IS/DPP for staff #3b - Data Classification

Editor's Notes

• #2: Welcome to the third part of the baseline training IS/DPP. Herein we look at data and the different classifications we give it in order to be able to better handle it.
• #3: Like confidentiality, both entailing keeping unauthorized people out and requiring from authorized persons to handle the information confidentially. An example of a fail is the list of Amex cardholders and their spend being leaked on the internet via wikileaks or pastebin.
• #4: The classification “confidentiality” takes into account the impact on the ABC Group in case of disclosure or breach. The author of the data should classify it. If you receives unclassified data, you should.
• #5: The first level is “public”. It is information intended for public use. So it can be communicated outside the ABC Group.
• #6: All non public data, is “confidential”. That is further divided into three “circles of trust”, which contain ever smaller numbers of people.
• #7: Internal data is meant for staff only. It is information that is used to support and perform normal business operations. External staff may have access to it, but then they should be bound by a non-disclosure commitment.
• #8: Restricted data is only to be made available on a specific need-to-know basis, which means that it must be job-related for you. Personal data in principle is restricted.
• #9: Secret data is the highest level of confidentiality. It is sometimes also indicated as “strictly confidential” or “for your eyes only”. The author must have indicated you as an addressee otherwise you are not authorized to have it. It also means that a recipient has no margin to autonomously forward the information.
• #10: Most information security frameworks refer to CIA. CIA does not stand for the US Central Intellegence Agency but for
• #11: Confidentiality (which we already discussed) Integrity: which entail preventing accidental, unauthorized and deliberate alteration or deletion of data. An example of a fail is a customer succeeding in changing his card limit thus messing up our authorization process.
• #12: and Availability: which goes to ensuring that information is available to authorized persons when required to fulfill their job. An example of a fail is the data being lost due to a short power fail and being unable to give a workable backup, e.g. losing and entire week of work.
• #13: Due to the data protection legislation, we also add “privacy” to the “classifications”. That is respecting the (original) purpose for which the personal data was collected.
• #14: Here we revert to the “finality” requirement under the data protection legislation, and the expectations of the data subject. The finality requirement indicates that during the entire lifecycle of the personal data the purpose must be respected.
• #15: The expectations of the data subject, without going into detail of the technical legislation, can be captured in a quick 3 questions test. The first: What would your reaction be if we did it to your personal data?
• #16: The second: What would the reaction be of somebody who likes his privacy, if we did it to his/her personal data?
• #17: The third: What would the reaction of the public be if what we do to personal data is in detail explained on the front page of tomorrow’s newspaper?
• #18: If on one of those three questions we have to answer : “Well, the reaction may be (seriously) negative.” We should likely reconsider. You can imagine that transparency at the moment of collection of the data is a very imporant element here.
• #19: We complete the set of data classifications with two more, namely Traceability: that is ensuring that modifications can be traced back to the individual that made the modification (which we refer to as “non-repudiation”) to enable compliance with regulations and standards.
• #20: and Retention: that is ensuring that information is retained and disposed in line with legal and regulatory requirements and business objectives