You are on page 1of 8


Understanding Data Classification Based on

Business and Security Requirements
By Rafael Etges, CISA, CISSP, and Karen McNeil

ata classification, or taxonomy, is a practice related to (e.g., government functions). Once this information is known,
almost all domains of human knowledge, from two fundamental pieces of information can be tracked: the
mathematics to biology, marketing and finance. It information systems and infrastructure components that
directly affects how organizations understand business processes support those business processes, and the major classes of
at the most elementary level (i.e., manipulation of individual business data that are generated and manipulated during
pieces of information to achieve expected results), allows the regular business operations (e.g., financial data, strategic
assignment of economic value to intangible data and enables a plans). More complex organizations or organizations operating
structured approach for data management. Data classification is in a cross-section of industries (e.g., retailing plus financial
fundamental to asset management, risk assessment and the services or media plus entertainment) will have more data
strategic use of security controls within the IT infrastructure of classes identified, and some classes can be broken down into
any organization. Without the understanding of different classes subclasses (e.g., financial data can be mapped to sales,
of data according to the assessed risk and value, it is impossible manufacturing, supply chain or others).
to allocate and maximize resources to ensure continuity of From this point, senior executives must be appointed with
business operations. ownership over business information and report to the board or
For years, military systems have been using variations of a the CEO. Ownership can be tracked from revenue streams that
five-level (unclassified, sensitive-but-unclassified, are supported by the business information (i.e., control points
confidential, secret and top secret) classification scheme. This can be established by mapping who profits from the use of
structure was later adapted to the corporate environment, using information1) or from the delivery of mission-critical services
words such as private, sensitive, critical and confidential, (e.g., patient health and privacy in healthcare, public safety in
among others. However, these words alone do not assign law enforcement). In complex organizations, business
sufficient distinction among levels of classification and can information can be generated by one business unit and
lead to misinterpretation and confusion. combined and manipulated by several others over its life cycle.
To be effective, the classification scheme should clearly Ultimately, ownership should be assigned to the business unit
articulate the association between the data and their supporting with primary control over the creation, usage and disposal of
business processes. Once meaningful terminology is employed business information, even if other units also utilize it during
in the classification scheme, a secondary capability will regular operations.
naturally evolve. This capability is the mapping and expression For each data class discovered in the BIA exercise, business
of security characteristics such as ownership, liability and and security requirements must be identified and documented,
control of data. What distinguishes this from the traditional with guidance from the information owners and other
models is that the security characteristics flow directly from stakeholders (e.g., legal department, security, human
the business process, rather than being derived from military resources). The three pieces of data (data classes, ownership
or other unrelated or historic criteria. and requirements) enable the structuring of business
information and more efficient, effective and reliable
Process Overview data management.
A customized approach to data classification based on Once business data have been properly classified and
business and security requirements must start with a high-level requirements have been documented, standards and procedures
business impact analysis (BIA). It is extremely important that must be built around the requirements and enforced by the use
organizations recognize critical business information. The BIA of internal controls. The result is the gradual evolution of IT
may be performed by using assessment questionnaires or processes toward regulatory compliance and alignment with
interviewing key users, or both, and will identify the business the business strategy. Figure 1 summarizes the data
processes, structured data (e.g., database tables) and classification process.
unstructured information (e.g., e-mails, reports, spreadsheets)
that are most likely to impact the organizations ability to Ownership of Data, Control and Liability
function if disrupted, compromised or lost. The Control Objectives for Information and related
Generally, the outcomes of a BIA specify the most critical Technology (COBIT) framework recommends, in DS5.8, that
business processes for the organization, based on business Management should implement procedures to ensure that all
operations, revenue streams or the ability to deliver a service data are classified in terms of sensitivity by a formal and

