PO2.3 Data Classification Scheme

CobiT definition:

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public,
confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate
security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and
sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Bill says,

What I really like about CobiT is that it forces you to look at things in a comprehensive way. For data classification you really need to analyze every bit of data you collect, categorize it, and decide who will have access, how you will control it, etc. - but those are future controls. For this one it is all about defining the classification of data.

Let’s look at some non-traditional data that really does need to be captured in your classification scheme. For example, you probably use WebEx for data conferencing. And I am sure you realize that there are a lot of data archives pertaining to the meetings held through WebEx - many of which can have very telling titles.

As an aside, if you are using WebEx make sure you do not have your site open to the public - or you have strict rules and controls in place regarding what people can use as the subject line in meetings. Prior to us turning this off I saw some pretty awkward meeting titles that were open for all to see - employees, customers and competitors.

So you probably have never thought about that data, but you need to. What parts are important? I know for me we record the monthly usage locally because after three months we lose access to it through WebEx. Who has access to that? How can we be sure we know who is responsible for archiving it? These are all important questions that you need to go through as part of the classification exercise.

Don’t be scared off by how much data you have; this is work that needs to be done!

The third step in Defining the Information Architecture is defining the data classification scheme.


Comments (2) to “PO2.3 Data Classification Scheme”

  1. Hi Bill,

    I came across your article via a google alert and I read with interest. I work for WiredRed Software and our e/pop web conferencing software is ’similar’ to WebEx.

    I was interested to know that WebEx only archive records for x3 months. I couldn’t agree more about the corporate security aspects of having public access to the WebEx web conferencing site.

    We stumbled across ALL of the WebEx conference names for one of WebEx’s investment banking customers in the UK - some of the conference titles can be quite revealing...

    Anyway, if you or your colleagues are interested in a more ’secure’ web conferencing product then please consider WiredRed’s e/pop web conferencing software.

    Best regards,

    Ian Saunders
    http://www.wiredred.co.uk

  2. [...] One man’s journey into the world of IT Governance « PO2.3 Data Classification Scheme [...]
