Running head: Data and information classification scheme, asset classification and key business processes 1
Data and information classification scheme, asset classification, and key business processes
Data and information classification is the foundation of the effort to ensure that sensitive data is handled appropriately, since data protection is critical to an organization’s profitability and survival. To secure the data, the organization must first identify exactly what is to be protected. It needs to determine the value of data at the time of its creation, separate information that is likely to be targeted from less valuable information, and make informed decisions about allocating resources to protect that information from unauthorized access. An effective data classification scheme should therefore be created.
Restricted data
This includes highly sensitive customer and corporate data that, if disclosed, may expose the organization to high legal or financial risk. Access to this data should be the most limited and its integrity protected to the highest degree, since its disclosure would cause the most damage to the organization. Loss or modification of the data can also affect the organization’s assets, operations, and individuals. It includes the data the organization is legally obligated to safeguard most stringently, such as personally identifiable information: financial account numbers, credit card information, social security numbers, protected health information, unencrypted keys and passwords, and criminal background information collected by an application (Kolhe, Trivedi, Tiwari, & Singh, 2018).
Confidential data
This is data that is less restricted within the company but may still cause significant damage if disclosed. It is sensitive enough that a compromise could negatively affect the organization’s operations, harming individuals or the business as a whole. It includes contracts with vendors, investors’ information, and employee reviews.
Internal data
This includes information that is potentially sensitive and is not intended for disclosure to the public; if disclosed, it could reduce the organization’s competitive advantage. The data includes the technical specifications of a new product, employees’ contact lists, internal memos, correspondence, sales playbooks, and organizational charts.
Public data
This is the least sensitive data used in the organization and causes the least harm if disclosed. It is freely disclosed to the public regardless of their affiliation with the organization. It includes the organization’s directory, marketing materials, price lists, and job postings (Dimon, 2013).
In alignment with the data and information classification scheme, IT assets should be classified as follows:
Identification of information system owners
Information system owners are responsible for ensuring that the organization’s data carries a security classification. Where information is generated externally, the information system owner should classify it and direct how it is controlled within the organization.
Assessment of data vulnerabilities
A risk assessment should be performed and the vulnerabilities attributed to each information asset considered. The relevant data security issues include data control, data encryption, the blending of data with other customers’ data, the business processes affected should a security breach occur, and data backup frequency (Lee, 2013).
Application of controls to data
Controls are applied to ensure that specific data receives appropriate protection. They include the ‘need to know’ principle, which states that data should be made available only to those who need it to do their work, and a clear desk policy, which requires that classified data is secured and that unauthorized users cannot access any network, system, or electronic material related to the data.
Audit logs
To maintain the integrity and confidentiality of classified data, a strict logging process is to be established as part of the security classified data register. It should be designed so that it provides a trail of evidence that can be used to identify illegal or inappropriate access to data.
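The tiered scheme, the ‘need to know’ control and the audit trail described above can be combined in one small register. The following is an added illustration, not code from the paper; the field names, user names and clearance values are constructed for the example.

```python
"""Classification register: records inherit the highest tier of their fields,
access requires both clearance and need-to-know, and every decision is logged
so that repeated denied attempts on sensitive data can be reviewed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Hypothetical field names mapped to the paper's four tiers.
FIELD_TIERS: Dict[str, Tier] = {
    "ssn": Tier.RESTRICTED, "card_number": Tier.RESTRICTED, "health_record": Tier.RESTRICTED,
    "vendor_contract": Tier.CONFIDENTIAL, "employee_review": Tier.CONFIDENTIAL,
    "org_chart": Tier.INTERNAL, "product_spec": Tier.INTERNAL,
    "price_list": Tier.PUBLIC, "job_posting": Tier.PUBLIC,
}


def classify(record: Dict[str, str]) -> Tier:
    """Highest tier of any field present; unknown fields default to INTERNAL
    (nothing is treated as public until an owner has classified it)."""
    return max((FIELD_TIERS.get(k, Tier.INTERNAL) for k in record), default=Tier.PUBLIC)


@dataclass
class Register:
    clearance: Dict[str, Tier]            # per-user maximum tier
    need_to_know: Dict[str, Set[str]]     # per-user asset ids they are authorized for
    audit: List[dict] = field(default_factory=list)

    def access(self, user: str, asset_id: str, record: Dict[str, str]) -> bool:
        tier = classify(record)
        # Public data is open to all; otherwise clearance AND need-to-know must both hold.
        allowed = tier == Tier.PUBLIC or (
            self.clearance.get(user, Tier.PUBLIC) >= tier
            and asset_id in self.need_to_know.get(user, set()))
        self.audit.append({"user": user, "asset": asset_id, "tier": tier.name, "allowed": allowed})
        return allowed


def suspicious_users(audit: List[dict], threshold: int = 2) -> List[str]:
    """Audit review: users with `threshold` or more denied attempts on sensitive tiers."""
    denied: Dict[str, int] = {}
    for entry in audit:
        if not entry["allowed"] and entry["tier"] in ("RESTRICTED", "CONFIDENTIAL"):
            denied[entry["user"]] = denied.get(entry["user"], 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)
```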
Disposal of data
Disposal of any of the organization’s information should follow the appropriate guidelines to ensure the confidentiality and security of that information (Manaf, Ahmad, & Sahibuddin, 2011).
For the organization’s data and information to remain confidential, strict policies should be put in place to ensure these objectives are met. The policies are as follows:
All data and information must be uniquely identified, assigned an information system owner, and given an information classification. The security classification should be used to assess potential impact. The information system owner is responsible for adherence to the information management and security policy.
Information system owners should ensure that appropriate controls are in place for monitoring their data and information, authorizing and revoking their access, and addressing any audit needed.
All of the organization’s users who have access to the data and information are to be made aware of the information management and security policy, its procedures, and their responsibility for maintaining information security (Klitou, 2014).
References
Dimon, R. (2013). Enterprise performance management done right: An operating system for your organization. Hoboken, NJ: John Wiley & Sons.
Klitou, D. (2014). Privacy-invading technologies and privacy by design: Safeguarding privacy, liberty and security in the 21st century. The Hague: Asser Press.
Kolhe, M., Trivedi, M. C., Tiwari, S., & Singh, V. K. (2018). Advances in data and information sciences: Proceedings of ICDIS-2017, Volume 1. Singapore: Springer.
Lee, R. (2013). Computer and information science. New York: Springer.
Manaf, A. A., Ahmad, R., & Sahibuddin, S. (2011). Information engineering and information science. Berlin, Heidelberg: Springer.