The goals of data classification are listed below:
- Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
- Return on investment by implementing controls where they are needed the most
- Map data protection levels with organizational needs
- Mitigate threats of unauthorized access and disclosure
- Comply with legal and regulation requirements
The steps to develop and roll out a data classification program are:
- Compile an inventory of all information assets
- Define levels of protection for information assets
- Define classification criteria
- Develop an information classification policy
- Define information handling and labeling procedures
- Assign responsibility for classification to the owner of information
- Assign a security classification to all information assets
- Classify information according to sensitivity and how much protection is required
- Apply the classification system to documents, records, data files, and disks
- Develop information handling procedures for each class of information
- Develop information labeling procedures for each class of information
- Integrate into security awareness and training programs
You should have a data classification policy that covers the following:
- Information as assets of individual business units
- Declare business unit managers as information owners
- Declare IT as data custodians
- Classification scheme
- Definitions for each classification
- Criteria for each classification
- Roles and responsibilities of classification
Your written procedures and guidelines should address the following:
- How to classify information
- How to change classification level if needed
- How to communicate classification change to IT
- Periodic review of:
  - Current classification levels and their mapping to business needs
  - Current access rights and privileges
  - Protection levels provided by current controls
The NIST 800-60 document may be too "DoD centric" and overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.
Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf
Lastly, this link provides detailed guidelines for how to treat different types of data.