Figure 1Overview of the Data Classification Process

Data Ownership/ Standards/
Formalizes Custodianship Procedures
Approves and
Maintains Formalization/
Business Drivers Communication
Identification of Critical
Processes and Data Data
Provides Classification
Data Sets Data Classes Modified IT
Scheme Alignment Strategic
Existing IT (Classes x Processes/
Supporting Direction/
Processes Requirements x Information
Infrastructure Governance
Owners) Systems
Systems Data Enforcement/
Regulatory Practices Monitoring
Requirements Security/
Satisfies Internal
Operational Controls

explicit decision by the data owner according to the data Continuously review and document who has access to
classification scheme. Although IT is usually vested with the business information
responsibility of maintaining different business applications, Ensure that access controls and monitoring take into
business information does not belong to IT.2 This leaves an consideration the principle of segregation of duties (security
unclear state in many organizations as to who owns business and administration roles)
information. The complexity of business information systems
and networks, coupled with ancient cultural barriers between Security and Business
technical and nontechnical professionals, creates issues for Requirements for Classifying Data
senior executives if they cannot fully understand how the IT When classifying data, criteria based on business and
infrastructure that holds critical business information works. security requirements must be determined by a high-level BIA.
How can the board be assured that IT is applying the right Information owners can use the BIA outcomes to provide a
security controls, monitoring risk and following due diligence? clear map of key business processes and establish criteria that
The role of chief security officer (CSO) was in part created to might consider the following:
form a liaison between senior executives who are familiar with Access and authenticationOne of the most difficult exercises
financial and operational risk and the IT staff members who when defining access requirements is to understand exactly who
control virtual private networks (VPNs), firewalls, encryption has a clear need to use the information during regular business
and routers. However, business information does not belong to operations, who needs access only for support and maintenance
the CSO. The fact remains that business information must purposes, and finally who will periodically audit operations to
belong to whoever is ultimately responsible for the business prevent fraud and security incidents and detect performance
process from a revenue standpoint. Custody of supporting anomalies. COBIT recommends that the information owner, who
information systems can be delegated to IT, but not data is ultimately accountable for whatever happens with the
ownership. As COBIT control objective DS5.8 states, Owners information, be supported by a formal approval and
should determine disposition and sharing of data, as well as authorization mechanism.3 Unless unlimited anonymous access
whether and when programs and files are to be maintained, is allowed, this is a requirement expected for any business
archived or deleted. Evidence of owner approval and data information system. Unique requirements will be identified
disposition should be maintained. depending on how distributed each information system is, its
Many other COBIT control objectives (mostly in DS5 different user profiles, and the selected access control solution; a
Ensure systems security; DS11 Manage data and DS13 centralized system (e.g., a single repository controlling global
Manage operations) make reference to controls that must be access, single decision point) is desirable but not always viable
applied, according to the assessed data sensitivity and from a business standpoint, while a decentralized model (e.g.,
criticality levels, and approved and audited by the data owner. local groups granting access and synchronizing with each other
The Sarbanes-Oxley Act also requires a clear process for periodically) will require uniform approval criteria and
defining data ownership in organizations preparing to comply validation procedures among the authorizing parties to ensure
with section 404 requirements. In addition to defining data consistency. When building a data classification scheme, the
ownership, the organization must: attributes from this criterion include:
Formalize the delegation of the safeguarding of information Access approval and review process
to data custodians in a documented process

