IVI Framework Viewer

Data Security Classification

C1

Define information security classes, and provide guidelines on protection levels and access controls appropriate to each class.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for Data Security Classification at each level of maturity.

2 Basic
  • Practice
    Establish information security classes and basic guidelines for protection levels and access controls, and apply these to some datasets such as financial records and employee records.
    Outcome
    Data breaches become less likely since the sensitive data that ought to be protected is identified and beginning to be classified.
    Metric
    % of datasets with security classifications.
3 Intermediate
  • Practices
    • Document information security classes and apply these on all new projects.
    • Put guidelines in place for protection levels and access controls for most architecture layers inclusive of networks, IT services, and data stores, such as network-attached storage and databases.
    Outcome
    Data classifications are extended and facilitate appropriate confidential business uses of key datasets.
    Metrics
    • % of datasets with security classifications.
    • # of outstanding security metadata requests.
    • % of unused security metadata attributes.
    • % of data classifications in active use.
4 Advanced
  • Practices
    • Ensure availability of comprehensive information security classes across all datasets.
    • Put in place advanced security controls, monitoring, evidential logging, and anomaly responses for all architecture layers, inclusive of networks, IT services, data stores, compute centres, and end devices.
    Outcome
    A comprehensive inventory and appropriate classification of all data exist, and protection levels and controls are effective.
    Metrics
    • % of datasets with security classifications.
    • # of outstanding security metadata requests.
    • % of unused security metadata attributes.
    • % of data classifications in active use.
5 Optimized
  • Practice
    Continually update information security classes and their associated protection levels based on the latest recommendations from security agencies and vendors, and emerging research.
    Outcome
    Data classifications continually facilitate the efficient and effective use of data and information in a secure manner.
    Metrics
    • Frequency of review cycle.
    • # of outstanding update requests.