What is a CISSP?
A CISSP is many different things to different people. The ISC2 promote it as the premier security certification in the world and have you believe that with a CISSP comes great knowledge, power, mastery of the Force and an abundance of wealth.
From a recruitment perspective these are the magic set of letters that could be the difference between your CV being sent forward for consideration vs. being thrown in the rubbish regardless of your 20 years experience.
Others view it simply as something their boss asked them to do. Which they duly obliged and now forever bemoan the fact they have to pay annual maintenance fee’s and give account of their continuing professional educational for very little return.
To everyone else it’s a bunch of letters security people put after their name in an attempt to make themselves feel more better than they really are.
My journey of CISSPness
Many years ago I was stuck in a job where I had hit a very low glass ceiling. There were senior security specialists in the team I was in who got to work on all the sexy projects. I was stuck continually doing the same things. Monitor the IDS logs, make firewall changes, manage privileged ID’s and undertake some ‘level 2’ support work.
I was weighing up my career options. I had to move or I would be stuck in this role for the next 10 years making a slow but sure descent into madness. The only way I could progress was by jumping ship. But how? I needed to market myself as some sort of security expert. Sure, I could talk about my experiences once face to face with a hiring manager, but getting my CV past the competition was difficult.
It was then that I came across the CISSP certification. The timing couldn’t have been better. The experience needed, the cost, the domains, everything seemed to fall into place. I was eligible to sit the exam and earn the certification. With that certification I could put those magic letters after my name. No recruiter could say no to a man with a CISSP. My colleagues who looked down on me would finally give me the respect I finally deserved.
But it wasn’t going to be an easy exam to pass. Two of my colleagues had sat the exam and failed. I was determined to not fail.
After attending a week boot camp to prepare me for the exam, I armed myself with a CISSP study guide and practice exams from cccure.org. With enough practice I passed my exam. I was the proud owner of a CISSP certificate, badge and tie pin. What more could a young security professional like me want?
The problem I found after doing my CISSP is that I had simply revised a set of topics and answered them in an exam and walked away. In reality, there was nothing I had truly learnt from revising the 10 domains and there was little in terms of what I could really apply going forward.
So I’m revisiting the CISSP. Armed with a few extra years of experience and some stories, the intention is to go through the 10 domains and see what I’ve remembered, what I’ve forgotten and what real-life experiences I can draw upon. I’ll refer to my old (and very much outdated) books, notes and course materials and make comments as I go along.
Domain 1: Information Security and Risk Management
Ah yes, this is the domain which started with security management. This section nearly put me off the CISSP altogether. The core aspects of how security should be managed were explained in such a convoluted manner that it makes little sense to me to this day.
First off, it’s quite difficult trying to define the perfect way security needs to be managed within an organisation. You can try to achieve the perfect state by having a top down approach, having a mature risk assessment model and a selection of the finest technical, administrative and physical controls. But the issue is that no two companies are the same. Every company operates information security in different ways. For some companies it’s part of their IT function, others it’s part of their risk team, or fraud team or a sub-team within networks. So picking the best way to manage security, how it should be embedded within an organization or how security programs should be run is dependent upon how the business works. That in turn will define the security responsibilities and accountabilities within the organisation.
Remember, fundamentally security is a function that is supporting the business. It isn’t the business itself. Unless it is a security company you work for. Which brings me to the first point about the balancing act security performs.
Security vs usability:
Broadly speaking, the more secure you make something, the less usable it becomes. Its a bit like fast cars. The faster or more sportier you want a car to be, the less practical and useful it becomes for everyday use. Try taking the wife and kids shopping in a Ferrari. Which is where I guess this analogy ends.
Another way of looking at it is that the more locks you put on the door, the more keys you will need to unlock it. It adds more cost and requires more effort on your part. This is what you’ll find a lot of books and experts say. But this way of thinking isn’t always true. When done correctly, i.e. implemented in the early stages of design, security can be increased without lowering the usability.
Take for example cars. Back when I was a young boy, we didn’t have central locking in cars. You had to use the key to unlock each door individually. Or the driver would get into their seat and lean over and unlock the other doors. Fast forward a few years and you now have keyfobs. One click and all your doors are unlocked, making it so much easier for everyone to make a dash for the car on a cold rainy day and not spend ages trying to unlock the doors. Aside from the convenience, it also makes securing the car a lot easier. One click and all your doors are locked. When I was young, you’d often come back to the car and find that someone had forgotten to lock one of the doors. More often than not it would be the back seat door where I had been sitting. Although I always tried to deflect the blame away from me by claiming I had locked it, or that someone else was responsible.
