
sample Data Classification documents

Last Modified: 2019-01-01
I'm writing a doc on Data Classifications (taking local regulatory/practices into context with
international practices such as GDPR as optional).  Data we have in mind are:

a) our customers' particulars (which include their NRIC#, i.e. the equivalent of Social Security # in the
    US, their mobile/tel# and addresses: guess all these are PII)

b) bank account numbers of the customers (for payments)

c) the transactions including historical transaction details (customers' sea-port clearances
    as well as the volume & types of goods they put through our sea-port)

d) IP addresses of customers who connect to us, internal IP addresses/hostnames of our
    servers

So for each data class, need to identify if
1. they must be hosted within our country if we use cloud (& if this is IaaS, SaaS, PaaS)
2. backup of the data must be encrypted
3. data at rest/in-transit must be encrypted
4. to be classified as Restricted, Confidential, Secret, or any other categories
5. which category to be detected by DLP & which category to be blocked by DLP
6. any other actions for each of the data categories

If there are such sample docs out there, care to point me to them?

Author

Commented:
Thanks very much; if there's such a sample doc from the local
Govtech/IDA, it will be most welcome as well.  Will close this
thread in 3 days if there are no further inputs or other samples.
btan, Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
There is data.gov.sg, but that search is for all data types, not intermediate of sensitivity. If you need the framework, then probably your local authority or regulator may advise. You may want to go through your internal governance team first.

Author

Commented:
I'm the internal governance team & it's the regulator that asks me to
come up with a Data Classification as we plan to host Teammate+
(if it's SaaS, it's TeamCloud) in a cloud.

I suppose Teammate+ contains sensitive financial data for auditors
to analyse fraud etc.  I anticipate some customers' data including
NRIC will be included as well.

Author

Commented:
Thought NIST has a Data Classification Framework, FIPS 199 or 200,
but its PDF is nowhere to be found.
btan, Exec Consultant

Commented:
There should be guidance on the type of data based on impact as well as the sensitivity framework. What you are looking at is to identify the data types that fall into those classifications and categories of sensitivity.

You can take a look at the sample from other organisations using the FIPS 199 & NIST 800-60.
There will be a two-pronged approach to data protection and management:

Classification strategy: This strategy entails classifying data elements into three categories (Highly Confidential, Confidential, and Public) to undertake appropriate protection measures. This strategy will be more relevant to the data and business process owners who would have responsibility for classifying data as well as individuals (data users) who use or access data on a regular basis.

System Security Categorization and Control strategy: This strategy entails mapping appropriate controls for information type based on the level of risk to the confidentiality, integrity, or availability of information. The strategy will be more relevant to the technical and executive audience (Data owners, stewards and custodians) who are directly responsible for securing the data. This strategy applies primarily to information systems rather than data elements.
(doc) https://www.cu.edu/sites/default/files/CUdataclassification.docx