
Classifying data according to sensitivity level

Data Classification Schema

Public
    Information intended or required for sharing with the public.
    o Brochures
    o Press Releases
    o Website Material

Internal Use
    Non-sensitive information that is used in the daily operation of an agency.
    o Work Phone Numbers
    o Policies
    o Interagency communication

Confidential
    Sensitive information in use by an agency.
    o Information security plans

Restricted
    Highly sensitive information protected by statutory penalties.
    o Personally Identifiable Information (PII)
    o Data received from the Internal Revenue Service (IRS)
    o Personal Health Information (PHI)

Potential Impact table

Financial Impact
    Question to ask: What would the potential financial impact be if this information were compromised?

Reputational Impact
    Question to ask: What would the potential reputational impact be if this information were compromised?

Operational Impact
    Question to ask: What would the potential operational impact be if this information were compromised?

Potential Answers
    High      If you answered any of the above questions with: a severe or catastrophic adverse impact
    Moderate  If you answered any of the above questions with: a serious adverse impact
    Low       If you answered any of the above questions with: a limited adverse impact

Data Description

Description
    Represents the data and describes the data's use within the business process. This description gives the reader a brief explanation of what the data set is used for.

Business Process Owner (Data Owner)
    The individual who has ownership of the information in the business process. The data owner should be able to edit the data, have a full understanding of the data, and be able to interpret the data.
    When listing the data owner, it is important to note which group they are a part of, in case of an unexpected departure.

Data Custodian
    The individual who manages the application/system that contains the business process data. This individual could be an IT system administrator, system owner, database administrator, business process owner, etc.
    When listing the data custodian, it is important to note which group he or she is a part of, in case of an unexpected departure.

Data Governance Structure

Business Process Owner
    o Has in-depth knowledge of a particular business process and its data
    o Classifies the systems within the Data Inventory
    o Oversees the capture, maintenance, and distribution of data for a particular business process
    o Makes security decisions regarding access to the data of the business process
    o Implements a control structure
    o Establishes roles and responsibilities for each Business Owner

Data Classification Schema

After determining the classification of the data within each system, the business process owner should do one of the following:
    o If a system only contains Public or Internal Use data, the business process owner should conclude the Data Inventory and submit it to the Data Inventory Quality Assurance team for further review.
    o If a system contains Confidential or Restricted information, the business process owner should continue to the Data Set Level tab of the Data Inventory.
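The schema above, the Potential Impact answers and the owner's next step, written out as an added Python example; this is not code from the original deck. The class and function names, the constructed sample systems, and the rule that a system takes the highest classification found in any of its data sets (my reading of "if a system contains Confidential or Restricted information") are assumptions:

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """The four levels of the deck's schema, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL_USE = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class Impact(IntEnum):
    """Adverse-impact answers from the Potential Impact table."""
    LIMITED = 1
    SERIOUS = 2
    SEVERE = 3  # the deck's "severe or catastrophic"


# Attribute tags the deck lists as Restricted examples (protected by statutory
# penalties): PII, data received from the IRS (FTI), and health information (PHI).
STATUTORY_ATTRIBUTES = frozenset({"PII", "FTI", "PHI"})


@dataclass
class DataSet:
    name: str
    attributes: frozenset[str] = frozenset()
    # Classification the business process owner assigns to data that carries no
    # statutory tag (an information security plan would be declared Confidential).
    declared: Classification = Classification.INTERNAL_USE


def classify_data_set(ds: DataSet) -> Classification:
    """Statutory-protected data is Restricted regardless of what was declared."""
    if ds.attributes & STATUTORY_ATTRIBUTES:
        return Classification.RESTRICTED
    return ds.declared


def classify_system(data_sets: list[DataSet]) -> Classification:
    """Assumption: a system inherits the highest classification of any data set it holds."""
    return max((classify_data_set(d) for d in data_sets), default=Classification.PUBLIC)


def rate_impact(financial: Impact, reputational: Impact, operational: Impact) -> str:
    """Potential Answers rule: the worst answer across the three questions decides."""
    worst = max(financial, reputational, operational)
    return {Impact.SEVERE: "High", Impact.SERIOUS: "Moderate", Impact.LIMITED: "Low"}[worst]


def next_step(level: Classification) -> str:
    """What the business process owner does once the system is classified."""
    if level <= Classification.INTERNAL_USE:
        return "Conclude the Data Inventory and submit it to the Data Inventory QA team"
    return "Continue to the Data Set Level tab of the Data Inventory"


# Constructed sample systems (hypothetical, not taken from the deck).
PUBLIC_WEBSITE = [
    DataSet("Website Material", declared=Classification.PUBLIC),
    DataSet("Press Releases", declared=Classification.PUBLIC),
]
HR_SYSTEM = [
    DataSet("Work Phone Numbers", declared=Classification.INTERNAL_USE),
    DataSet("HR Personnel Tax Records", attributes=frozenset({"FTI"})),
]


if __name__ == "__main__":
    for label, system in (("public website", PUBLIC_WEBSITE), ("HR system", HR_SYSTEM)):
        level = classify_system(system)
        print(f"{label}: {level.name} -> {next_step(level)}")
    print("impact:", rate_impact(Impact.LIMITED, Impact.SERIOUS, Impact.LIMITED))
```

One work-phone-number data set next to one FTI data set is enough to push the whole HR system to Restricted, which is the point of classifying at the system level before deciding whether the Data Set Level tab is needed.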

Asset Category

An asset is a system that is used in a given business process within a functional area (e.g., Human Resources, Accounting, Legal).

Asset's Functional Area
    The business unit within an agency that the business process is associated with.
    Example: Human Resources, Information Technology, Legal, Shared Services, and Accounting.

Asset's Business Process
    A set of activities performed by an agency that support agency objectives.
    Example: accounts payable, treasury, billing, learning and training, and HR onboarding.

Asset's Sub-Process
    A specific task and/or component of a business process.
    Example: a sub-process of HR Onboarding could be setting up automatic deposit with the new hire's bank account. A sub-process of billing could be importing the invoices into a system.

Asset's Application/System
    Sub-processes are linked to the critical applications/systems used when performing activities associated with the business process.
    For example, if a business process requires tickets to be made with CA Service Desk to report an error, the business process owner should list CA Service Desk as an Application/System under the sub-process Error Handling.

Data Attributes

Personally Identifiable Information (PII)
    Information is considered PII when it can be used to distinguish or trace an individual's identity.

Protected Health Information (PHI)
    Information is considered PHI when it is a subset of health information, including demographic information collected from an individual.

Federal Tax Information (FTI)
    Information is considered FTI when it is provided by the IRS.

Criminal Justice Information System (CJIS)
    Information is considered CJIS when it is provided by the FBI.

Confidential or Restricted
    Both have the same security objectives; however, restricted data is additionally protected by statutory laws, regulations and other mandates related to protecting information.

Data Classification: Data Protection

Once the sensitive data elements of a system have been identified, it is important for the business process owner to identify the current level of protection on that system.

System owners should identify the system-level data protection devices, such as access control, encryption, and firewalls.

Data Classification: Backup Frequency

The system's schedule for creating a copy of vital data for the purpose of recovery.

    o N/A (the system is not backed up in the year)
    o Daily
    o Weekly
    o Monthly
    o Quarterly
    o Yearly

*** Data retention indicates how long a system's data needs to be preserved. ***

Data Description Category

The Data Description category focuses on the attributes of a high-risk data set in a system. The characteristics include the data set's name, frequency of use, data type, description, business process owner, and data custodian.

Data Description

Data Set Name               Frequency of Use  Data Type   Description                          Business Process Owner (Data Owner)  Data Custodian
Information Security Plans  Daily             Structured  Records of individual employee time  John Doe (HR Director)               Jane Doe (HR Admin)
HR Personnel Records        Weekly            Structured  SCEIS Page with PII                  John Doe (HR Director)               Jane Doe (HR Admin)
HR Personnel Tax Records    Yearly            Structured  Tax information for W2s              John Doe (HR Director)               Jane Doe (HR Admin)

Questions
