A Practical Guide to Security Assessments
Risk:
If users are not aware of the data classification policy and if it is not easily accessible, there is a risk they will not follow it because they do not know about it or are not willing to take the time to find out about it.
Client Response:
6. Does the classification scheme provide enough guidance so users can easily classify information?
Guidance:
When users access the data classification policy, it would be helpful for them to have some criteria or examples to help them classify information and distinguish the differences between the various classifications. As users begin to classify data, real examples, which can be used as reference points by personnel, will become available. One sign of a lack of guidance is that people are not using the existing classification scheme because the meaning of the classifications is unclear. If no guidance exists and personnel are unclear on classifying data, it would be worth incorporating this into a user awareness program and incorporating examples into the classification policy.
Risk:
Without some guidance or examples of data for each of the classifications, personnel might not classify data properly. This can lead to inconsistent data classification and data not getting appropriate treatment.
Client Response:
7. Are specific roles and responsibilities defined for data classification — specifically for data owners and system owners?
Guidance:
Data classification, like other areas of security or operations in general, requires clear roles and responsibilities to ensure that key tasks are performed. In the case of data classification, there must be personnel who “own” the data and are thus responsible for classifying it. One thing to look out for is that data classification might be viewed as an IT problem and, as a result, IT is responsible for classifying the data. IT should not be making data classification decisions because they do not have the expertise to do so, nor do they own the data. The IT group’s responsibility should be to provide the necessary level of protection for data based on the classification. In addition, data owners should understand that there are costs related to different classifications — e.g., there are additional costs related to protecting confidential documents versus public documents.