I need to write an internal procedure on how to handle confidential data. Can you offer some
suggestions?
The goals of data classification are listed below:
- Availability, integrity and confidentiality are provided at the necessary levels for all identified assets
- Return on investment by implementing controls where they are needed the most
- Map data protection levels with organizational needs
- Mitigate threats of unauthorized access and disclosure
- Comply with legal and regulation requirements
The steps to develop and roll out a
- Compile an inventory of all information assets
- Define levels of protection for information assets
- Define classification criteria
- Develop information classification policy
- Define information handling and labeling procedures
- Assign responsibility for classification to the owner of information
- Assign a security classification to all information assets
- Classify information according to sensitivity and how much protection is required
- Apply the classification system to documents, records, data files, and disks.
- Develop information handling procedures for each class of information
- Develop information labeling procedures for each class of information
- Integrate into security awareness and training programs
You should have a data classification policy that covers the following:
- Information as assets of individual business units
- Declare business unit managers as information owners
- Declare IT as data custodians
- Classification scheme
- Definitions for each classification
- Criteria for each classification
- Roles and responsibilities of classification
Your written procedures and guidelines should address the following:
- How to classify information
- How to change classification level if needed
- How to communicate classification change to IT
- Periodic review of:
  - Current classification levels and mapping to business needs
  - Current access rights and privileges
  - Protection levels that current controls are using
The NIST 800-60 document may be too "DoD centric" and an overkill for your needs, but this document has the necessary guidelines to develop and maintain a structured data classification program.
Sun provides a more digestible and understandable approach, which can be found at http://www.sun.com/blueprints/tools/samp_sec_pol.pdf
Lastly, this link provides detailed guidelines for how to treat different types of data.
