Sunday, April 13, 2008

Data classification

The reason to classify data is to organize it according to its sensitivity to loss or disclosure, indicating the level of confidentiality, integrity and availability required.

Data classification helps ensure that the data is protected in the most cost-effective manner.

The classification scheme is different in every company, but in general there are two main groups:

Private Business

Normally availability is the main concern: if the service is down, or if data is lost, the result is a monetary loss and damage to the company's image.

Government and military

In government and military, confidentiality is the main concern, integrity is second, and availability is (normally) the least important, because there are secrets to keep and the money does not come from the data or from a service.

The information can be classified as:

- Disclosure is not welcome, but it would not have an adverse impact on the company.

- If disclosed, it could reduce the company's competitive edge.
(technical specifications of a product)

- Confidential: disclosure would seriously affect the company.
(trade secrets, source code)
-> used in both business and military schemes

- Requires special precautions to ensure its integrity.

- Secret: if disclosed, it could cause serious damage to national security.
(military plans)

- Top secret: if disclosed, it could cause grave damage to national security.
(spy satellite data)

- Sensitive but unclassified (SBU): a minor secret.
(medical data)

- Unclassified: data that is not sensitive or classified.

The sensitivity level:
1. Top secret
2. Secret
3. Confidential
4. SBU
5. Unclassified

Data Classification Procedures

1. Identify the custodian responsible for maintaining the data and its security level
2. Define the criteria by which data is classified
3. The data owner sets the classification
4. Specify the security controls required for each classification level
5. Document exceptions to the classification policy
6. Define methods to transfer custody of the data to a different data owner
7. Define procedures for declassifying the data
8. Run a security awareness program so users know how to handle each level


Senior management, and other levels of management, understand the vision of the company, its business goals and objectives.
The next layer is functional management, who understand their departments and how security affects their department.
The next layers are operational managers and staff, who understand the techniques and procedures.

The data owner is a member of senior management; he is held responsible for negligent acts and decides the classification.

The data custodian maintains and protects the data, for example a system administrator.

The data user, who routinely uses the data.

The chief information officer (CIO) should work with senior management to define procedures.

Business managers determine the level of protection needed, and are involved in the selection of safeguards.

Auditor examines the practices.

The security professional is responsible for implementing security and carries out senior management's directives.

DoD Data Classification

- Top Secret
- Secret
- Confidential
- Unclassified

Data classification labels are the basis of mandatory access control (MAC): the system compares a subject's clearance with the object's classification label to decide whether access is allowed.
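To show how the sensitivity levels above drive a mandatory access control decision, here is an added example (not code from the original post) that models the five government levels as an ordered lattice and applies the Bell-LaPadula rules: a subject may read an object only if its clearance dominates the object's label (no read up), and may write to an object only if the object's label dominates the subject's clearance (no write down). The optional compartments (such as "SATINT"), the file names and their labels are constructed for the example and are assumptions, not something the post describes.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity levels from the post, ordered lowest to highest."""
    UNCLASSIFIED = 0
    SBU = 1            # sensitive but unclassified
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    """A classification label: a level plus an optional set of compartments
    (need-to-know categories). Compartments are an assumption added here."""
    level: Level
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's level and a holds
    every compartment that b requires. This is the lattice ordering."""
    return a.level >= b.level and b.compartments <= a.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. A SECRET subject may not write into an
    UNCLASSIFIED file, because that would leak SECRET data downwards."""
    return dominates(obj, subject)


def access_decision(subject: Label, obj: Label, mode: str) -> bool:
    """Combine the two rules for a requested access mode."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "read-write":
        # Only possible when subject and object carry exactly the same label.
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed sample objects with labels (assumed for the example).
FILES = {
    "press_release.txt": Label(Level.UNCLASSIFIED),
    "patient_records.csv": Label(Level.SBU),
    "source_code.tar": Label(Level.CONFIDENTIAL),
    "deployment_plan.pdf": Label(Level.SECRET),
    "satellite_orbits.dat": Label(Level.TOP_SECRET, frozenset({"SATINT"})),
}


def readable_by(subject: Label, files=FILES) -> list:
    """Names of the files the subject may read, sorted for stable output."""
    return sorted(name for name, label in files.items() if can_read(subject, label))


def writable_by(subject: Label, files=FILES) -> list:
    """Names of the files the subject may write, sorted for stable output."""
    return sorted(name for name, label in files.items() if can_write(subject, label))


if __name__ == "__main__":
    analyst = Label(Level.SECRET)
    print("SECRET analyst can read: ", readable_by(analyst))
    print("SECRET analyst can write:", writable_by(analyst))
    # TOP_SECRET without the SATINT compartment still cannot read the satellite data.
    ts_no_compartment = Label(Level.TOP_SECRET)
    print("TS (no SATINT) reads satellite data:",
          access_decision(ts_no_compartment, FILES["satellite_orbits.dat"], "read"))
```

The ordering in `Level` is exactly the ranking listed under "The sensitivity level" above; the compartment check is what turns a simple total order into a lattice, which is why a TOP_SECRET clearance without the right compartment is still refused.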
