Security/Data Classification: Difference between revisions
< Security
Jump to navigation
Jump to search
(Deploy changes from GitHub https://github.com/mozilla/wikimo_content/blob/master/Security/Data_Classification.mediawiki) |
(Deploy https://github.com/mozilla/wikimo_content/pull/143 with new data classification model) |
||
| Line 10: | Line 10: | ||
<td style="vertical-align: top; padding-left: 1em;"> | <td style="vertical-align: top; padding-left: 1em;"> | ||
<span style="background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; | <span style="background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; | ||
margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">READY</span> | margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">READY</span> <br> | ||
<br> | |||
The data classification is intended to allow Mozilla to operate effectively in the open while protecting sensitive information. | The data classification is intended to allow Mozilla to operate effectively in the open while protecting sensitive information. | ||
These data classification levels use the colors of the [[Security/Standard Levels|Standard Levels]]. | These data classification levels use the colors of the [[Security/Standard Levels|Standard Levels]]. <br> | ||
<br> | |||
This classification scheme is solely meant to communicate who the intended audiences of a particular file is, not what type of content is contained within the document.<br> | |||
<br> | |||
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec/ source repository on github]. | Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec/ source repository on github]. | ||
Changes are detailed in the [https://github.com/mozilla/wikimo_opsec/commits/master commit history]. | Changes are detailed in the [https://github.com/mozilla/wikimo_opsec/commits/master commit history]. | ||
The | The Mozilla Security Assurance team maintains this document. | ||
</td> | </td> | ||
</tr> | </tr> | ||
| Line 37: | Line 40: | ||
| | | | ||
When sharing or distributing data, documents, etc. you are responsible for setting and changing a classification label. | When sharing or distributing data, documents, etc. you are responsible for setting and changing a classification label. | ||
While it is required for all Google Drive documents, it is strongly advised that you use them with any tools and communications systems where Mozillians may share | |||
information (e.g.: | information. (e.g.: text documents, attachments to emails, Matrix topics, and other digital media documents). | ||
|} | |} | ||
| Line 48: | Line 51: | ||
! <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Public</span> | ! <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Public</span> | ||
| Data that can be shared with the world. | | Data that can be shared with the world. | ||
The | The audience of this data is meant to be anyone, internal to Mozilla or the wider public. | ||
|- | |- | ||
! <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: | ! <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: | ||
bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Staff and NDA'd Mozillians Only</span><br / | bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Staff and NDA'd Mozillians Only</span><br /> | ||
| | | The audience of this data is any employee of the Mozilla Foundation, Mozilla Corporation or any other Mozilla subsidiary as well as any individual/entity that has an NDA with Mozilla. | ||
|- | |- | ||
! <span style="background-color: # | ! <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Specific Workgroups and Individuals Only</span> | ||
| | | The audience of this data is meant to be specific workgroups or specific individuals. A Workgroup is a specific group of people, like a team. Use of this label requires the author to list out each workgroup and/or individual that the data is intended for, somewhere in the file. | ||
|- | |- | ||
|} | |} | ||
= | = Examples of data classification = | ||
'''''The list of examples is not an exhaustive list, nor should this list be taken as classification of types of data, only intended audiences.''''' | |||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Label | ! Label | ||
! Examples | ! Examples | ||
|- | |- | ||
! | ! <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Public</span> | ||
| | | | ||
| | * Mozilla releases a document for public consumption | ||
* Upcoming product information product teams want to share with the public | |||
* Job listings on the Mozilla career page | |||
|- | |||
! <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: | |||
bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Staff and NDA'd Mozillians Only</span><br /> | |||
| | |||
* Information shared in the monthly MoCo/MoFo internal meeting | |||
* Bugzilla bugs with the "Moco confidential" or "infrastructure" flags | |||
* Aggregate survey data about Mozilla employees that is not meant for the public | |||
* Fox Fooding data for soon to be released products or services which is intended to stay within Mozilla | |||
|- | |||
! <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: | |||
bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Specific Workgroups and Individuals Only</span><br /> | |||
| | |||
* Service passwords/credentials | |||
* Bugzilla bugs with security or restricted flags | |||
* Proprietary or protected information, code, libraries from Mozilla partners | |||
* Contracts or legal documents that can't be shared with all of Mozilla | |||
* Unannounced communication materials (dates, visuals, plans) for campaigns, product launches, etc | |||
