Problem solve

Documenting how to handle confidential criteria

Shon Harris, security management expert, suggests ways to draft an internal procedure on how to handle confidential data. She discusses data classification polices, steps to develop and roll out a data classification program, and what your guidelines should cover.

Shon Harris , Logical Security

I need to write an internal procedure on how to handle confidential data. Can you offer some suggestions?

The goals of data classification are listed below:

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
Return on investment by implementing controls where they are needed the most
Map data protection levels with organizational needs
Mitigate threats of unauthorized access and disclosure
Comply with legal and regulation requirements

The steps to develop and roll out a data classification program are:

Compile an inventory of all information assets
Define levels of protection for information assets
Define a classification criteria
Develop information classification policy
Define information handling and labeling procedures
Assign responsibility for classification to the owner of information
Assign a security classification to all information assets
Classify information according to sensitivity and how much protection is required
Apply the classification system to documents, records, data files, and disks.
Develop information handling procedures for each class of information
Develop information labeling procedures for each class of information
Integrate into security awareness and training programs

You should have a data classification policy that covers the following:

Information as assets of individual business units
Declare business unit managers as information owners
Declare IT as data custodians
Classification scheme
Definitions for each classification
Criteria for each classification
Roles and responsibilities of classification

Your written procedures and guidelines should address the following;

How to classify information
How to change classification level if needed
How to communicate classification change to IT
Periodic review of
- Current classification levels and mapping to business needs
- Current access rights and privileges
- Protection levels that current controls are using

The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.

Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf

Lastly, this link provides detailed guidelines for how to treat different types of data.

This was last published in August 2005

Dig Deeper on Information security policies, procedures and guidelines

Related Q&A from Shon Harris

How should security and networking groups manage the firewall?

When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ... Continue Reading

How can a call center achieve compliance with ISO 27001?

Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ... Continue Reading

Should an organization centralize its information security division?

Is your organization capable of having true information security governance? In our expert Q&A, Shon Harris reveals the ideal components of a ... Continue Reading

SearchCloudSecurity

Security for SaaS applications starts with collaboration

Following established best practices helps enterprises facilitate collaboration and communication through SaaS applications while...

An inside look at the CCSP cloud security cert

Get insights into the Certified Cloud Security Professional cert, cloud infrastructure and platform benefits and risks, and more ...

Test your cloud security smarts with these CCSP exam questions

Read up on cloud-based BCDR in this excerpt from Chapter 4 of 'CCSP Certified Cloud Security Professional All-in-One Guide,' then...

SearchNetworking

Palo Alto SD-WAN gets analytics, Prisma security

The Prisma integration and root cause analysis in the Palo Alto SD-WAN could help it standout in a market packed with competitors...

Enterprise 5G deployment options and how to procure them

Enterprises have to choose from three main 5G deployment options to make 5G work: public services from a mobile operator, network...

How to establish enterprise 5G partnerships and when

Enterprises that buy 5G public services, procure network slices or build their own private 5G networks need to establish the ...

SearchCIO

Trump's dangerous U.S. TikTok ban

President Trump's U.S. TikTok ban over national security is resting on a vague foundation. The concern can be applied to multiple...

MSP roles and responsibilities are undergoing rapid change -- here's why

It's a new era for managed service providers and CIOs. MSPs increasingly act as strategic partners, helping IT teams fulfill the ...

How machine learning model management plays into AI ethics

In the first episode of the 'Today I Learned' podcast, we're exploring the topic of ethical AI with insights from Scott Zoldi, ...

SearchEnterpriseDesktop

Microsoft launches Word transcription tool

The new Microsoft Word transcription feature makes crafting notes from an audio file a more streamlined process. The service is ...

Evaluate if the MacBook Air is good for business use

The MacBook Air is popular in the consumer market, but IT admins should evaluate the MacBook Air for business as a separate issue...

Microsoft ending 365 IE 11 support in 2021

With Microsoft 365 IE 11 support coming to an end, organizations must prepare for the day when relying on the browser is no ...

SearchCloudComputing

Partner products now certified for AWS Outposts

AWS has brought more than 30 certified partner software products into the mix for Outposts, the on-premises version of its public...

Get to know low-code/no-code tools from major cloud vendors

With the help of low-code or no-code services, application development doesn't have to be so painstaking or strenuous. Learn why ...

Explore cloud computing's effect on application development

AWS and cloud computing changed the way organizations build and run applications. Explore why that happened and see what to ...

ComputerWeekly.com

Ex-NCSC boss Ciaran Martin joins cyber venture capital outfit

Outgoing NCSC CEO Ciaran Martin is to take up a new role guiding new investments in cyber security

UK government reveals more insight into imminent contact-tracing app

Head of Track and Trace and health minister stung by criticism about contact-tracing app’s development compared with Scotland and...

Outgoing NCSC CEO: Ransomware threat kept us up at night

Former NCSC CEO Ciaran Martin sheds some light on some of the biggest cyber threats currently facing the UK

AWS announces Secret cloud region for intelligence community agencies

Tips for creating a data classification policy

Breaches reignite intellectual property protection

Data-classification levels for compliance: Why simple is best

Please create a username to comment.