Documenting how to handle confidential criteria
I need to write an internal procedure on how to handle confidential data. Can you offer some suggestions?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

The goals of data classification are listed below:

  • Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
  • Return on investment by implementing controls where they are needed the most
  • Map data protection levels with organizational needs
  • Mitigate threats of unauthorized access and disclosure
  • Comply with legal and regulation requirements

The steps to develop and roll out a data classification program are:

  1. Compile an inventory of all information assets

  3. Define levels of protection for information assets

  5. Define a classification criteria

  7. Develop information classification policy

  9. Define information handling and labeling procedures

  11. Assign responsibility for classification to the owner of information

  13. Assign a security classification to all information assets

  15. Classify information according to sensitivity and how much protection is required

  17. Apply the classification system to documents, records, data files, and disks.

  19. Develop information handling procedures for each class of information

  21. Develop information labeling procedures for each class of information

  23. Integrate into security awareness and training programs

You should have a data classification policy that covers the following:

  • Information as assets of individual business units

  • Declare business unit managers as information owners

  • Declare IT as data custodians

  • Classification scheme

  • Definitions for each classification

  • Criteria for each classification

  • Roles and responsibilities of classification

Your written procedures and guidelines should address the following;

  • How to classify information
  • How to change classification level if needed
  • How to communicate classification change to IT
  • Periodic review of
    • Current classification levels and mapping to business needs
    • Current access rights and privileges
    • Protection levels that current controls are using

The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.

Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf

Lastly, this link provides detailed guidelines for how to treat different types of data.

This was first published in August 2005