sunhux asked on

sample Data Classification documents

I'm writing a doc on Data Classifications (taking local regulatory practices into context, with
international practices such as GDPR as optional).  The data we have in mind are:

a) our customers' particulars (which include their NRIC#, i.e. the equivalent of a Social Security # in the
    US, their mobile/tel# and addresses; I guess all these are PII)

b) bank account numbers of the customers (for payments)

c) the transactions, including historical transaction details (customers' sea-port clearances
    as well as the volume & types of goods they move through our sea-port)

d) IP addresses of customers who connect to us, and the internal IP addresses/hostnames of our
    servers

So for each data class, I need to identify:
1. whether it must be hosted within our country if we use cloud (& if this is IaaS, SaaS or PaaS)
2. whether backups of the data must be encrypted
3. whether data at rest/in transit must be encrypted
4. whether it is to be classified as Restricted, Confidential, Secret, or any other category
5. which category is to be detected by DLP & which category is to be blocked by DLP
6. any other actions for each of the data categories

If there are such sample docs out there, care to point me to them?
Tags: Data Security, OS Security, Security
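Point 5 of the question (what DLP should detect versus block) is the one part that can be shown in code. The block below is an added example, not from the original post or from any of the products mentioned: a toy DLP scanner for the four data classes a) to d). The classification/action table is a hypothetical placeholder that a regulator or internal policy would have to supply; the NRIC check-letter algorithm is the publicly documented one (weights 2,7,6,5,4,3,2; T/G prefixes add 4, M adds 3; sum mod 11 indexes a letter table), and it is used so that random "S + 7 digits + letter" strings do not trigger a block. Bank account numbers have no checksum the scanner can rely on, so, as an assumption, they are only reported when an "account no"-style keyword precedes them. Internal versus customer IP addresses are told apart by RFC 1918 membership.

```python
"""Toy DLP classifier for the four data classes in the question above.

Added example, not part of the original post. POLICY is a hypothetical
class/action table; the real mapping must come from the regulator and
internal governance. Sample text at the bottom is constructed, not real data.
"""
import ipaddress
import re
from typing import Optional

# Hypothetical policy table: detector name -> (classification, DLP action)
POLICY = {
    "nric": ("Restricted", "block"),
    "bank_account": ("Restricted", "block"),
    "internal_ip": ("Confidential", "detect"),
    "public_ip": ("Internal", "detect"),
}
# Ordering used to pick the highest class found in one document
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

NRIC_RE = re.compile(r"\b([STFGM])(\d{7})([A-Z])\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: a bank account number is only reported when a keyword precedes it
BANK_RE = re.compile(
    r"\b(?:account|a/c)\s*(?:no\.?|number|#)?\s*[:\-]?\s*(\d{9,12})\b", re.I
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def nric_check_letter(prefix: str, digits: str) -> str:
    """Expected check letter for a 7-digit NRIC/FIN body (public algorithm)."""
    weights = (2, 7, 6, 5, 4, 3, 2)
    total = sum(int(d) * w for d, w in zip(digits, weights))
    total += {"T": 4, "G": 4, "M": 3}.get(prefix, 0)
    if prefix in "ST":
        table = "JZIHGFEDCBA"
    elif prefix in "FG":
        table = "XWUTRQPNMLK"
    else:  # M series
        table = "XWUTRQPNJLK"
    return table[total % 11]


def is_valid_nric(value: str) -> bool:
    """True only if the string has NRIC shape and a correct check letter."""
    m = NRIC_RE.fullmatch(value.upper())
    return bool(m) and nric_check_letter(m.group(1), m.group(2)) == m.group(3)


def classify_ip(addr: str) -> Optional[str]:
    """'internal_ip' for RFC 1918 space, 'public_ip' otherwise, None if not an address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # e.g. 999.1.1.1 passed the loose regex
        return None
    return "internal_ip" if any(ip in net for net in RFC1918) else "public_ip"


def scan(text: str) -> dict:
    """Return every finding plus the highest class present and the DLP action for it."""
    findings = []
    for m in NRIC_RE.finditer(text):
        if is_valid_nric(m.group(0)):  # checksum cuts false positives
            findings.append(("nric", m.group(0)))
    for m in BANK_RE.finditer(text):
        findings.append(("bank_account", m.group(1)))
    for m in IPV4_RE.finditer(text):
        kind = classify_ip(m.group(0))
        if kind:
            findings.append((kind, m.group(0)))
    if not findings:
        return {"findings": [], "class": "Public", "action": "allow"}
    top = max(findings, key=lambda f: RANK[POLICY[f[0]][0]])
    cls, action = POLICY[top[0]]
    return {"findings": findings, "class": cls, "action": action}


if __name__ == "__main__":
    # Constructed sample line, not real customer data
    sample = ("Customer Tan, NRIC S1234567D, account no 123456789012, "
              "connected from 203.0.113.7 to srv01 (10.0.0.5)")
    print(scan(sample))
```

The scan returns the highest class hit so that a single document containing both an internal hostname/IP (detect only) and an NRIC (block) is blocked as a whole, which is the usual DLP semantics; swap the POLICY table for whatever the regulator's scheme (Restricted/Confidential/Secret or otherwise) turns out to be.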

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
btan
Log in or sign up to see answer
ASKER
sunhux

Thanks very much; if there's a sample of such a doc from the local
GovTech/IDA, it will be most welcome as well.  Will close this
thread in 3 days if there are no further inputs or other samples.
btan

There is data.gov.sg, but that is a search across all data types, not an indication of sensitivity. If you need the framework, then your local authority or regulator may advise. You may want to go through your internal governance team first.
ASKER
sunhux

I'm the internal governance team & it's the regulator that asked me to
come up with a Data Classification, as we plan to host Teammate+
(if it's SaaS, it's TeamCloud) in a cloud.

I suppose Teammate+ contains sensitive financial data for auditors
to analyse fraud etc.  I anticipate that some customers' data, including
NRIC, will be included as well.
ASKER
sunhux

Thought NIST has a Data Classification Framework, FIPS 199 or 200,
but its PDF is nowhere to be found.
btan

There should be guidance on the type of data based on impact, as well as the sensitivity framework. What you are looking at is identifying the data types that fall into those classifications and categories of sensitivity.

You can take a look at the sample from other organisations using FIPS 199 & NIST 800-60.
There will be a two-pronged approach to data protection and management:

Classification strategy: This strategy entails classifying data elements into three categories (Highly Confidential, Confidential, and Public) to undertake appropriate protection measures. This strategy will be more relevant to the data and business process owners who would have responsibility for classifying data, as well as individuals (data users) who use or access data on a regular basis.

System Security Categorization and Control strategy: This strategy entails mapping appropriate controls for an information type based on the level of risk to the confidentiality, integrity, or availability of the information. The strategy will be more relevant to the technical and executive audience (data owners, stewards and custodians) who are directly responsible for securing the data. This strategy applies primarily to information systems rather than data elements.
(doc) https://www.cu.edu/sites/default/files/CUdataclassification.docx
ASKER
sunhux

SOLUTION
btan

Log in or sign up to see answer