* Firefox release signing keys | |||
* Specific partner conversations | |||
* User/personal passwords/credentials | |||
* [https://www.mozilla.org/en-US/about/governance/policies/participation/ Community Participation Guideline (CPG)] report data | |||
|- | |- | ||
|} | |} | ||
= | = Deciding how to classify = | ||
''The list of examples of how to label data is not an exhaustive list and serves an an indication on how to ensure the data classification labels are clearly communicated.'' | ''The list of examples of how to label data is not an exhaustive list and serves an an indication on how to ensure the data classification labels are clearly communicated.'' | ||
There are always two people involved with exchanging | There are always at least two people involved with exchanging confidential information: | ||
* The '''Discloser''' is the person who provides the information to the Recipient. | * The '''Owner''' is the person who created the file. The '''Owner''' and '''Discloser''' are often the same person, but not always. | ||
* The '''Discloser''' is the person who provides/sends/shares the information to the Recipient. | |||
* The '''Recipient''' is the person who receives the information. | * The '''Recipient''' is the person who receives the information. | ||
== | When in doubt, it's always best to classify at the most specific classification. | ||
== All new documents, box.com, etc. == | |||
'''Label''' every document with its appropriate classification at the top of the document. When possible, we recommend | '''Label''' every document with its appropriate classification at the top of the document if possible. When possible, we recommend | ||
using the header feature of the document. | using the header feature of the document. | ||
== Google Apps == | == Google Apps == | ||
'''Label''' every document (Docs, Sheets, Slides, Drawings, etc.) with its appropriate classification | '''Label''' every document (Docs, Sheets, Slides, Drawings, etc.) with its appropriate classification by utilizing the required label functionality. | ||
* For Docs, we recommend including the label in the header of the document. | * For Docs, we recommend including the label in the header of the document. | ||
* For Slides, we recommend including the label in the master slide so that it shows on all slides. | * For Slides, we recommend including the label in the master slide so that it shows on all slides. | ||
* For Sheets, we recommend creating a dedicated sheet (the tabs at the bottom of the page) either called "Data Classification" or the name of the classification for the entire file. In that new sheet, indicate the data classification. | * For Sheets, we recommend creating a dedicated sheet (the tabs at the bottom of the page) either called "Data Classification" or the name of the classification for the entire file. In that new sheet, indicate the data classification. | ||
== Wikimo (mediawiki), GitHub public repos == | == Wikimo (mediawiki), GitHub public repos == | ||
| Line 156: | Line 132: | ||
== Email subject lines == | == Email subject lines == | ||
* <span style="background-color: # | * <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; | ||
* font-weight:bold;margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: | * font-weight:bold;margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: | ||
* center;">Mozilla Confidential - Specific Individuals Only</span> information '''must''' be labeled in the subject line and should not be forwarded without the original senders express permission. | * center;">Mozilla Confidential - Specific Workgroups and Individuals Only</span> information '''must''' be labeled in the subject line and should not be forwarded without the original senders express permission. | ||
* For other emails, optionally label subjects with the appropriate classification. This one is up to you, but we encourage you to label emails when the subject is sensitive and it is important to alert recipients. | * For other emails, optionally label subjects with the appropriate classification. This one is up to you, but we encourage you to label emails when the subject is sensitive and it is important to alert recipients. | ||
| Line 167: | Line 143: | ||
Also ensure that non-public channels are protected by password or channel access control. | Also ensure that non-public channels are protected by password or channel access control. | ||
Remember that <span style="background-color: # | Remember that <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block;font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: | ||
center;">Mozilla Confidential - | center;">Mozilla Confidential - Staff and NDA’d Mozillians Only</span> and <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold;margin: .1em 0; min-width: 6em; padding: | ||
.05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Specific Individuals Only</span> '''may not''' be shared on Matrix. | .05em .5em; text-transform: uppercase; text-align: center;">Mozilla Confidential - Specific Workgroups and Individuals Only</span> '''may not''' be shared on Matrix. | ||
Ex: "PUBLIC | This is a channel to discuss anything you like about Firefox". | Ex: "PUBLIC | This is a channel to discuss anything you like about Firefox". | ||
Latest revision as of 16:56, 17 January 2024
|
READY
The data classification is intended to allow Mozilla to operate effectively in the open while protecting sensitive information. These data classification levels use the colors of the Standard Levels.
