Data classification, information classification and labeling are required under the following ISO 27001 Annex A domains, control objectives and controls:
A.7 Asset Management
A.7.2 Information Classification
A.7.2.1 Classification Guidelines
A.7.2.2 Information labeling and handling
There was quite a bit of discussion on whether we were going to have a three-tier data classification system or a four-tier data classification system.
It’s really important to get this right as early as possible. What surprised me was:
1) Just how political it was
2) How difficult it was to explain to the stakeholders
3) How difficult it was to get senior management to make a decision and support it
The proposed possible three-tier classification system:

| Classification | Examples |
|---|---|
| Unclassified | Marketing and promotion literature; Annual Financial Reports for Shareholders |
| Protected | Personally Identifiable Information (names with Social Security Numbers, phone numbers, addresses); client-related and business-related information |
| Restricted | Company strategy; privileged data related to how the company is managed; etc. |
The proposed possible four-tier classification system:

| Classification | Examples |
|---|---|
| Unclassified | Marketing and promotion literature; Annual Financial Reports for Shareholders |
| Private | Business-related information |
| Confidential | Personally Identifiable Information (names with Social Security Numbers, phone numbers, addresses) |
| Secret | Company strategy; privileged data related to how the company is managed; etc. |
You may want to study this because it shows how much work, thought, time and diplomacy can be expended to arrive at a business decision about the classification of information assets and data assets.
Which one did I favor? The four-tier classification system.
Best regards,
Bill
William Favre Slater, III, PMP
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
http://billslater.com/career
Chicago, IL