevron, the last thirteen in security

Experience with a multitude of computing environments

– Mainframe

– UNIX

– Windows PC

– Directories

– Virtual machines

Led efforts to document Chevron security architecture in 2005 and revise it this year

Traditional Classification

Traditional classification – Federal Government / Military

Classify data

Classify people

People at a certain level can access information at that level or below

[Slide graphic: classification ladder from TOP SECRET down to None]

Traditional classification – Corporate

Generally 3 – 4 classification levels

– Public – stuff intended for the outside

– Internal/Business – non-sensitive corporate data

– Confidential – Sensitive business data

– [Really confidential – really sensitive business data]

Process

– Classify data

– Controls are set based on classification


Pitfalls of traditional classification

Pitfalls of the federal classification scheme

Pitfalls of traditional classification (slide 1 of 3)

What is the classification of this data element?

999-99-9999

Public? Business? Sensitive? Super Sensitive?

Pitfalls of traditional classification (slide 2 of 3)

Classification is hard because classification definitions leave much to be desired

– Terms are subjective

• “most sensitive business data” versus “particularly sensitive information”

• “severe negative impact” versus “very large negative impact”

• Based on these, where would you put a social security number?

– Data types listed are incomplete

• What do you do if your data type isn’t listed?

• What to do with new data constructs (like Big Data)?

Classification of some data changes during the information lifecycle

– For example, merger data: compare its classification before the merger with its classification 15 years after the merger.

Recording classification level is difficult

Pitfalls of traditional classification (slide 3 of 3)

Classification focuses only on confidentiality

– If public data doesn’t require controls, then why is the general public prevented from writing on one’s corporate web site?

Legal requirements

– Special controls/tests are needed for information within legal regimes (SOX, PCI)

– Data may span multiple classification levels.

Access controls are not based on classifications

– Access controls are set based on need to access

– Anyone with cleared need (from the CEO to a janitor) may be able to access data at the highest classification

• Note that this may include a partner if there is business reason to share the information.

Controls (like encryption) based on classification are often not implementable

Another approach

Returning to a previous example

999-99-9999

Does this information need protection?

If so, how should it be protected?

Reverse classification

Assess the risk of confidentiality, integrity, and availability loss/breach to the information

Apply controls to manage the risk

Map control set back to a classification level

What reverse information classification does for me

Addresses all aspects of security (confidentiality, availability, integrity) rather than solely confidentiality

Addresses legal requirements (SOX)

Access controls are incorporated

Lifecycle changes are managed by changing the controls (which is likely part of the process already)

No need to squabble over nebulous classification definitions or implement massive projects to classify all data.

Simplification of standards

Risk management approach


Utopia?

Additional responsibility on information owner to execute risk assessments

– Information owners may not be risk assessment proficient

– Caveat: sensitivity of some data (mergers and acquisitions, privacy) is patently obvious

Controls need to be linked to classification

– Effects of combinations may be challenging.

Bucking the tide

Conclusion

Traditional information classification has been around for decades but does not necessarily provide proper information protection

Reverse information classification focuses on implementing controls to address risk and managing any “classification” needs afterward

– Minimum: Data are protected

– Best case: simplification of standards and elimination of built-in exceptions

What have you got to lose?

Questions