Asset/data classification
Objectives and Benefits
- determines protection level (primary)
- determines appropriate levels of information resource protection
- identifies data owners for data classification
- business value including contribution to revenue
- supports principles of security proportionality
- identifies controls commensurate with impact
- determines the priority and extent of risk mitigation efforts
Consider
- data retention policies
- methodologies based on exposure, with regard to data and the protection lifecycle
- the best method to classify data is an assessment, by the data owner, of the impact associated with compromise of the data
- data protection strategies
- user awareness of data classification schemas, to reduce the cost of overprotection and the risk of underprotection of assets
- classification is based on criticality and sensitivity
- impacts of data breaches
- potential financial losses
Greatest challenges
- inaccurate valuation of information assets
Roles and responsibilities
Information owner: determines the classification of information across the information owner’s scope of responsibility
Prerequisites
Identifying data owners is the first step in implementing data classification