Data Classification

Classifying Data

The first step in data destruction is knowing what type of data we are dealing with, before we decide on the appropriate sanitization method to use.

For an organization with limited internal guidelines on data classification, reference and guidance can be taken from a series of publications by the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce.

Links to the relevant publications on NIST's Computer Security Resource Center (CSRC) are listed below:

FIPS PUB 199 - Standards for Security Categorization of Federal Information and Information Systems

NIST Special Publication 800-60 Volume I Revision 1 - Guide for Mapping Types of Information and Information Systems to Security Categories

NIST Special Publication 800-60 Volume II Revision 1 - Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories

For further reading, larger IT departments can find the full list of SP 800 guidelines here: https://csrc.nist.gov/publications/sp800


Listed below are some of the more useful guides from the NIST 800 series of publications related to data destruction and information handling. Any organization or IT manager looking to improve their information security would do well to go through these guides.

800-83 Revision 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

800-60 Volume 1 Revision 1: Guide for Mapping Types of Information and Information Systems to Security Categories


Classifying Data, Extracted from NIST 800-60 Vol 1, page 10

“The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.”
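A worked example, added here and not part of the NIST publications or the page above: it encodes the FIPS 199 security category notation SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} together with the high water mark rule that FIPS 199 and SP 800-60 Volume I use to derive a system's category from the information types it holds (per objective, the highest impact of any resident information type; "not applicable" is allowed only for the confidentiality of an information type, never for a system, so each objective is floored at LOW). The HR file server inventory and its impact values are constructed for illustration and are not SP 800-60 Volume II mappings; the function names are my own.

```python
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so that max() gives the high water mark."""
    NOT_APPLICABLE = 0   # FIPS 199 permits N/A only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# A security category holds one impact value per security objective.
SecurityCategory = Dict[str, Impact]


def category(confidentiality: Impact, integrity: Impact, availability: Impact) -> SecurityCategory:
    """Build SC = {(confidentiality, x), (integrity, y), (availability, z)} for one information type."""
    if Impact.NOT_APPLICABLE in (integrity, availability):
        raise ValueError("FIPS 199 allows 'not applicable' only for the confidentiality objective")
    return {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}


def system_category(information_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High water mark: for each objective take the highest impact across all information
    types resident on the system. A system category can never contain N/A, so every
    objective starts at LOW (the FIPS 199 minimum for an information system)."""
    sc: SecurityCategory = {objective: Impact.LOW for objective in OBJECTIVES}
    for info_type in information_types:
        for objective in OBJECTIVES:
            sc[objective] = max(sc[objective], info_type[objective])
    return sc


def overall_impact(sc: SecurityCategory) -> Impact:
    """Overall impact level of a system: the highest value among its three objectives."""
    return max(sc.values())


def format_category(sc: SecurityCategory) -> str:
    """Render a category in the FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed inventory for a hypothetical HR file server; the information types and their
# impact values are illustrative, not taken from SP 800-60 Volume II.
HR_SERVER_INFORMATION_TYPES = {
    "employee personnel records": category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payroll data": category(Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
    "public job postings": category(Impact.NOT_APPLICABLE, Impact.LOW, Impact.LOW),
}


def classify_hr_server() -> SecurityCategory:
    """Aggregate the constructed inventory into the system's security category."""
    return system_category(HR_SERVER_INFORMATION_TYPES.values())


if __name__ == "__main__":
    for name, sc in HR_SERVER_INFORMATION_TYPES.items():
        print(f"{name:28s} {format_category(sc)}")
    system_sc = classify_hr_server()
    print(f"{'information system':28s} {format_category(system_sc)}")
    print("overall impact level:", overall_impact(system_sc).name)
```

For the constructed inventory the system category comes out as SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, with an overall impact level of HIGH driven by the payroll data alone. Note that the public job postings do not lower anything: a device holding only N/A-confidentiality public information is still categorized LOW, not N/A, at the system level. That system-level category is the input to the next step the page describes, choosing the sanitization method.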