Problem solve

Documenting how to handle confidential criteria

Shon Harris, security management expert, suggests ways to draft an internal procedure on how to handle confidential data. She discusses data classification polices, steps to develop and roll out a data classification program, and what your guidelines should cover.

Shon Harris , Logical Security

I need to write an internal procedure on how to handle confidential data. Can you offer some suggestions?

The goals of data classification are listed below:

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
Return on investment by implementing controls where they are needed the most
Map data protection levels with organizational needs
Mitigate threats of unauthorized access and disclosure
Comply with legal and regulation requirements

The steps to develop and roll out a data classification program are:

Compile an inventory of all information assets
Define levels of protection for information assets
Define a classification criteria
Develop information classification policy
Define information handling and labeling procedures
Assign responsibility for classification to the owner of information
Assign a security classification to all information assets
Classify information according to sensitivity and how much protection is required
Apply the classification system to documents, records, data files, and disks.
Develop information handling procedures for each class of information
Develop information labeling procedures for each class of information
Integrate into security awareness and training programs

You should have a data classification policy that covers the following:

Information as assets of individual business units
Declare business unit managers as information owners
Declare IT as data custodians
Classification scheme
Definitions for each classification
Criteria for each classification
Roles and responsibilities of classification

Your written procedures and guidelines should address the following;

How to classify information
How to change classification level if needed
How to communicate classification change to IT
Periodic review of
- Current classification levels and mapping to business needs
- Current access rights and privileges
- Protection levels that current controls are using

The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.

Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf

Lastly, this link provides detailed guidelines for how to treat different types of data.

This was last published in August 2005

Dig Deeper on Information security policies, procedures and guidelines

Related Q&A from Shon Harris

How should security and networking groups manage the firewall?

When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ... Continue Reading

How can a call center achieve compliance with ISO 27001?

Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ... Continue Reading

Should an organization centralize its information security division?

Is your organization capable of having true information security governance? In our expert Q&A, Shon Harris reveals the ideal components of a ... Continue Reading

AWS announces Secret cloud region for intelligence community agencies

Tips for creating a data classification policy

Breaches reignite intellectual property protection

Data-classification levels for compliance: Why simple is best

Unify on-premises and cloud access control with SDP

Get to know cloud-based identity governance capabilities

6 AIOps security use cases to safeguard the cloud

Network capacity planning best practices for return to office

Aruba product integrations advance its SASE strategy

Wi-Fi 6 rollout requires careful review of network devices

CIO role post-pandemic is 'opportunity of a lifetime'

Hybrid care is healthcare's future

Replacing vs. maintaining legacy systems

VMware launches Anywhere Workspace to secure remote workers

Incorporating zero trust into endpoint security

Keeping tabs on employees in the hybrid workplace

Elastic vs. AWS highlights open source monetization dilemma

Evaluate Azure CLI vs. PowerShell for resource management

Ready to be a GCP architect? Try this quiz and see

Anti-food waste app Karma taps up Google Cloud to power global expansion plans

NCSC offers teachers free cyber security training

Neos Networks launches business-grade Ethernet FTTx service across UK