Answer yes if your organisation has a documented Information Classification Policy that has been reviewed in the last year and that outlines the data handling procedures in operation within your organisation. Please provide the Information Classification Policy (as a PDF file) as evidence or reference a section of a previously provided Information Security Policy in the notes.
What is it?
An information classification policy defines the sensitivity of different types of data and also helps in the identification of sensitive data. Without the ability to define, recognise, and label information, it is difficult or even impossible to provide that information with the correct level of protection and to ensure that such protection is properly applied.
Why should I have it?
Information classification does several things. It not only helps categorise data according to sensitivity, but also enables the definition of environments that can handle those different data types, and of the measures that should be in place around each type of data. This allows a variety of policies and controls to be made more granular and helps you use resources more appropriately. For example, public data of little value warrants less investment in keeping it secure and confidential than highly sensitive personal or commercial data, so spending heavily on protecting it would be wasteful of resources. Meanwhile it makes business sense to create additional controls and more restrictive policies around how highly sensitive data should be processed and stored.
Having a good information or data classification policy reassures clients that their 3rd party providers carefully consider what information is most sensitive, which should include the client’s data or anything that could introduce additional risks to the client, and handle it in a way that is commensurate with its level of sensitivity.
A data classification policy should consider all types of data stored and processed by the organisation, both internal and external, and define how each category of data should be treated. A data discovery exercise and/or process review (any process that may interact with or allow access to data) are often useful ways to locate data across the enterprise and bring it into compliance with the terms of the policy.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy that meets your business and technical requirements.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.