Classification of information

To set the correct level of protection for an information asset, the information has to be classified in accordance with its importance to the organization. A classification policy is normally a high-level document that does not tell your data owners how to classify the data under their responsibility. So, to understand the protection needs, a method to classify the information is needed. This is normally done by asking a few questions. Depending on the answers, each classification category (Confidentiality, Integrity or Availability) gets a certain level. With these levels, the data owner can determine which security measures should be taken. Note the word should: because security management is risk based, an owner can choose to accept a risk and not implement a certain control. Such a risk acceptance should be documented and signed off by the owner, so that it is a conscious decision and not an omission.

When you have a method to classify your information and your security baseline is clear, you can map the classification method to the security measures you expect to be taken. Many of these security measures can be automated or applied as a default. An example is encryption of data in transit: nowadays a good security policy would simply state that all digital communication must be encrypted, which makes it easier for data owners to align with this control.

How

The classification of information must be aligned with the needs of the organization and should reflect the impact that a compromise of the information would have on the organization. A good classification policy will help you with this. To get consistent classification results, one organization-wide method should be used.

A common way to get a consistent classification result is to ask a few questions per category. Depending on the answers, the right classification level can be determined. Below is a sample setup you can use (financial amounts are in the organization's currency):

Category         Score 1      Score 2         Score 3
Confidentiality  Low (1)      Medium (2)      High (3)
  • What is the financial impact to the organization of unauthorized data disclosure?
  • What is the legal impact to the organization of unauthorized data disclosure?
  • What is the impact on the image of the organization of unauthorized data disclosure?

Integrity        <500K (1)    500K – 5M (2)   >5M (3)
  • How much revenue can the organization lose when the integrity of the data is not correct?
  • How much revenue can the organization lose through damage to the organization's image when the integrity of the data is not correct?
  • What could be the total financial damage to the organization when the integrity of the data is not correct?

Availability     Low (1)      Medium (2)      High (3)
  • How critical is the application/system for the organization?
  • Does unavailability of the application/system mean financial damage to the organization?
  • What is the expected impact to the organization of clearing the backlog after a period of unavailability?


Looking at this example, the lowest score an information asset can get is C=1, I=1 and A=1 (or CIA=111) and the highest is C=3, I=3 and A=3 (or CIA=333). If the questions within one category give different scores, decide up front how they are combined; taking the highest score in the category is the conservative choice, because one severe answer should not be averaged away by two mild ones.
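As an added worked example (not part of the original page), the Python below scores an asset with the three questions per category from the sample table above, combines the scores into the CIA notation, and checks the two controls from the example control ruleset on this page (every asset in the inventory classified, rating reviewed within a year). The aggregation rule (highest score per category), the placement of the 500K and 5M boundary values in the middle band, the asset names, loss estimates and review dates are all assumptions made for the example.

```python
"""Worked example (not from the page): score an asset with the page's sample
questions, derive its CIA rating, and audit the example control ruleset.
Aggregation rule, boundary handling, sample assets and dates are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple

LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}


def integrity_band(amount: float) -> int:
    """Map an estimated financial loss (organization's currency) to the page's
    Integrity bands: <500K -> 1, 500K-5M -> 2, >5M -> 3.
    Assumption: the boundary values 500K and 5M fall in the middle band."""
    if amount < 500_000:
        return 1
    if amount <= 5_000_000:
        return 2
    return 3


def category_level(scores: Iterable[int]) -> int:
    """Combine the scores of one category's questions into a single level.
    Assumption: take the highest score. The page fixes no rule; max is the
    conservative choice because one severe answer is not averaged away."""
    scores = list(scores)
    if not scores or any(s not in (1, 2, 3) for s in scores):
        raise ValueError("every question must be scored 1, 2 or 3")
    return max(scores)


@dataclass
class Classification:
    asset: str
    confidentiality: List[int]     # one score (1-3) per Confidentiality question
    integrity_losses: List[float]  # one loss estimate per Integrity question
    availability: List[int]        # one score (1-3) per Availability question
    last_review: date              # when the owner last reviewed the rating

    def levels(self) -> Tuple[int, int, int]:
        c = category_level(self.confidentiality)
        i = category_level(integrity_band(x) for x in self.integrity_losses)
        a = category_level(self.availability)
        return c, i, a

    def cia(self) -> str:
        """Rating in the page's notation, e.g. '333' for C=3, I=3, A=3."""
        return "".join(str(v) for v in self.levels())


def audit(inventory: Iterable[str], classified: Dict[str, Classification],
          today: date, max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Check the example control ruleset: every inventoried asset has a
    classification, and the rating was reviewed within max_age_days.
    Returns (asset, finding) pairs; an empty list means compliant."""
    findings = []
    for asset in inventory:
        cls = classified.get(asset)
        if cls is None:
            findings.append((asset, "not classified"))
        elif (today - cls.last_review).days > max_age_days:
            findings.append((asset, "review overdue"))
    return findings


# Constructed sample data: an inventory of three assets, two of them classified.
TODAY = date(2024, 3, 1)
INVENTORY = ["payroll", "intranet-wiki", "legacy-ftp"]
CLASSIFIED = {
    "payroll": Classification(
        asset="payroll",
        confidentiality=[3, 3, 2],                    # financial / legal / image
        integrity_losses=[2_000_000, 300_000, 6_000_000],
        availability=[2, 2, 1],
        last_review=date(2024, 1, 10),
    ),
    "intranet-wiki": Classification(
        asset="intranet-wiki",
        confidentiality=[1, 1, 2],
        integrity_losses=[100_000, 50_000, 200_000],
        availability=[1, 1, 1],
        last_review=date(2022, 6, 1),                 # older than a year
    ),
}

if __name__ == "__main__":
    for name, cls in CLASSIFIED.items():
        c, i, a = cls.levels()
        print(f"{name}: CIA={cls.cia()} "
              f"(C={LEVEL_NAMES[c]}, I={LEVEL_NAMES[i]}, A={LEVEL_NAMES[a]})")
    for asset, finding in audit(INVENTORY, CLASSIFIED, TODAY):
        print(f"FINDING {asset}: {finding}")
```

With the sample data, payroll scores CIA=332 (the single 6M integrity estimate pushes I to 3 under the max rule) and intranet-wiki scores CIA=211; the audit reports intranet-wiki as overdue for review and legacy-ftp as not classified. Replace the max rule in category_level if your policy prescribes a different aggregation.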

When you have a classification method in place and you understand the importance of the applications and systems in use, you can prioritize which controls need to be set up first and which can be set up at a later stage.

Risks

Set up a classification process that is supported by the organization. If your organization is just starting a security certification process, you might want to keep it simple, but if your organization already has experience with classification, you might want to extend the classification process with Business Continuity requirements, such as Recovery Time Objectives.

Don’t make the classification process too difficult. People who are not security minded should be able to understand your process and go through it quickly.


Example Control Ruleset

When the following controls are in place, you should be compliant for this topic:

  • All applications and systems are classified according to the classification process.
  • The classification rating is reviewed at least annually by the responsible owner of the application or system.


Related links

Data Discovery & Classification using Azure
Data classification using AWS
Automating the classification of data used in Google Cloud