Overview#

Data Classification is part of Information Lifecycle Management and may also be referred to as Data Taxonomy.

Data Classification, in the context of Information Rights Management, is the classification of data based on its level of sensitivity and the impact to the Organizational Entity or Personal Entity should that data be subject to Disclosure-Alteration-Destruction (DAD) without authorization.

Data Classification may be dictated by Regulatory Compliance or Standard Compliance, some of which are identified under IDM Related Compliance Items.

Data Classification types#

Data Classification types could be:

Microsoft Azure Information Protection recommendations [4]#

Microsoft recommends:

Microsoft recommends that these "tags" always be used, including within Microsoft products (i.e. Word, Excel, etc.), and is working with DLP vendors so that their products recognize these "default" Data Classifications and take appropriate actions based on them.

NIST.SP.800-63 Data Classification#

Making certain attribute values available to a Relying Party can carry National Security implications. In situations where this may be the case, identification of such data values at the time of exchange can be absolutely crucial to ensuring that they are appropriately handled and protected across the data lifecycle.

The recommended values for use in Data Classification are:

As with all classified information, the determination of the classification level for any data must be made by the appropriate U.S. Federal Government authority, and the integrity of this classification must be maintained as the data is transmitted or stored by IT systems.

Releasability [2] [3]#

Releasability refers to restrictions that may be placed on the Confidentiality of data values.

The recommended data values for this element include:

  • Sensitive But Unclassified (SBU) is a releasability restriction often used.
  • FOUO - For Official Use Only
  • NATO - The data value is releasable to NATO allies only and should not be distributed to other foreign nationals.
  • NOFORN - The data is not releasable to any foreign nationals.
  • FVEY - The data is releasable to Five Eye nations only.
  • Public Release - The data is explicitly approved for Public release.
  • Externally Releasable for Business Purposes - The data value has been explicitly approved for release to external parties, but for approved business purposes only. For example, this may be leveraged by an entity to approve the release of attribute values as part of a federated environment supporting their supply chain.
  • Do Not Release - The data has not been approved for release beyond the originating organization.
  • None - There are no distribution or release caveats associated with the data. This, however, does not mean that the data may be freely distributed.

Example Data Classification#

While each Entity's Data Classification will be different, it may be helpful to see an Example Data Classification, as shown below.

The Data Classification helps determine what baseline security controls are appropriate for safeguarding that data. All Organization data should be classified into one of three sensitivity levels, or classifications:

Restricted Data Example#

Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the Organization or its affiliates. Examples of Restricted data include:

The highest level of security controls should be applied to Restricted data.

Private data Example#

Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the Organization or its affiliates. By default, all Organization Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public data Example#

Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the Organization and its affiliates. Examples of Public data include press releases, sales brochures and advertising publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the Organization who oversee the Information Lifecycle Management of one or more sets of Organization Data.
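As an added example (not part of this page, of NIST SP 800-63, or of any product), the following Python combines the Releasability caveats listed above with the three-level scheme and its default-to-Private rule into a release-time check that an attribute provider could run before handing a value to a Relying Party. The `RelyingParty` fields, the country sets (originating nation assumed to be the US, NATO set deliberately partial) and the internal-only treatment of SBU/FOUO are assumptions made for the example.

```python
from dataclasses import dataclass

# Nationality-based caveats from the Releasability list. The country sets are
# assumptions for this example: the originating nation is taken to be the US
# and the NATO set is deliberately partial.
FIVE_EYES = {"US", "GB", "CA", "AU", "NZ"}
NATO_ALLIES = {"US", "GB", "CA", "DE", "FR", "IT", "NL", "NO", "PL", "TR"}
NATIONALITY_CAVEATS = {"NOFORN": {"US"}, "FVEY": FIVE_EYES, "NATO": NATO_ALLIES}

# Baseline control expectation per level, as described in the examples above.
BASELINE_CONTROLS = {
    "Restricted": "highest level of security controls",
    "Private": "reasonable level of security controls",
    "Public": "integrity controls only; no confidentiality controls required",
}

@dataclass(frozen=True)
class RelyingParty:
    """Recipient of an attribute value (constructed for the example)."""
    name: str
    nationality: str                   # ISO 3166 alpha-2 code
    internal: bool                     # belongs to the originating organization
    business_purpose_approved: bool = False

def effective_classification(tag):
    """Default rule from the page: anything not explicitly Restricted or Public is Private."""
    return tag if tag in ("Restricted", "Public") else "Private"

def release_allowed(classification, caveat, rp):
    """Return (allowed, reason) for handing one attribute value to rp."""
    level = effective_classification(classification)
    if caveat in NATIONALITY_CAVEATS:           # applies whether rp is internal or not
        ok = rp.nationality in NATIONALITY_CAVEATS[caveat]
        return ok, f"{caveat}: nationality {rp.nationality} {'permitted' if ok else 'not permitted'}"
    if rp.internal:
        return True, "recipient is within the originating organization"
    if caveat == "Public Release":
        return True, "explicitly approved for public release"
    if caveat == "Externally Releasable for Business Purposes":
        return rp.business_purpose_approved, "external release needs an approved business purpose"
    if caveat in ("Do Not Release", "FOUO", "SBU"):  # SBU/FOUO treated as internal-only (assumption)
        return False, f"{caveat}: not releasable beyond the originating organization"
    # caveat "None": no caveat, which the page notes does not mean free distribution
    if level == "Public":
        return True, f"Public data, no caveat ({BASELINE_CONTROLS[level]})"
    return False, f"{level} data with no caveat: release requires Data Steward approval"
```

Note that an attribute carrying no classification tag at all is treated as Private, so it is withheld from external parties until a Data Steward classifies it.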

More Information#

There might be more information for this subject on one of the following:
https://youtu.be/GWcnZFMPcnE

This page (revision-46) was last changed on 02-Mar-2017 12:45 by jim