Problem solve

Documenting how to handle confidential criteria

Shon Harris, security management expert, suggests ways to draft an internal procedure on how to handle confidential data. She discusses data classification polices, steps to develop and roll out a data classification program, and what your guidelines should cover.

Shon Harris , Logical Security

I need to write an internal procedure on how to handle confidential data. Can you offer some suggestions?

The goals of data classification are listed below:

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
Return on investment by implementing controls where they are needed the most
Map data protection levels with organizational needs
Mitigate threats of unauthorized access and disclosure
Comply with legal and regulation requirements

The steps to develop and roll out a data classification program are:

Compile an inventory of all information assets
Define levels of protection for information assets
Define a classification criteria
Develop information classification policy
Define information handling and labeling procedures
Assign responsibility for classification to the owner of information
Assign a security classification to all information assets
Classify information according to sensitivity and how much protection is required
Apply the classification system to documents, records, data files, and disks.
Develop information handling procedures for each class of information
Develop information labeling procedures for each class of information
Integrate into security awareness and training programs

You should have a data classification policy that covers the following:

Information as assets of individual business units
Declare business unit managers as information owners
Declare IT as data custodians
Classification scheme
Definitions for each classification
Criteria for each classification
Roles and responsibilities of classification

Your written procedures and guidelines should address the following;

How to classify information
How to change classification level if needed
How to communicate classification change to IT
Periodic review of
- Current classification levels and mapping to business needs
- Current access rights and privileges
- Protection levels that current controls are using

The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.

Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf

Lastly, this link provides detailed guidelines for how to treat different types of data.

This was last published in August 2005

Dig Deeper on Information security policies, procedures and guidelines

Related Q&A from Shon Harris

How should security and networking groups manage the firewall?

When it comes to firewalls, the networking group often handles the installation, while the information security department writes the rules. Should ... Continue Reading

How can a call center achieve compliance with ISO 27001?

Before you begin putting the pieces of your security program together, you may want to have a look at ISO 27001. In this expert Q&A, Shon Harris ... Continue Reading

Should an organization centralize its information security division?

Is your organization capable of having true information security governance? In our expert Q&A, Shon Harris reveals the ideal components of a ... Continue Reading

AWS announces Secret cloud region for intelligence community agencies

Tips for creating a data classification policy

Breaches reignite intellectual property protection

Data-classification levels for compliance: Why simple is best

5 PaaS security best practices to safeguard the application layer

Private vs. public cloud security: Benefits and drawbacks

How to create a cloud security policy, step by step

SolarWinds: Lessons learned for network management, monitoring

7 key SD-WAN trends to evaluate in 2021

10 network security tips in response to the SolarWinds hack

3 steps to recalibrate a strategic IT roadmap

Experts predict hot enterprise architecture trends for 2021

Cloud, security top list of IT spending priorities

Otter.ai helps Google Meet stay competitive

Will Windows 10 be the last Windows OS?

CES: Laptops sport designs friendly for remote workers

IBM acquisition spree targets hybrid cloud consulting market

How to choose between IaaS and SaaS cloud models

COVID-19 and remote work shift cloud predictions for 2021

Vodafone unveils ‘instant’ Wi-Fi

BT connects Dutch diplomatic missions

Nine out of 10 UK card payments in 2020 were contactless