Data Identification and Classification
Define information security classes, and provide guidance on protection and access control appropriate to each class.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Data Identification and Classification at each level of maturity.
- 1 Initial
  - Practice: Classify highly sensitive data such as payroll, health, and other sensitive material.
  - Outcome: Confidentiality and sensitivity around payroll and HR-related data is facilitated.
  - Metric:
    - # People and systems with unapproved access
    - # Authorized people or systems without access
- 2 Basic
  - Practice: Classify key sensitive data with respect to business use and confidentiality. Request meta-data attributes to support the management of data classifications.
  - Outcome: Data breaches become less likely, since the data that ought to be protected is identified.
  - Metric:
    - % Unclassified data volumes / privacy-classified data volumes
- 3 Intermediate
  - Practice: Have IT and business units jointly develop data, network and systems classification guidelines for security. Use security classification meta-data consistently across IT and participating business units.
  - Outcome: Data classifications facilitate the appropriately confidential business uses of data. Consistency and compliance are improving in relation to data usage and characterizations.
  - Metric:
    - # Outstanding security meta-data requests
    - # Unused security meta-data attributes
    - % Unused security meta-data attributes
- 4 Advanced
  - Practice: Use security classification meta-data consistently across IT and business units. Regularly review and improve security classifications, enabling flexibility, cost reductions and efficiency of IT operations across the organization.
  - Outcome: An inventory of available data exists and it is appropriately classified. Classification meta-data is enabling business functions and helping to protect data as necessary. Security classifications evolve with the business and do not become a hindrance to agility.
  - Metric:
    - % Data classifications in active use / Data classifications
    - # Business units not participating in data classification activities
    - # Classification requests open
- 5 Optimized
  - Practice: Conduct regular audits to gain an accurate view of the nature and use (and in particular the efficiency of use) of the data held by the organization.
  - Outcome: Data classification meta-data facilitates the efficient and effective use of data and information that is secured and safe.
  - Metric:
    - # Unclassified (internal/external) data sources or structures
    - # Outstanding update requests
    - ~ Efficiency of use trends