This clearly illustrates that it isn’t impossible to increase security and enhance usability at the same time. It just takes a bit of forward thinking, business engagement and understanding customer needs and behaviours.
I have these scribblings labelled supporting controls. Underneath which are listed:
Administrative: Policies, standards, etc.
Technical: encryption, authentication, IT infrastructure etc.
Physical: Fences, locks, guards etc.
Now these are pretty easy concepts to understand. You have three basic types of controls. Administrative controls are concerned largely with the security policies and standards that need to be adhered to throughout the organisation. Whereas technical controls are all about the shiny boxes with blinky lights that you install in your data centre. Physical controls do exactly what they say on the tin and put overweight security guards at the door to stop any suspicious looking individuals from entering the premises.
Physical security is becoming quite a challenge, nearly every building I’ve worked in over the last few years has reports of laptops going missing (my being there is totally coincidental). The problem is that although in the CISSP books we talk about physical security controls in the same breath as technical and administrative controls, but more often than not physical controls are handled by a completely different department.
Which brings an interesting perspective to things when a laptop goes missing. The physical security guys will look at the value of the physical device, whereas the information security team will be more concerned with the data that was or could have been present on the machine at that time.
To expand on this. Your policy and standards (administrative controls) will dictate that all laptops / mobile devices should be physically secured at all times and either not contain sensitive information, or protect any sensitive information on it.
The result of this will be physical security will supply kensington locks and advice users not to let their laptops out of their sight or leave them unattended in the car etc.
Information security will implement some technical controls such as whole disk encryption, data leakage protection controls or maybe even device tracking and remote wiping capabilities. So collectively you can appreciate how the 3 different types of controls can work together to secure your data.
Pretty simple? Well yes, that’s the theory, and securing the laptops is a good example. But in many instances in large organisations, these three control families are run by three different areas who never seem to speak to each other. Which ends up with some interesting situations. It’s something to bear in mind when you are in a position where you find yourself suggesting particular controls because they are “best practice”. It’s important to understand the right controls first and then proceed to implement them. Otherwise you can end up implementing controls that are wholly inappropriate and do nothing but waste everyone’s time or give people a false sense of security. Don’t be that guy. You’ll simply end up not just annoying people, but giving security a bad name. People will run from you and not want to give you any time. In effect you’ll become an auditor.
And nobody likes an auditor.
The wrong approach and mentality can be demonstrated with an old experiment. It started with a cage containing five monkeys.
Inside the cage, hung a banana on a string just out of reach. A small stepladder was placed in the cage. Before long, a monkey positioned the stepladder to climb towards the banana. As soon as he started to climb the stepladder, all of the monkeys were sprayed with ice cold water.
After a while, another monkey made an attempt with the same result; all the monkeys were sprayed with cold water. Pretty soon, when another monkey tried to climb the stairs, the other monkeys teamed up to beat him up in order to prevent all of them being sprayed by ice cold water.
The ice cold water was put away and one of the monkeys was removed from the cage and replaced by a new one. As soon as the new monkey was feeling hungry and made a move to get to the banana, he was quite shocked as he got a beat-down by the other monkeys as if he’d just insulted their mothers.
One by one the original monkeys were removed and replaced by new ones. Eventually, there were only new monkeys in the cage, none of whom had ever been exposed to the ice cold water treatment. Even at that time when a new monkey was introduced and it made a move for the banana, he got assaulted.
Note, that none of the monkeys have any idea why they are not permitted to climb the stepladder to the banana or why they participate in laying the smack down on any new monkey who tries to get the banana. As far as they are aware, its best practice, and how things have already been done around there.
Don’t become those monkeys at the end who beat up project managers to implement a control but have no idea WHY you’re doing it.
Referring back to my notes, I’ve got a section on ‘data ownership’. Books will tell you that this is usually a senior person within the organisation who has responsibility for protecting the data. They should classify the information and dictate how the data should be protected.
What really happens is that a middle manager is given the noble title of being an application owner of some sort. You, as the security professional will have to do the hard work in finding out what the application is, what the data is, explaining repeatedly the importance of classifying the data correctly and also what it means. Eventually the application owner will ask you to tell them what controls they should implement. I’ve yet to come across a business application owner who can achieve this without help and guidance.
