Info Class (e.g. secret, confidential, public)
Security Risk (e.g. Confidentiality, Integrity, Availability??)
Required Security Controls
I'm not sure I understand your question, so if I've missed the mark, let me know. As the policy statement already exists for information classifications and information owners, custodians and users, you are trying to develop a checklist to assist data owners and data custodians in classifying their data, correct? This is a good strategy! Developing the owners / custodians / users a "yes" or "no" checklist format asking three or four critical questions to help them will reduce frustration and erroneous dissemination of information. (For example, is the information available through the media?) Categorize each information class so that when they reach a "yes" answer, the information is bumped into the next classification, which will allow for natural migration into the next category. Since you have defined your information classes (i.e., secret, confidential, public), your next step will be to list the assets on the spreadsheet (you have already identified them in the risk assessment / analysis) requiring protection, and determine how they will be protected. As you pointed out, your best method will be to develop a matrix or a spreadsheet. WARNING!! The list of assets will be extensive. This will be the time to "micro-manage" your assets. Do not assume your user community thinks in the same way you do. For example, one of your assets listed is MAIL. Sound straightforward? You will need to identify ALL methods available to send mail: electronic mail through internal systems only; electronic mail through external systems, including the Internet; through interdepartmental mail internal to the building; through interdepartmental mail external to the building; USPS; Federal Express; special courier; etc. For each of these methods, you now will have to determine if certain actions will be permitted and how (i.e., handling, envelope, labeling, address information, document instruction, writing instrument, etc.) for each classification. As you can see, your matrix will be rather expansive.
Dig deeper on Enterprise Risk Management: Metrics and Assessments
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.