sunhux asked:

sample Data Classification documents

I'm writing a doc on Data Classifications (taking local regulatory practices into context, with
international practices such as GDPR as optional). The data we have in mind are:

a) our customers' particulars (which include their NRIC#, i.e. the equivalent of the Social Security # in the
    US, their mobile/tel# and addresses: guess all these are PII)

b) bank account numbers of the customers (for payments)

c) the transactions, including historical transaction details (customers' sea-port clearances
    as well as the volume & types of goods they move through our sea-port)

d) IP addresses of customers who connect to us, internal IP addresses/hostnames of our
    servers

So for each data class, I need to identify:
1. whether it must be hosted within our country if we use cloud (& whether this depends on IaaS, SaaS or PaaS)
2. whether backups of the data must be encrypted
3. whether data at rest/in transit must be encrypted
4. whether it is to be classified as Restricted, Confidential, Secret, or any other category
5. which categories are to be detected by DLP & which are to be blocked by DLP
6. any other actions for each of the data categories

If there are such sample docs out there, care to point me to them?
Tags: Data Security, OS Security, Security
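Item 5 above asks which categories DLP should detect versus block. As an added illustration (not part of the original thread, and not any vendor's DLP rule), the Python below shows the kind of content rule that decision turns into for the NRIC example in item (a): a regular expression finds NRIC-shaped tokens and the commonly documented weighted checksum for the S/T and F/G series filters out look-alikes, so a checksum-valid hit can be blocked while a malformed one is only logged. The block/detect/allow policy, the sample records and the function names are assumptions made here for illustration; the checksum confirms format only, not that a number was actually issued.

```python
import re
from typing import List, Tuple

# Check letters for the two NRIC/FIN families (S/T and F/G prefixes), indexed by
# the weighted sum modulo 11. This is the widely documented algorithm, not an
# official specification.
_ST_LETTERS = "JZIHGFEDCBA"
_FG_LETTERS = "XWUTRQPNMLK"
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)

# Candidate pattern: prefix letter, seven digits, check letter. Word boundaries
# stop us matching inside longer alphanumeric strings such as hostnames.
NRIC_CANDIDATE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")


def nric_checksum_ok(token: str) -> bool:
    """Return True if token is a structurally valid NRIC/FIN (S/T/F/G series)."""
    m = NRIC_CANDIDATE.fullmatch(token.upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS))
    if prefix in "TG":          # the later series add an offset before the modulo
        total += 4
    letters = _ST_LETTERS if prefix in "ST" else _FG_LETTERS
    return letters[total % 11] == check


def find_nrics(text: str) -> List[Tuple[str, bool]]:
    """Scan free text; return each NRIC-shaped token with its checksum result."""
    return [(m.group(0), nric_checksum_ok(m.group(0)))
            for m in NRIC_CANDIDATE.finditer(text.upper())]


def dlp_verdict(text: str) -> str:
    """Assumed policy (an illustration, not from the thread): a checksum-valid
    NRIC means customer PII and the content is blocked; an NRIC-shaped token that
    fails the checksum is only logged for review (likely a typo or test data);
    anything else is allowed."""
    hits = find_nrics(text)
    if any(ok for _, ok in hits):
        return "block"
    if hits:
        return "detect"
    return "allow"


# Constructed sample records for the demo; none refer to real people or systems.
SAMPLE_RECORDS = {
    "invoice_note": "Payment received from S1234567D for port clearance #4471",
    "test_fixture": "dummy id S1234567A used in UAT",
    "host_inventory": "app01 10.0.4.12 app02 10.0.4.13",
}

if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        print(f"{name:15s} -> {dlp_verdict(text):6s} {find_nrics(text)}")
```

The checksum step is what keeps the rule usable: a bare `[STFG]\d{7}[A-Z]` pattern would also fire on every seven-digit reference code that happens to sit between two letters, and a blocking rule with that false-positive rate would be switched off within a week. Bank account numbers (item b) have no comparable check digit across banks, so they are usually handled by field-level tagging at the source rather than by content inspection.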

ASKER CERTIFIED SOLUTION
btan

sunhux (ASKER):

Thanks very much; if there's a sample of such a doc from the local
Govtech/IDA, it will be most welcome as well. Will close this
thread in 3 days if there are no further inputs or other samples.
btan:

There is data.gov.sg, but that searches across all data types rather than by sensitivity. If you need the framework, then your local authority or regulator may advise. You may want to go through your internal governance team first.
sunhux (ASKER):

I'm the internal governance team & it's the regulator that asks me to
come up with a Data Classification, as we plan to host Teammate+
(if it's SaaS, it's TeamCloud) in a cloud.

I suppose Teammate+ contains sensitive financial data for auditors
to analyse fraud etc. Anticipate some customers' data, including
NRIC, will be included as well.
sunhux (ASKER):

Thought NIST has a Data Classification Framework, FIPS 199 or 200,
but its PDF is nowhere to be found.
btan:

There should be guidance on the type of data based on impact, as well as a sensitivity framework. What you are looking at is identifying the data types that fall into those classifications and categories of sensitivity.

You can take a look at the sample from other organisations using FIPS 199 & NIST 800-60.
There will be a two-pronged approach to data protection and management:

Classification strategy: This strategy entails classifying data elements into three categories (Highly Confidential, Confidential, and Public) to undertake appropriate protection measures. This strategy will be more relevant to the data and business process owners who would have responsibility for classifying data, as well as individuals (data users) who use or access data on a regular basis.

System Security Categorization and Control strategy: This strategy entails mapping appropriate controls for each information type based on the level of risk to the confidentiality, integrity, or availability of information. The strategy will be more relevant to the technical and executive audience (data owners, stewards and custodians) who are directly responsible for securing the data. This strategy applies primarily to information systems rather than data elements.

(doc) https://www.cu.edu/sites/default/files/CUdataclassification.docx
SOLUTION
btan