When I first heard the term CIA triad, the image of a Japanese gangster working for the U.S. Government sprung to mind.
The CIA triad is one of the basic foundations of information security. It’s one of those simple skills like walking. Which seems a bit wobbly when you’re 1 years old. But over time you take it for granted and don’t think about it.
Conceptually it’s what drives a lot of the thinking behind every good security consultant. There’s a lot behind each of these letters than the face value of Confidentiality, Integrity and Availability.
Information wants to break free and will do everything in its power to do so. It is very creative in how it evades detection and leaks into the world and it has many allies. How many times have the famous words been uttered, “Don’t tell anyone else but I heard that…” and before you know it the story has gone twice around the world. Keeping secrets is hard. I don’t know if it’s in human nature or something, but people just want to blurt out details that are best kept within. Computers aren’t much better than humans. Sure, they don’t share the same appetite for gossip, or drop secrets in the name of impressing someone. But they’re noisy in other ways. It is not simply the case of keeping confidential details secret, but looking at signals that point towards it.
If you’re walking along a beach and see hooves printed in the sand, followed by a few pieces of fresh horse excrements, you don’t need to see the horse or be a genius to figure out a horse is close by.
Reporters deduced that the Whitehouse officials were plotting something big – like the 2nd Gulf war by the number of pizza’s that were being delivered late at night.
When trying to ensure the confidentiality of information, don’t forget the tell-tale signs that are associated with it. Confidential information generally carries a lot of baggage. Foreign embassy’s for this reason generate the same amount of network traffic every day regardless of whether there is any information worth sending, so that when they do have something big going on, no-one notices a spike in traffic volumes.
How would you feel if you bought a can of Pepsi, but taking a sip of it, you discovered is was Fanta? Well that’s what integrity is. You want the contents to be exactly what it says on the tin.
If you go to the doctor and discover he’s lost all your medical records, or disclosed it to the world by accidently putting it up on his website, it would be inconvenient, maybe embarrassing if you’re like my friend Andy who has the medical record of a crack whore ladyboy. However, if the doctor was unable to preserve the accuracy of their records, this could lead to disastrous consequences. Imagine an A+ blood type person receiving B- blood. I’m not a medical professional, but I can assume that may have some unpleasant side-affects.
Availability is sometimes treated as the step-child of security. A bit like those orphans who inherit millions from their rich parents, but aren’t allowed to touch the money until they turn 21. What’s the point in having the money if it’s unavailable to you?
Or what’s the point in having a super-model wife if she’s taken a vow of celibacy?
The point being that you want your assets to be available to you at the time that you need it. Otherwise, in many ways it ceases to be your asset.
One of the biggest challenges with availability is that once people get a taste of a service, they won’t take no for an answer. It’s like the Khan family who used to run a newsagents down my local high street when I was growing up. They started off like any normal shop. Open at 7 and close at 6 Monday to Friday and 7-12 on a Saturday.
Over time, they noticed that if they extended their closing time by 15 minutes, they would catch the next train and a whole raft of customers would come in. This worked out quite well so they extended their time even more. They extended their opening hours on a Saturday and even started opening on a Sunday.
One day Mr Khan was ill so he thought he’d shut up shop at the proper time of 6pm. The next day, several of his customers complained that they had come at 6:30 only to find the shop was closed and they had to go to inconvenience themselves by going to the next shop a few steps down.
Once a precedent is set, its near impossible to change. Even if you weren’t the one setting the precedent. Which is why nowadays you find so many 24 hour stores scattered all over the place.
The importance of having information available at the right time is just as important. People want the information when it’s convenient to them. They don’t want to see a website down for maintenance, or files currently unavailable or a credit check not being completed within 20 seconds.
Many books will tell you about qualitative and quantitative risk management and all other types of metrosexual crap like that.
Businesses aren’t overly impressed, concerned or interested in your elite skillz. Neither does anyone want to know what the latest vulnerabilities the latest patches seek to fix. They want a simple method to understand what is going down.
Consider this, if an elite commando unit were going into a house to rescue a hostage, what sort of questions would they ask?
Who’s the hostage(s), how old, any special conditions like health problems etc.
How many bandits are there. Are they armed. Do they have any special training themselves.