System architectureDistributed/centralized Expiration of access rights
User profileUser groups, requirements, trust level Distribution methods
(e.g., third party vs. internal) Requirements for authenticity and copy control
Environmental riskIntegration with other networks, IntegrityThis ensures that data must be protected from
applications, databases and users who require access and unauthorized changes. Integrity requirements might include
might pose new risks protection of information during storage (e.g., hashing and
ConfidentialityOnce sensitive information has been matching web site files to avoid defacement and hijacking
identified, it is necessary to determine where it is stored attacks), transit (e.g., IPSec VPNs requiring authentication
(databases, backup systems, business continuity sites), headers or encapsulation security payload to ensure packet
manipulated (applications) and transmitted (network integrity),6 manipulation (e.g., system checks on inputted data to
segments). Attributes from this criterion include: prevent fraud and ensure accuracy) and data compression during
Where information existsStored, transmitted, manipulated backup and transit (i.e., lossy or flawed data compression
Legal requirements for confidentiality algorithms might cause information loss or corruption in
PrivacyThese requirements can be more complex than just copyrighted or critical data, such as high-precision images or
providing confidentiality. In several countries, regulation encrypted files).7 Attributes from this criterion include:
dictates that when decisions are made based on information Change control requirements (approval, review, auditing)
received from a database, the individual who is affected by Need for automated monitoring and detection of
such decisions should have the right to examine the database unauthorized changes
and correct or amend any information that is incorrect or Authenticity and accuracy requirements
misleading.4 Controls to provide such capability include Data retentionDepending on the required retention period
identification and authentication of the affected user, access and sensitivity of data to be maintained, the organization
controls, integrity controls (to ensure that the correction or must also preserve specific versions of software, hardware,
amendment is within accepted limits), auditing and logging, authentication credentials and encryption keys to ensure the
and a monitoring and alert system to warn the affected user ability to access stored data (both media and format
that his/her information is about to be used. Attributes from readability) throughout the retention period, and to safeguard
this criterion include: against loss due to future technology change. This might
Regulatory requirements concerning private information include e-mail messages from former employees; personal
Conditions in which the user must be warned to review records; all information used during a Sarbanes-Oxley-
his/her own data related audit, including financial reports and financial report
Limitations on what the user can do when correcting data elements; processes affecting financial reports; and all
AvailabilityThis set of requirements defines the expected documentation of risks (e.g., assessments and the outcomes,
uptime for that information, the recovery time objective (how conclusions and follow-up activities of risk assessments).
long the organization can wait for recovery in case of an
incident) and the recovery point objective (how much The Sarbanes-Oxley Act and the rules issued by the US
information can be sacrificed in a disaster). Ideally, all systems Securities and Exchange Commission (SEC) require auditors
should be available 100 percent of the time, but availability to maintain, for seven years after the conclusion of the audit,
costs money. While corporate web sites definitely require next all records relevant to the audit or review, including
to 100 percent uptime and redundant systems, many are not workpapers and other documents that form the basis of the
updated frequently; therefore, they might not require the same audit or review, and memoranda, correspondence,
backup priority as the e-commerce transactions database. These communications, other documents, and records (including
are examples of two completely different requirements for electronic records), which (1) are created, sent or received in
availability. Attributes from this criterion include: connection with the audit or review, and (2) contain
Times when system must be available conclusions, opinions, analyses, or financial data related to
Desired annual uptime/downtime tolerance the audit or review. In addition, pursuant to rule 12b-11(d)
Ownership and distributionCopyrighted information under the Exchange Act, an organization must keep all
must be protected against unauthorized copy and distribution. manually signed documents filed with or furnished to the
This is not ensured by conventional controls based on SEC (including the certifications) for five years. Attributes
confidentiality, integrity and availability.5 Watermarking and from this criterion include:
encryption technologies have not yet matured to provide Regulatory and business requirements for data retention
satisfactory protection against piracy. Implementation of periods
these technologies is still very expensive, and in some cases Specific requirements for archiving and recovering the
can be circumvented to avoid or distort the watermark on information
protected information. Depending on the security AuditabilityThis is related to keeping track of all access,
requirements concerning the distribution and possession of authorizations, changes and transactions that might pose a
critical information, this should be treated as a separate class risk to any of the previously mentioned requirements.
of data. Attributes from this criterion include: Attributes from this criterion include:
Approval and billing requirements (integration with Retention time for logs and files
other systems)

Required level of detail of logged transactions Although only a subset of the control requirements described
Monitoring and correlation of raw data, detection of in the previous section was selected for clarity, a more
anomalies and malicious activity thorough discovery exercise will identify several sets of
Regulatory requirements for auditing and control control requirements for each information class or subclass
(e.g., even if audit reports and bank statements can be part of
A Sample Data Classification Scheme the finance and accounting information class, each subclass
Once high-level business processes have been identified, has distinct regulatory requirements and should be treated
ownership has been assigned to business information and a set accordingly).
of control requirements has been established, information
classes can be mapped and detailed further. The process of Impact of Data Classification on IT
identifying and categorizing business information is more Processes
important than the specific control requirements shown in the Data classification is the cornerstone of the strategy behind
example below. Different organizations will select different several security practices and initiatives during the information
sets of control requirements based on their own perspective of life cycle. If the exercise of mapping business and security
business processes and priorities, and alignment with industry requirements is conducted properly, IT staff members will have
standards such as ISO 17799, the COBIT framework and a clear understanding of how information owners require their
others. Figure 2 shows a sample data class called service data to be handled during daily operations. It will then be the
operations information and some of its control requirements. responsibility of the IT staff members to apply the proper

