IVI Framework Viewer

Data Identification and Classification

D1

Define information security classes, and provide guidance on protection and access control appropriate to each class.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Data Identification and Classification at each level of maturity.

1 Initial
  • Practice
    Classify highly sensitive data such as payroll, health, and other sensitive material.
    Outcome
    Confidentiality and sensitivity around payroll and HR-related data is facilitated.
    Metric
    # People and systems with unapproved access
    # Authorized people or systems without access
2 Basic
  • Practice
    Classify key sensitive data with respect to business use and confidentiality. Request meta-data attributes to support the management of data classifications.
    Outcome
    Data breaches become less likely because the data that ought to be protected is identified.
    Metric
    % Unclassified data volumes/privacy classified data volumes
3 Intermediate
  • Practice
    Have IT and business units jointly develop data, network and systems classification guidelines for security. Use security classification meta-data consistently across IT and participating business units.
    Outcome
    Data classifications facilitate the appropriately confidential business uses of data. Consistency and compliance are improving in relation to data usage and characterizations.
    Metric
    # Outstanding security meta-data requests
    # Unused security meta-data attributes
    % Unused security meta-data attributes
4 Advanced
  • Practice
    Use security classification meta-data consistently across IT and business units. Regularly review and improve security classifications enabling flexibility, cost reductions and efficiency of IT operations across the organization.
    Outcome
    An inventory of available data exists and it is appropriately classified. Classification meta-data is enabling business functions and helping to protect data as necessary. Security classifications evolve with the business and do not become a hindrance to agility.
    Metric
    % Data classifications in active use/Data classifications
    # Business units not participating in data classification activities
    # Classification requests open
5 Optimized
  • Practice
    Conduct regular audits to gain an accurate view of the nature and use (and in particular the efficiency of use) of the data held by the organisation.
    Outcome
    Data classification meta-data facilitates the efficient and effective use of data and information that is secured and safe.
    Metric
    # Unclassified (internal/external) data sources or structures
    # Outstanding update requests
    ~ Efficiency of use trends