The basic house layout, rooms and where the hostages are, or are thought to be.
Based on this, they will formulate a plan of action that will give them the highest possible chance to get in, rescue the hostages, capture / kill the bandits and not get injured in the process.
You don’t want to know that the hostage likes to be called by his nickname of Mr Twinkles and that the second bedroom has a pink rug on the floor with little stars on the ceiling that glow in the dark. It’s not useful information, its noise that needs to be filtered out and only the essential intel gathered to make a successful mission. Risk are properly understood by correctly identifying your assets, threats, vulnerabilities, likelihood and impact.
“Cover you asses”
In many films our group of macho men instruct each other to watch their asses, cover their asses, get their asses down or simply avoid getting their asses kicked.
I’m sure that the original version of the script stated asses as assets. Because that’s exactly what an asset is. It’s something valuable that you want watched, covered, hidden and not kicked about. You have tough choices in life, and that’s when faced with a difficult situation, you tend to find out which one of your assets is the most valuable. Sure a platoon commander may say that no man gets left behind, but if they’re ambushed and look like there’s no way out, he probably wouldn’t hesitate to make Private Pipper the scapegoat so he can save himself along with Butch, Hutch and Troy.
You get two types of business people, those who think they understand what their assets are and those who don’t have a clue what their assets are. It’s your job as a security professional to put them under the right amount of pressure so they actually focus on what’s really important to them. Bear in mind that priorities change with time. Just as a young single person may say that their beloved sports car is their most valuable asset, then they get married and consider their wife to be their most valuable asset, but after staying married for some time he realizes his car is still his one true love. But then he may have kids and they become his number 1 asset, until they get older and move out, never to return. So his garden becomes his best asset as he spends hours pruning plants wondering why he didn’t discover this brilliant hobby 30 years ago. It would have saved him the trouble of getting married, having kids or spending so much money on cars.
The point is that at any point in time, you need to understand what is the number 1,2 and 3 assets in the business. The ones that the owner would cry for if it were compromised. Or worse still fire you over.
There are many kinds of threats. Some threats are very simple and unimaginative such as a child in a playground threatening another that they’ll tell the teacher that they wrote on the wall unless they let them kiss their girlfriend. What? You never had that? Well it’s just something I heard happened at a school once. Kind of like a prequel to indecent proposal.
We hear of many standard threats, such as,
“I’m gonna kill youuuuuu”
“You’re gonna pay for this”
“I’ll be back”
OK that last one was Arnie, but you get the drift. These are regular threats that we are accustomed to. These are generic and broad, and the scope is usually too wide to do anything about. It’s like when someone says that hackers are out there. It’s true, but it’s like saying don’t go skinny dipping in winter in the North Pole because it can get a tad bit cold.
In risk management terms, security professionals worry about specific threats. Ones that identify a particular asset. Like when a crazed Columbian gang says that they will kidnap your daughter and hold her until you meet their demands. Now that’s specific as it clearly identifies your asset that they are targeting. So now the heat is on. You have to make sure your intel is good, because you’re going to be spending a lot of time and effort protecting your daughter and unless you’re Liam Neilson, if she gets taken, you’re in for a rough time.
Also bear in mind that threats aren’t always announced by the attacker before attacking. Unlike movies, real-life bad guys don’t monologue and tell you all their plans, giving you a chance to thwart them. No, it’s up to you to think like a thief. If you wanted the credit card database, how would you go about it? Would you hack them from outside? Cut the power supply? Bribe an employee? Drug the receptionist? Pretend you’re a maintenance man? Set fire to the building? Rappel in through an air duct in the ceiling?
You’ll be needing to build up a threat library, be creative and patient whilst building this up. Remember, your enemy will always think of one more threat.
A vulnerability is basically a weak spot that your enemy can use to attack your information. It can be best understood if you grew up playing video games where at the end of each level you had a boss to defeat. These bosses were usually pretty tough and you’d spend hours replaying the level in order to figure out how to beat them. There was usually a weak spot on the boss that you had to target. Like hitting their exposed head when their eyes turned red. Or the heel of Achilles which was his weak spot and had anyone known of this weak spot earlier, a swift arrow would have put an end to his badassery a lot quicker. Actually, come to think of it, I wonder why a mosquito never bit his heel and gave him malaria.
