Best Practices for Data Classification and Risk Management Policies

Risk management policies provide the framework for assessing risk across data classification and RCSA activities. The resulting risk assessment looks at how risk is managed end to end. This means that the risk assessment can examine how data classification affects data handling and the RCSA process. It can also identify control gaps between the quality assurance and quality control processes. Risk management policies identify the criteria and content of assessments. Risk management requirements may vary by industry and regulatory standards.

When creating a data classification scheme, you must keep the following in mind:

  • Keep the classification simple—no more than three to five data classes.
  • Ensure that data classes are easily understood by employees.
  • Data classification must highlight which data is most valuable to the organization.
  • Classify data in the most effective manner, starting with the highest-risk data.

The takeaway is that there is no one common approach to defining risk and controls within an organization. Many of the same elements are there but repackaged in a different form. Regardless of what the plan is called, it’s important that the risk management policies promote a thorough understanding of the business. They should include a definition of its risks and the ability to ensure data is properly handled.
