Establish, implement, and maintain a data classification scheme.

CONTROL ID: 11628
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Take into account the characteristics of the geographical, behavioral and functional setting for all datasets., CC ID: 15046
  • Approve the data classification scheme., CC ID: 13858
  • Disseminate and communicate the data classification scheme to interested personnel and affected parties., CC ID: 16804
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The licensed corporation should implement a comprehensive information security policy to prevent any unauthorised disclosure. This policy should include an appropriate data classification framework, descriptions of the various data classification levels, a list of roles and responsibilities for iden… (14., Circular to Licensed Corporations - Use of external electronic data storage)
  • Deciding on data classification/de-classification and archival/purging procedures for the data pertaining to an application as per relevant policies/regulatory/statutory requirements (Critical components of information security 11) c.2. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Databases and their contents are classified based on the sensitivity or classification of data that they contain. (Control: ISM-0393; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Databases and their contents are classified based on the sensitivity or classification of data that they contain. (Control: ISM-0393; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Volatile media must be treated as no less than unclassified after sanitization, except that under certain conditions top secret media cannot be reclassified. (Control: 0353, Australian Government Information Security Manual: Controls)
  • Work instructions and processes for the implemented classification scheme of information and assets are in place in order to ensure the labeling of information as well as the corresponding handling of assets. This only refers to assets which store or process information. (Section 5.4 AM-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Firms are responsible for classifying their data. While the PRA does not prescribe a specific taxonomy for data classification, it expects firms to implement appropriate, risk-based technical and organisation measures to protect different classes of data (eg confidential, client, personal, sensitive… (§ 7.5, SS2/21 Outsourcing and third party risk management, March 2021)
  • firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and com… (Table 3 ¶ 1 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • classify relevant data based on their confidentiality and sensitivity; (§ 7.3 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • Ensure all data in Amazon S3 has been discovered, classified and secured when required. Description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an… (2.1.4, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • A thorough data management review should be performed and data classification should be considered. (App A.4 (Recommendations for Data Management), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Communications about the data elements that uniquely identify an individual should follow the data classification policy. (§ 3.4.4 ¶ 3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • Verify that all sensitive data is identified and classified into protection levels. (1.8.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization should establish multi-level data identification schemes and multi-level classification schemes. (Critical Control 15.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Data and objects containing data shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization, third-party obligation for retention, and prevention of un… (DSI-01, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and proced… (DSP-01, Cloud Controls Matrix, v4.0)
  • Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as "Sensitive," "Confidential," and "Public," and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise chan… (CIS Control 3: Safeguard 3.7 Establish and Maintain a Data Classification Scheme, CIS Controls, V8)
  • The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). (ID.AM-5.1, CRI Profile, v1.2)
  • The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). (ID.AM-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Is there a data classification and retention program that identifies the data types that require additional oversight and governance? (§ P.7, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • Determine whether management identifies and classifies the entity's data effectively. Determine whether management does the following: (App A Objective 3:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Documentation of the data types maintained, data owners and users, and purposes of reports. (App A Objective 3:9f Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. (App A Objective 3:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Classifies data maintained within the database. (App A Objective 3:7i, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Data identification and classification processes. (III.A Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Thus, a best practice is to group containers together by relative sensitivity and to ensure that a given host kernel only runs containers of a single sensitivity level. This segmentation may be provided by using multiple physical servers, but modern hypervisors also provide strong enough isolation t… (4.3.4 ¶ 3, NIST SP 800-190, Application Container Security Guide)
  • Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET). (T0071, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Attach data tags containing [Assignment: organization-defined permissible processing] to [Assignment: organization-defined elements of personally identifiable information]. (PT-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Attach data tags containing [Assignment: organization-defined permissible processing] to [Assignment: organization-defined elements of personally identifiable information]. (PT-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)