Some vulnerabilities are easier to identify than others. Detecting an SQL injection vulnerability on your web application is pretty easy. What’s not so easy to detect is a more complex vulnerability. Like where the airduct is placed perfectly above the computer in your sealed room allowing Tom Cruise to lower himself down and access it.
But this raises a dilemma. Many security researchers spend countless hours trying to find complex vulnerabilities and plug them before an attacker finds them. But when you look into the history of security breaches, a lot of them are perpetrated via simple attacks.
Spend your time looking for vulnerabilities wisely.
We all have arguments with friends a lot. Especially if you’re playing a competitive game. Whether it be football, poker, a video game or even tiddlywinks. You can often hear the best of friends hurl the most creative of insults at each other. Dave, one of my friends grew up a big fan of Duke Nukem and loved quoting one-liners from it. .
So every now and then we’d be out playing something like tennis and I’d serve an Ace that would go whizzing past him. His response would be, “I’m gonna rip off your head and shit in your brains.”
Charming. But I know the likelihood of him actually following up on that threat is about zero.
Likelihood can be tricky to estimate. One of the reasons is that people tend to rely a bit too much on past experiences. My cousin Tariq learnt this lesson the hard way. He’d had his car for nearly 3 years and never had a puncture. As a result he had removed the spare wheel and tools kept in the boot of the car in order to save weight. Being a student he was always low on cash and had heard that by reducing the weight of the car he would cut down on fuel costs and hence save some money. Which when you’re a student sounds great because in a month he may save enough money to buy a pot noodle.
Him and his friend Max was going on a road trip during a break from University. They went to visit the Lake District to enjoy some of the scenery. Well, that’s what they said they went there for. Personally I have my doubts. Their return journey was quite late, well past midnight. They couldn’t afford to stay in a hotel or B&B.
As fate would have it, they ended up with a flat tyre in a dark country lane in the middle of no-where. To top it off, Tariq didn’t have any breakdown cover because – being a student he wanted to save money. They called up friends for help. Half of whom were probably asleep or too drunk on a Saturday night to bother answering the phone. Eventually one of their friends answered and agreed to drive up with his spare tyre. For most of the night they stayed in the car afraid that they would be decapitated by a mass-murderer in the meantime.
Try to work out how likely something is to occur.
An asteroid is heading for earth. It’s due to enter the atmosphere what do you do? Do you gather your family, embrace in a heartfelt hug, wanting to spend these moments with your loved ones? Do you ignore it and carry on as usual? Maybe you hop in an aeroplane and try to get a flight to the side of the planet furthest away from impact? Or maybe you’re experienced in drilling, so plan on flying up, landing on the rock, drilling deep into its core and dropping a nuclear device inside it.
Your reaction will be generally driven by the impact the asteroid will have. Many asteroids burn up in the earth’s atmosphere and we don’t notice them. Some become beautiful shooting stars. Others land on top of some poor buggers caravan. Other times the effects are far more severe. It’s not an exact science, but depending on the size and location where it will land, you can make a pretty good assessment of what the impact will be.
Combining these together, we arrive at the magic formula. The holy grail. The essence and meaning of life itself. What is the risk?
Tradition will state that right about now the book includes a 3×3, 4×4 or a 5×5 matrix of impact vs likelihood to establish the risk. A typical matrix would look something like:
|Didn’t hurt||is that the best you got?||Owwwch||Holy Shit!|
In the real world though, more often than not, despite the presence of a scientific methodology to determine a risk rating people still rely on good old gut feel mixed in with a healthy dose of bias.
This bias comes in many shapes and forms and can seriously impact a risk rating. An antivirus vendor will say that a virus can end the world so will rate any system without an AV solution as a majorly screwed situation to be in. If a company has recently experienced an incident where they lost an unencrypted laptop, suddenly having an unencrypted laptop becomes a MAJOR level of risk that threatens world peace and could destroy the lives of billions and must be encrypted at all costs. In these scenario’s people get emotional. The head of IT probably got his balls chopped off for being the unfortunate bugger at the wheel when one laptop went missing, so he doesn’t want to risk the same happening a second time.
You won’t be able to change people’s bias all the time. In fact, if they’re more senior than you within the organisation, it becomes pretty darn hard. But being a great consultant doesn’t mean winning each and every battle. Arguing if a risk should be rated as medium or high isn’t the objective. It’s about being aware of the risk, agreeing it exists (at whatever level) and making sure something is done about it.
