Tuesday, 28 September 2010

Data Classification and Security Requirements

At the start of a web development project you should think about the security requirements that your application needs to meet. What legislation, industry standards etc. are relevant? One handy way to do this is to classify the type of data that the application will process. The classification can help you work out the security requirements. In addition, many information security standards, such as the ISO 27001 family, recommend the use of data classification.

Here are a number of classifications which may be useful.

Public Data

This includes information that is published to a website and is available to the general public. Examples are general product or company information. The main security drivers here are probably corporate governance rules and general good web security practices (OWASP Top 10). Confidentiality is not really an issue as you want people to see it. However, the integrity is important. Malicious users should not change it.

Public data is usually either purely static or database driven. For static HTML the main risk to be addressed is OWASP Top 10 - Security Misconfiguration (A6). For a database-driven website, the main risks are the standard injection and validation issues (OWASP Top 10 A1, A2, etc.).

Personal Data

If your website processes names and addresses, then your application will need to comply with local personal data legislation. This is probably the most common type of classification. EU countries have implemented the European Data Directive (Directive 95/46/EC) into national legislation. The Information Commissioner's Office is responsible in the UK; in Ireland it is managed by the Data Protection Commissioner. Other EU countries will have corresponding bodies.

In the US state of Massachusetts the relevant law is "201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH", which has been in force since March 2010.

You should become familiar with the relevant data protection legislation in your jurisdiction.

Payment Cards

If you "store, process or transmit" payment card information, your application will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Requirement 6 is the main one for web application security, although many of the other requirements apply as well.

Money

This is a broad category covering such applications as online banking etc. There are many security drivers here, such as the Federal Deposit Insurance Corporation (e.g. on multi-factor authentication), the European Payments Council, etc.

Intellectual Property

For intellectual property, the main security driver will be corporate governance rules and internal organisation standards.

Summary

Those are just some data classifications which you can use in determining the security requirements that your application needs to meet. There are many more, depending on the sector that you are in.

Your company or organisation may have internal standards or policies that your application will need to comply with. In fact, this is the first item you should research. This applies especially to larger or multinational organisations.

To summarise, if you are starting out on a new web development project, one of the first things you should do is to classify the type of data that your application will be processing. The classification will help you identify the security requirements that your application will need to meet.


37 comments:

  1. Excellent post, really useful summary.
  2. Toby, you say all the nicest things! Alexis