Figure 2Example of Data Classification Table

Service Operations InformationControl Requirements (Sample Data)

Access approval and review Logical access is granted by the help desk system.
Financial systems, supported by IT, need limited access.
Customers need limited access via front-end web interface.
Access and Authentication

Architecture summary Information is centralized on an internal database behind a firewall and a network-based intrusion
detection system (IDS). Business requires that two application servers and the financial enterprise
resource planning (ERP) module have access to it.
User profile Financial users are trusted but must be logged.
Help desk staff members are outsourced and must be fully screened, trained and monitored.
External users (customers accessing via the Internet) are not to be trusted.
Identified environmental External access must use Secure Socket Layer (SSL) authentication and encryption.
risks/threats Web, database and application servers should be protected by a host-based IDS.
Service operations database resides in the same network as less-secure servers (internal mail);
segmentation on a separate VLAN must be enforced.
Information storage Service operations database (including backup tapes) must be encrypted and submitted to an annual
security assessment; access control lists must be reviewed every three months.
Information traffic Service operations must be protected by HTTPS/SSL on the Internet and by encrypted and

authenticated channels on the internal network.

Information manipulation Service operations data must never be stored locally by the help desk support system, and only trusted
senior staff should have unlimited access to data.
The service operations web application must be submitted to a security assessment every three
Legal requirements Encryption is required for financial information and recommended for data accessed by other financial
systems (or strong compensating controls must be in placeSarbanes-Oxley section 404).

Recovery point objective Zero

Recovery time objective 30 minutes
Desired annual uptime 98 percent service level agreements (SLAs) with web interface, 95 percent desired on internal systems
Retention time for audit logs 36 months for raw data on auditing logs
12 months for correlated data
Log format and depth Web transaction logs, firewall security events, open database connectivity (ODBC), syslog events and
Simple Network Management Protocol (SNMP) traps must be captured on the web server, firewall,
application and database server, as well as on the IDS. Depending on storage capacity and performance

limitations, all security events should be captured.

Event detection and Rejected access attempts must be logged and sent to the correlation engine for analysis. Access
correlation requirements times and frequency must be captured to feed historical databases and Bayesian anomaly analysis
Regulatory requirements All access and changes to service operation information must be fully logged.

Source: Assurent,

security controls, such as encryption, authentication and classes of data and can be related to COBIT control guidelines
logging. In organizations where ownership is not the decisive (see figure 3):
factor, controls are applied on an ad hoc basis, following Software developmentFor applications that handle data
trends guided by biased media. with special requirements, security is considered at all life
The following high-level IT processes will be directly cycle stages of the software development process. A detailed
affected by different requirements from business-driven assessment of security risks must be conducted during the

