Security Administrator System Classification
Classifying Resources
Security administrators often make the mistake of classifying too many resources as Level I.
The Level I resources should only be those that cannot be unavailable for even short periods of time.
For example, email is a critical component for most organizations' communication.
If the email server were to fail, the company would not shut down. In this case, the email server is a Level II resource.
If, on the other hand, your company hosts an e-commerce Web site, your Web server is critical to business and should be labeled as a Level I resource.
IoT Privacy Rule #1:
A privacy risk exists if correlation of identity to activity is both viable and probable.
A frequently cited tenet of the audit profession is: would a well-informed and reasonable person agree?
When it comes to privacy and the IoT, the same tenet should apply.
Is the assertion of both viability and probability of correlation rendered by reasonable and well-informed people?
Is it reasonably possible to affect the correlation?
Are the sources accessible such that a reasonable and well-informed person believes that it would come to pass given the
- time,
- skills,
- resources, and
- motivations of putative threat agents?
Question: Is this a serious risk?
The IoT is personal to the extent that data containing both identity and activity can be correlated. Correlate an identity to the data generated by everything else a person comes into contact with, physically and logically, and you have the whole picture.
But getting access to that identity is all too often assumed to be simple, or even viable, when in fact it is not. This is where the delta between technically competent and incompetent advocates becomes apparent, and it is a danger that swallows IT projects whole.
To people who contend that an IP address is PII, we say: show us.
Show us how to (legally or illegally, you choose) get logs from the devices that issue the temporary IP addresses (carrier DHCP) to gateway devices (home modems or business routers), then get the account IDs assigned by different systems (RADIUS), and then the logs from the account ID system that relate to the separate billing systems, which ultimately identify people.
Then show us how you get event logs from the gateway devices (which rarely do any logging at all) and match those to the temporarily assigned internal IP addresses (home/business DHCP) within the home or business.
And then make sure the person using the internal device is the same as the person paying the bills.
This could bring us to a second rule, about viability and probability when the nature of the information is still uncertain.