Reading time : 5 min
In computing, data is information that can be stored or processed digitally.
One of the main objectives of cybersecurity is to protect the data of a company or an individual.
In this lesson, we will study the criteria used to classify this data so that adequate protection measures can be put in place.
The "DIC" triad (from the French Disponibilité, Intégrité, Confidentialité), known in English as the "CIA" triad (Confidentiality, Integrity, Availability), is made up of the three main criteria used to evaluate the sensitivity of data.
The availability criterion evaluates the guarantee that the data can be accessed whenever it is needed.
💡 Example: when an automated job retrieves an employee's absence records to calculate their salary for the month, the data must be available every time the job runs; otherwise the job fails.
The integrity criterion evaluates the guarantee that the data has not been altered from its legitimate state, whether by accident or by an unauthorized action.
💡 Example: in an online store, a customer must not be able to change the prices of the products on sale.
The confidentiality criterion evaluates the guarantee that the data is accessed only by a person or system that is authorized to access it (need to know).
💡 Example: the reasons for an employee's sick leave may be viewed by authorized health-insurance personnel, but not by the employer.
Although the DIC triad allows us to assess the sensitivity of data in order to apply the right protection mechanisms, it can be extended with two further criteria.
Beyond protecting the data, these criteria make our work easier when an incident involving the data occurs.
The traceability criterion evaluates the guarantee of knowing, with timestamps, everything that has happened to the data, whether it was accessed or modified.
💡 Example: when a program queries data stored in a database, a log of every query, containing the time and the data accessed, is kept on the database server. For this log to be of any use during an incident, it must itself be protected (in integrity and availability) from the users and processes it records.
The non-repudiation criterion evaluates the guarantee of knowing who performed an action on the data, in such a way that the person cannot later deny it. It extends traceability by adding a notion of identification.
💡 Example: if I digitally sign a document and send it to someone, I can no longer deny having produced that document. This only holds as long as the private signing key stays under my sole control; a key that has been shared or stolen no longer identifies anyone.
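As an added example (not part of the original lesson), the following Go program shows the non-repudiation and traceability criteria concretely, using the Ed25519 signatures in Go's standard library. It signs a document, verifies it, then shows that a tampered copy fails (integrity) and that a document signed with someone else's key cannot be attributed to the claimed signer (identification), while a small audit record captures when and by whom the check was made. The document text, the names Alice and Mallory and the audit record layout are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedDocument bundles a document with its signature and the public key
// of the party who claims to have signed it.
type SignedDocument struct {
	Document  []byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// Sign produces a signature that only the holder of priv could have made.
// This is what gives non-repudiation: the signer cannot later deny the act,
// as long as the private key stayed under their sole control.
func Sign(priv ed25519.PrivateKey, doc []byte) SignedDocument {
	return SignedDocument{
		Document:  doc,
		Signature: ed25519.Sign(priv, doc),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// Verify reports whether the signature is valid for this document under the
// claimed signer's public key. It fails if the document was altered after
// signing (integrity) or if a different key produced it (identification).
func Verify(sd SignedDocument) bool {
	return ed25519.Verify(sd.Signer, sd.Document, sd.Signature)
}

// AuditEntry is a traceability record (assumed layout): when, which signer,
// which document (identified by its SHA-256 hash rather than its contents,
// so the log does not leak confidential data) and whether it verified.
type AuditEntry struct {
	At      time.Time
	Signer  string
	DocHash string
	Valid   bool
}

// Record builds the audit entry for one verification performed at time at.
func Record(sd SignedDocument, at time.Time) AuditEntry {
	h := sha256.Sum256(sd.Document)
	return AuditEntry{
		At:      at,
		Signer:  hex.EncodeToString(sd.Signer),
		DocHash: hex.EncodeToString(h[:]),
		Valid:   Verify(sd),
	}
}

// Demo runs the three cases the lesson describes and returns the outcomes:
// a genuine document verifies; a tampered copy fails; a document signed with
// Mallory's key but presented as Alice's also fails.
func Demo() (genuine, tampered, wrongSigner bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed sample document, not real data.
	doc := []byte("Sick leave request: 3 days from 2024-03-04")

	signed := Sign(alicePriv, doc)
	genuine = Verify(signed)

	// Integrity: change one figure after signing; the signature no longer matches.
	altered := signed
	altered.Document = []byte("Sick leave request: 30 days from 2024-03-04")
	tampered = Verify(altered)

	// Non-repudiation: Mallory signs but presents Alice's public key as the signer.
	impostor := Sign(malloryPriv, doc)
	impostor.Signer = alicePub
	wrongSigner = Verify(impostor)
	return
}

func main() {
	genuine, tampered, wrongSigner := Demo()
	fmt.Println("genuine verifies:", genuine, "| tampered verifies:", tampered, "| wrong signer verifies:", wrongSigner)

	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	entry := Record(Sign(priv, []byte("constructed sample document")), time.Now())
	fmt.Printf("%s signer=%s... doc=%s... valid=%v\n",
		entry.At.Format(time.RFC3339), entry.Signer[:8], entry.DocHash[:8], entry.Valid)
}
```

Run it with `go run main.go`. Note that the audit entry stores a hash of the document rather than the document itself: the traceability log must not become a new confidentiality problem.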
We have seen in this lesson that, to classify data, we can rely on several evaluation criteria.
There are three main criteria for data classification (availability, integrity and confidentiality), and they can be supplemented by traceability and non-repudiation.
Once our data is properly classified, it becomes much easier to decide which protection mechanisms to implement and how to react when an incident involving this data occurs.