Figure 3High-level IT Processes

High-level IT Process COBIT 3rd Edition Control Objective ISO 17799:2000 Controls
Software development PO2Define the information architecture. 10Systems development and maintenance
PO9Assess risks.
AI2Acquire and maintain application software.
Incident response DS5Ensure systems security. 3.1Information security policy
DS10Manage problems and incidents. 4.1.1Management information security forum
4.1.2Information security coordination
4.1.5Specialist information security advice
4.1.6Cooperation between organizations
6.3Responding to security incidents and malfunctions
8.1.3Incident management procedures
9.5.6Duress alarm to safeguard users
Access control PO9Assess risk. 9Access control
and authentication DS5Ensure systems security.
DS13Manage operations.
Archival and recovery DS4Ensure continuous service. 8.4.1Information backup
capabilities 11Business continuity management
12.1.3 Safeguarding of organizational records
Disaster recovery and DS4Ensure continuous service. 8.4.1Information backup
business continuity DS5Ensure systems security. 11Business continuity management
DS10Manage problems and incidents.
Outsourcing and PO7Manage human resources. 4.2.1Identification of risks from third-party access
third-party management DS2Manage third-party services. 4.2.2Security requirements in third-party contracts
DS5Ensure systems security. 4.3Outsourcing
6.1.3Confidentiality agreements
6.2.1Information security education and training
7.1.4Working in secure areas
12.1.5Prevention of misuse of information processing
Auditing, event logging AI1Identify automated solutions. 3.1.2Review and evaluation
and monitoring AI6Manage changes. 4.1.1Management information security forum
DS9Manage the configuration. 4.1.2Information security coordination.
DS10Manage problems and incidents. 6.1.4Terms and conditions of employment
DS11Manage data. 6.3Responding to security incidents and malfunctions
8.3.1Controls against malicious software
9.5Operating system access control
9.6Application access control
9.7Monitoring system access and use
10.4.3Access control to program source library
12.1.5Prevention of misuse of information processing
12.1.7Collection of evidence
12.2Reviews of security policy and technical compliance
12.3System audit considerations
Physical security PO4Define the IT organization and relationships. 7Physical and environmental security
and zoning PO6Communicate management aims and direction.
PO8Ensure compliance with external requirements.
PO9Assess risk.
AI3Acquire and maintain technology infrastructure.
AI6Manage changes.
DS4Ensure continuous service.
DS5Ensure systems security.
DS9Manage the configuration.
DS10Manage problems and incidents.
DS11Manage data.
DS12Manage facilities.
DS13Manage operations.

specifications stage, along with architecture and component operations will tell how much effort and resources must be
integration reviews. This can be partly achieved by following spent on archiving and redundant technologies (mirroring,
the Systems Security Engineering Capability Maturity Model storage area networks, replicated databases, transaction
(SSE-CMM), metrics and SSE-CMM appraisal method logging, clustering, fail-over capabilities, etc.) to support
(SSAM),9 in conjunction with threat-modeling scenarios and business systems.
risk-based decisions on the software project. The Disaster recovery and business continuityThe same
documentation of requirements, specifications and RTO, RPO and uptime requirements established for the
architectural decisions, based on the identification of archival and recovery processes define which information
potential threats and attack scenarios (including attack trees systems must be supported by plain backups; a cold site (a
and probable attack vectors),10 as well as formal facility with power and cooling where a computing system
consideration of mitigation controls on the proposed can be installed with some time and effort); a combination of
architecture and design, should be mandatory on software a more expensive, temporary hot site (fully prepared
projects that will handle critical data. redundant facility) to be used while the companys cold site
Incident responseIncidents can be directly tied and is set to host emergency operations; or a fully manned
categorized according to the information class that was redundant hot site. The requirements for availability
compromised, almost on a one-to-one relationship. Escalation determine how ready the site must be (e.g., real-time remote
and communication procedures depend on the impact level update, business relocation strategy), while access controls,
on business data, as do decisions on whether to involve law auditability and confidentiality say how much physical and
enforcement and media. For each data category, different logical controls must be in place to protect data during a
incident scenarios can be elaborated; while some classes have crisis. An old attack stratagem is to generate an emergency
similar response procedures, others have unique requirements condition, wait until all systems go to redundant (a usually
(e.g., strategic information leaked to competitors or much less secure) mode, when decision makers will be
copyrighted media being accessed without authorization).11 thinking in terms of availability and going back to business as
Access control and authenticationWhere information soon as possible; this is the time when data are most
systems have similar requirements for access controls and vulnerable to unauthorized access and interference. Figure 4
authentication, it may be advantageous to adopt some type of shows the natural tradeoff among security requirements,
single sign-on (SSO) solution. Specifically, if users typically desired availability and the cost of a disaster recovery and
operate the same applications every day, these applications business continuity strategy. Figure 5 shows how different data
share the same environment, work with the same classes of classes can be mapped to security and availability
data and, therefore, are subjected to the same business risks, requirements. This high-level map supports the establishment
an SSO solution might be considered. SSO solutions should of strategic priorities and considerations for each data class
be carefully analyzed before being deployed on systems that during disaster recovery and business continuity scenarios.
handle different classes of data, for this scenario connects
data with dissimilar security requirements by a single
authentication solution. Figure 4Cost vs. Security Requirements

