Data Security Classification
Define information security classes, and provide guidelines on protection levels and access controls appropriate to each class.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Data Security Classification at each level of maturity.
- 2 Basic
  - Practice
    - Establish information security classes and basic guidelines for protection levels and access controls, and apply these to some datasets such as financial records and employee records.
  - Outcome
    - Data breaches become less likely since the sensitive data that ought to be protected is identified and beginning to be classified.
  - Metric
    - % of datasets with security classifications.
- 3 Intermediate
  - Practices
    - Document information security classes and apply these on all new projects.
    - Put guidelines in place for protection levels and access controls for most architecture layers inclusive of networks, IT services, and data stores, such as network-attached storage and databases.
  - Outcome
    - Data classifications are extended and facilitate appropriate confidential business uses of key datasets.
  - Metrics
    - % of datasets with security classifications.
    - # of outstanding security metadata requests.
    - % of unused security metadata attributes.
    - % of data classifications in active use.
- 4 Advanced
  - Practices
    - Ensure availability of comprehensive information security classes across all datasets.
    - Put in place advanced security controls, monitoring, evidential logging, and anomaly responses for all architecture layers, inclusive of networks, IT services, data stores, compute centres, and end devices.
  - Outcome
    - A comprehensive inventory and appropriate classification of all data exists, and protection levels and controls are effective.
  - Metrics
    - % of datasets with security classifications.
    - # of outstanding security metadata requests.
    - % of unused security metadata attributes.
    - % of data classifications in active use.
- 5 Optimized
  - Practice
    - Continually update information security classes and their associated protection levels based on the latest recommendations from security agencies and vendors, and emerging research.
  - Outcome
    - Data classifications continually facilitate the efficient and effective use of data and information in a secure manner.
  - Metrics
    - Frequency of review cycle.
    - # of outstanding update requests.