Commercial Data Classification
Criteria by which commercial data is classified include:
- Value: The most common classification criterion in commercial organizations.
- Age/useful life: Information that loses value over time, becomes obsolete or irrelevant, or becomes common/public knowledge is classified this way.
- Regulatory requirements: Private information, such as medical records
Data Classification Procedures
The standard steps for classifying data are as follows:
- Define classification levels
- Identify the criteria that determine the classification of data
- Identify data owners
- Identify the data custodians (they are responsible for maintaining data and its security level)
- Indicate the security controls
- Document any exceptions
- Indicate the methods that can be used to transfer custody of the information to a different data owner
- Create a procedure to review the classification and ownership periodically
- Indicate procedures for declassifying the data.
- Integrate these issues into the security-awareness program
There are no specific rules for classifying the levels of data. The following can be considered as two proposed classifications:
- Data classification for commercial businesses
- Data classification for the military
- Data classification for the government
Each classification should have different procedures relating to how data is accessed, used, and destroyed. For example:
- Public: In this classification, disclosure is not acceptable.
- Private: It is appropriate to use the information of individuals in the organization.
- Sensitive: It is appropriate where a higher level of assurance of completeness and accuracy is required.
- Confidential: Personal information of personnel, programming codes of the organization’s proprietary software, military and government information. Confidential information is the lowest level of classified government information.
- Unclassified: Data that is insignificant or cannot be classified (perhaps because it is not structured).
- Sensitive but classified: For example, medical data.
- Secret: If disclosed, it could cause serious damage to national security or organizational security.
- Top Secret: If disclosed, it could cause crucial damage to national security or organizational security.
Asset classification depends on the CIA values.
- Confidentiality: Unauthorized users should not view the information.
- Integrity: Unauthorized users should not modify the information.
- Availability: Authorized users can access the information.
Parameters that are involved in an asset may include monetary value, intellectual property value, legal and regulatory requirements, privacy requirements and competitive advantage, and so on.