System architecture impacts access and authentication

controls (e.g., a centralized directory controlling access over a
large WAN, or decentralized authentication repositories trying
to synchronize and replicate over a distributed or extremely
segmented network); new availability and confidentiality
DR/BC strategy cost

requirements will probably be discovered as more research

is done.

Approval cycles determine how much trust can be granted to

subjects who require access to business information, and how
much control and accounting are required before access is
granted to different user profiles. Business processes need to
be reviewed because most were not designed with security in
tinc g d nts
nt g

ide urin
pos dlin eme

mind. The tradeoff between security and efficiency almost requirements

andta han equir

RPO and others

always is inclined to the latter (e.g., how much information
da ty r

the help desk is willing to give to solve a problem, how much

for ecuri

information a sales representative can access to close a deal,


how exactly the approval process works when access to

sensitive information is granted).
Archival and recovery capabilitiesFor each information
class and supporting systems, the desired uptime, recovery
Source: Assurent,
point and time objectives, and assessed impact of disrupted

Outsourcing and third-party managementOutsourcing Administrative controls must consider details of legal
and third-party management must maintain a high level of agreements between consultant and client, nondisclosure
diligence when working with critical information. Specific agreements (NDAs), security training, and clear and
controls must be applied to ensure that access levels of third- formalized understanding of information ownership
party agents are strictly controlled and formal authorization (especially on software development contracts). ISO
17799:2000 provides a comprehensive list of requirements to
be included in contracts with third parties in section 4.2.2
Figure 5Availability vs. Security Requirements Security requirements in third-party contracts.
Auditing, event logging and monitoringAll classes of
critical information must have their own requirements for
protection, management and retention. Auditing capabilities
must allow the data owner (or delegates) to attest that the
Security requirements for data handling

Highly sensitive, Highly sensitive, requirements are being met and detect deviations and
low availability critical availability
during and postincident

anomalies. The results of the BIA identify to data and

business owners exactly which assets need to be monitored.
Once the assets and the associated security requirements are
established, IT can determine the specific information that
Nonsensitive, Nonsensitive, must be collected. Following the example displayed in
low availability critical availability
figure 1, the service operations information data class was
identified as critical to the business, and the organization
determined a set of security and business requirements. Now
Availability requirements business and information owners must discuss the current
(RTO, RPO and others.) situation with IT and establish a set of recommended controls
to be implemented and reviewed to properly monitor this
Business data classes information. Figure 6 shows a set of proposed security
controls according to the sample requirements identified in
figure 2, based on the ISO 17799:2000 standard and COBIT
and authentication methods are enforced. Necessary technical 3rd Edition framework.
controls include enhancing logging and monitoring of Physical security and zoningBecause different classes of
activities, establishing separate user groups, restricting log-on data are often handled in the same facility, there should be a
times, and setting short expiration dates to all guest accounts. separation between physical areas (e.g., floors) that house

Figure 6Requirements and Supporting Controls

Service Operations InformationLogging and Monitoring Requirements (Based on Sample Data From Figure 1)
Access Control Requirements Availability Requirements
Authentication and Confidentiality Requirements12
Authorization13 Audit RPO14 RTO15
Logical access by All access and changes to Desired RPO is zero 30 minutes Encryption is required for credit
the help desk (staff service operations (service operations card information16 and
and systems), information must be information cannot recommended for data accessed
financial systems fully logged. be lost). by other financial systems (or
supported by IT and strong compensating controls).
the front-end web
COBIT and ISO 17799 Recommended ControlsAuditing and Monitoring
Regular review of Interviews with help Monitoring availability Performance monitoring Detection and filtering of
help desk desk staff to evaluate of redundant databases, by the security operations unencrypted service operations
application system current practices fail-over and mirroring group information being transmitted
(documentation, and awareness levels capabilities (e.g., Enforcement of SLA with over public networks
code and databases) Review of change network connectivity network providers Review of encryption key
Penetration tests control applied on the on segments used by Regular testing of management practices
to validate the help help desk system and critical systems) incident response Review of legal agreements
desk systems databases. If possible, procedures that support with third-party providers
access controls an automated approval critical systems to (e.g., help desk staff, software
Access violations and control process service operations development, network
generating alarms should be in place to information management and ISP)
manage changes.
Compiled by: Assurent,