This classification scheme is solely meant to communicate who the intended audiences of a particular file is, not what type of content is contained within the document.
Updates to this page should be submitted to the source repository on github. Changes are detailed in the commit history. The Mozilla Security Assurance team maintains this document. |
Mozilla Data Classification
| Sharing data |
|---|
|
When sharing or distributing data, documents, etc. you are responsible for setting and changing a classification label. While it is required for all Google Drive documents, it is strongly advised that you use them with any tools and communications systems where Mozillians may share information. (e.g.: text documents, attachments to emails, Matrix topics, and other digital media documents). |
| Label | Definition |
|---|---|
| Public | Data that can be shared with the world.
The audience of this data is meant to be anyone, internal to Mozilla or the wider public. |
| Mozilla Confidential - Staff and NDA'd Mozillians Only |
The audience of this data is any employee of the Mozilla Foundation, Mozilla Corporation or any other Mozilla subsidiary as well as any individual/entity that has an NDA with Mozilla. |
| Mozilla Confidential - Specific Workgroups and Individuals Only | The audience of this data is meant to be specific workgroups or specific individuals. A Workgroup is a specific group of people, like a team. Use of this label requires the author to list out each workgroup and/or individual that the data is intended for, somewhere in the file. |
Examples of data classification
The list of examples is not an exhaustive list, nor should this list be taken as classification of types of data, only intended audiences.
| Label | Examples |
|---|---|
| Public |
|
| Mozilla Confidential - Staff and NDA'd Mozillians Only |
|
| Mozilla Confidential - Specific Workgroups and Individuals Only |
|
Deciding how to classify
The list of examples of how to label data is not an exhaustive list and serves an an indication on how to ensure the data classification labels are clearly communicated.
There are always at least two people involved with exchanging confidential information:
- The Owner is the person who created the file. The Owner and Discloser are often the same person, but not always.
- The Discloser is the person who provides/sends/shares the information to the Recipient.
- The Recipient is the person who receives the information.
When in doubt, it's always best to classify at the most specific classification.
All new documents, box.com, etc.
Label every document with its appropriate classification at the top of the document if possible. When possible, we recommend using the header feature of the document.
Google Apps
Label every document (Docs, Sheets, Slides, Drawings, etc.) with its appropriate classification by utilizing the required label functionality.
- For Docs, we recommend including the label in the header of the document.
- For Slides, we recommend including the label in the master slide so that it shows on all slides.
- For Sheets, we recommend creating a dedicated sheet (the tabs at the bottom of the page) either called "Data Classification" or the name of the classification for the entire file. In that new sheet, indicate the data classification.
Wikimo (mediawiki), GitHub public repos
- All documentation is by default Public on https://wiki.mozilla.org
- No confidential information may be hosted on the wiki.
Email subject lines
- Mozilla Confidential - Specific Workgroups and Individuals Only information must be labeled in the subject line and should not be forwarded without the original senders express permission.
- For other emails, optionally label subjects with the appropriate classification. This one is up to you, but we encourage you to label emails when the subject is sensitive and it is important to alert recipients.
Matrix
Set your Matrix channel topic to start with the classification label. This is also recommended for public channels.
Also ensure that non-public channels are protected by password or channel access control.
Remember that Mozilla Confidential - Staff and NDA’d Mozillians Only and Mozilla Confidential - Specific Workgroups and Individuals Only may not be shared on Matrix.
Ex: "PUBLIC | This is a channel to discuss anything you like about Firefox".
Zoom, Hello, Hangouts, Skype and other video conference tools
- When using video conferencing, if this is not a public call - ensure that only the people who need to know the information have access to the video conference and chat.
- Verify the list of participants and verbally announce if you're going to share any non-public information.
Code and configuration deployments
When committing or deploying code that handles credentials:
- Ensure that the credentials are stored in a separate file (if possible encrypted).
- Optionally label the file with a comment mentioning it's data classification label (either inside the file or as a file attribute, or even in the file name if it makes sense)