I really like the word countermeasure. Sounds very officially and efficient. I usually think this word was invented to make a boring conversation sound really important.
Employee: “sir, we’ve identified the risk and it’s classified as ‘holy shit!’
Boss: (punching table): “Well don’t just stand there holding your pen, go and deploy the countermeasures!”
Sadly, I’ve never had such a cool discussion, but I hope that someone out there has.
So what do we mean by countermeasures? Those are the actions that we want to take in response to a risk. Typically, there are four types of countermeasures that can be deployed:
1. Risk Acceptance
Sometimes the easiest option is to simply accept a risk. Some things are just too far out of your control, or their impact just doesn’t warrant you worrying about it. Actually, when I say ‘you’ worrying about it, it’s actually the business who need to worry about it. Your job is to provide these options and it’s the business to decide which one is most appropriate.
2. Risk transference
Some choose to transfer the risk to another party. A common example is that of taking out insurance to cover your losses. Although for those of you who’ve ever had much dealing with an insurance company will know that when it comes to making a claim you’re not as well covered as you thought you’d be. Outsourcing or moving infrastructure to the so-called cloud is also another popular option.
3. Risk mitigation
This is where you get serious and put in place countermeasures that will reduce the risk down to an acceptable level. For example, if you jumped out of an aeroplane, there is the risk of you ending up on the ground like a bug splattered over a windscreen. However, if you put in place a mitigating control, such as a parachute. You bring the risk down to a much more acceptable level.
4. Risk Avoidance
Avoiding risk isn’t an act of cowardice. OK well, sometimes it may be perceived that way, but it’s sometimes the best option. Just change your business practice so that you don’t fall into the trap. A bit like if you’re out shopping with your girlfriend and you see an ex. It’s usually just better to avoid making eye contact or any other interaction and move along like nothing happened.
Once you’ve implemented your chosen countermeasures, it’s a good idea to check them to make sure they’ve done their job and not introduced another vulnerability. Find a way to measure their effectiveness and decide if the end risk is now at an acceptable level. if not, you’re going to have to start all over again. Or you could tick the box and move on. It depends on how many hundreds of risks you’ve got to get through by the end of the week.
I’ve got some more information in this domain around Standards. Yeah go and read up on ISO27001 and other such things. Be aware these all exist and roughly cover the same material but in a different order.
There’s also some stuff about developing a security program, along with the different phases a program should go through. Again, this is all good stuff in theory, but like I mentioned earlier at the beginning of this domain, the way in which you plan and run your security program will vary greatly depending on the type of company you work in.
What is important though is that you plan your security program well and if challenged, you can defend each and every control you implement. Don’t be a sheep that blindly follows a standard. Just because ISO27001 says HR should undertake background checks on employees, doesn’t mean you must do it. Understand the type of business you are running, the type of work employees do and the information they have access to. If certain controls are not being met by the majority of your organisation, then maybe it’s time to assess it and replace it with a control that is more appropriate.
You can’t protect ALL the information ALL the time. So you classify them into different categories. this will ensure that you apply the most strict controls to the most sensitive data.
A bit like putting your hardened criminals in solitary confinement, the rest to general population, lower minions to parole and leave the rest be free.
Always remember, just because something in isolation is of a low classification, it may still be dangerous. Seemingly mundane and innocent information can end up being a source of leakage – so careful what you label public and also take care of internal info.
An example of a 4 level classification scheme looks a bit like this:
Secret information is the type of information people take to the grave. It’s the kind of information that would cause mass panic. It’s best not written down or discussed, it’s something that stays in your head and never repeated to another soul.
What happens in Vegas, stays in Vegas. Confidential information is generally restricted to a small group of people and related to a specific event.
Internal information is generally only of use or mild interest to internal employees. Generally most companies adopt internal as their default classification.
This is information that companies may publish themselves. Like press releases announcing the arrival of a new CEO, because that kind of information is what the public lives for. Other information may not be announced with such fanfare, or announced at all. But the company is not too concerned with who knows this information.
This is another one of those topics which makes perfect sense in theory but an absolute nightmare to implement in the real world because you need your users to identify and correctly classify their information. It just doesn’t happen and technical controls are limited in what they can achieve in this space. So a lot of companies just treat everything as confidential, apply a broad set of technical controls to protect it and pray really hard.