staff and equipment being used on research and development 7
Ladino, Jeffrey N.; Data Compression Algorithms,
projects, HR and payment systems, or financial systems. The
same applies to printers, photocopiers and fax machines used 19951996/jnl22/jeff.html
by different sectors with distinct security requirements. 8
HP Laboratories Palo Alto, Self-Aware Services: Using
Whenever such equipment is shared between high- and low- Bayesian Networks for Detecting Anomalies in Internet-
security zones, security is jeopardized, as no authentication is based Services,
required to read a paper report found in the printers tray. 2001-23R1.pdf
Other scenarios that may jeopardize security are shared 9
public areas, meeting rooms with network jacks, shared paper 10
Schneier, Bruce; Attack TreesModeling Security
recycle bins, third parties working without supervision in Threats,
sensitive areas, and laptops used at an employees home 11
NIST SP800-61 offers a method for determining incident
during weekends and at the organizations premises on criticality. See Computer Security Incident Handling Guide,
working hours.17
Summary Encryption can be enforced on stored (including backups)
The fundamental objective in classifying and protecting and transmitted information.
data should be based on the reasons why the data are important All access to the information (except public) must be denied
to the business in the first place. IT does not have this by default and provided on a need-to-know basis upon
knowledge in most cases. Therefore, each line of business formal authorization from the information owner.
must identify which pieces of information are critical to its The recovery point objective (RPO) is the time (relative to
business processes. From a security standpoint, it does not an event compromising data) in which data must
really matter what names are assigned to data as long as data be restored, without affecting business operations
sets are established that provide more meaning to business (e.g., overnight backups ensure an RPO of only 24 hours.
operations. The advantage of employing classification If the organization cannot afford to lose 24 hours of data,
terminology that reflects the business operation will be evident another backup solution must be implemented to comply
in communicating ownership and integrating the security with the RPO).
requirements into each business process. The recovery time objective (RTO) is the time period after
The key success factor in a data classification scheme is an event compromising data by which business functions
that classes of information are properly defined and related to need to be restored. Different business functions may have
process owners, easily communicated to all stakeholders, and different RTOs (e.g., the RTO for the payroll function may
clearly convey a business value to the organization, while be two weeks, whereas the RTO for sales order processing
expressing the need for hard, technical internal controls may be two days).
that IT understands. PCI guidelines for protection of cardholder information
ISO/IEC 17799:2000, section 7Physical and
Endnotes Environmental Security
Wylder, John; Strategic Information Security, Auerbach, 2003
Additional references to the differences between Rafael Etges, CISA, CISSP
information ownership and stewardship can be found in the is a senior information security advisor at Assurent Secure
Information Security Management Handbook, Fifth Edition, Technologies (, a leading information
by Tiptop and Krause, and in Information Classification: a security engineering and consulting group. He has worked on
Corporate Implementation Guide, by Jim Appleyard. governance and risk assessments as a consultant for major
COBIT, DS5 Ensure systems security, control objective 8, telecommunications and financial groups in Canada and Latin
control practice 5 America.
Freeman, Edward H.; When Technology and Privacy
Collide, Information Security Management Handbook Karen McNeil
Schwartau, Winn; Mad as Hell IV: Security Basics for is a senior member of the delivery team at Assurent Secure
Ma & Pa, Technologies and plays a key role in overseeing technical
/0,294698,sid14_gci1096261,00.html security assessment and risk assessment initiatives in global
Foundstone and Microsoft, Using Microsoft Windows enterprise environments.
IPSec to Help Secure an Internal Corporate Network