Information Security Classification

Not all data is created equal; some of it warrants a greater level of control. Data should be classified based on its sensitivity and criticality. As employees create data, they should be aware of its sensitivity and criticality and classify it appropriately, so that others who later retrieve the data know how to handle it. Data should also be classified within applications, so that the right person has the right level of access to the right data held in them.

Control Objective

  • Classification is documented, approved, communicated, and followed
  • Employees must understand that not all data is created equal: some data is more sensitive than the rest and should benefit from greater controls
  • Employees should possess only the sensitive information they need, handle it carefully, and label it as appropriate
  • Sensitive information must be encrypted in-transit and at rest
  • Prohibit production data in test environments unless security controls are equivalent to (or better than) production environments

Resources

Information Security Classification Framework (PDF)

Information Security Classification Guidelines (PDF)