
Question


As the security architect for a federally funded research and development center for the United States, the systems you manage have FISMA compliance requirements if data that touches the system is government-related. Let's assume a new research project was granted around machine learning specific to a government application. The data is sourced from government entities, thus let's say it is subject to FISMA (whether or not this hypothetical example would actually be classified as such). The data has been labeled haphazardly and the information classification has never fully been established. As the saying goes, "Garbage in, garbage out" (George Fuechsel, 1963) in terms of information management. Your assignment is to determine an information management scheme to enable labeling for information sensitivity level classification and record retention. Fill in the missing boxes in each table, which may include adding information to partially filled-in boxes as well. Refine tables through group discussions.
Although it would be interesting to include machine learning in the latter part of this activity, information labeling practices are evolving. For instance, semantic segmentation is in use for image labeling and is quite precise to the pixel level. The application of labels to information sets may use different techniques than information labeling for information management (sensitivity and record retention) in practice.
Classification Levels:

| Level | Description | Controls |
| --- | --- | --- |
| Public | Data suitable for external distribution and consumption | Integrity protection - Although data may be available publicly, providing an assurance on the trustworthiness of data is important to the organization. |
| Unclassified/Internal Use | | |
| Internal Use/Sensitive/Need-to-know | Business restricted or personal information that requires protection to ensure need-to-know requirement is met. | |
| Secret | Information classified as secret, requiring need-to-know access and a secret clearance. | System segregation, must be maintained on systems classified as secret. Guards on systems protect data labeled as secret from moving to systems classified at a lower level. Encryption may be used to further protect data and ensure need-to-know. |
| Top Secret | Compartmentalized information that requires top-secret clearance and need-to-know access. This information has higher access requirements than classified data and may be an onion skin of a secret project that not all participants can be made aware. | |

Record Retention:
Data Type Retention Period and requirements Controls (may vary from sensitivity level requirements - follow strictest)
Contracts 3 years
Based on creation date
Preserve, review, and delete
Financial data 7 years
Based on
Personal Information (depends on applicable regulations - list for state in US you live, plus GDPR) Encryption/tokenization on highly sensitive data elements
Legal Hold
Machine Learning:

| Data | Types of annotations |
| --- | --- |
| News article | Article topic; Region |
| Scholarly article | Type of article; Specific discipline; Funded research; Journal/peer review |
| Image | Per pixel annotations (Semantic Segmentation); Per image annotations |
| Document (For your organization) | Research/Business; Business Unit; Funded by |
| Database records | |

For the types of information classification labels, let's assume you have a system that creates a hash of the data to be labeled in order to create an index to associate information management tags. As the architect, how might the use of hashes aid in your ability to manage information and the associated labels? Are there other alternatives to hashes that may better index data?
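
The hash-indexed tagging system described in the question, sketched as an added example that is not part of the original assignment. The `Label` and `LabelIndex` names, the choice of SHA-256, and the rule that a stricter level wins when the same bytes are tagged twice are assumptions; the level names and the 3-year contract retention come from the tables above.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Ordered lowest to highest, using the level names from the classification table.
LEVELS = ["Public", "Unclassified/Internal Use",
          "Internal Use/Sensitive/Need-to-know", "Secret", "Top Secret"]

@dataclass(frozen=True)
class Label:
    level: str            # one of LEVELS
    data_type: str        # e.g. "Contracts", "Financial data"
    created: date         # retention is counted from this date
    retention_years: int

class LabelIndex:
    """Maps SHA-256(content) -> Label, so a tag follows the bytes, not a file name."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def tag(self, content: bytes, label: Label) -> str:
        key = self.digest(content)
        old = self._by_digest.get(key)
        # Assumed policy: identical bytes tagged twice keep the stricter label.
        if old is None or LEVELS.index(label.level) > LEVELS.index(old.level):
            self._by_digest[key] = label
        return key

    def lookup(self, content: bytes):
        # None for unseen bytes: any edit, even one byte, yields a new digest.
        return self._by_digest.get(self.digest(content))

    def expired(self, content: bytes, today: date) -> bool:
        label = self.lookup(content)
        if label is None:
            raise KeyError("content has no label")
        end = (label.created.year + label.retention_years,
               label.created.month, label.created.day)
        return (today.year, today.month, today.day) >= end

if __name__ == "__main__":
    idx = LabelIndex()
    doc = b"constructed sample contract text"   # constructed sample input
    idx.tag(doc, Label(LEVELS[2], "Contracts", date(2020, 3, 1), 3))
    print(idx.lookup(doc), idx.lookup(doc + b"\n"))
```

Copies and renames of the same bytes resolve to one label, while an edited derivative comes back unlabeled and has to be re-tagged. An opaque record identifier as the index, with the digest stored as an integrity attribute, is one alternative that keeps a label attached across edits.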
