- Identify Data Categories
- Identify the sensitivity of the data and the regulations it must comply with.
- Identify Risk Categories
- Identify the risk categories in order to respond to them more effectively.
- Develop a Classification Policy
- If the organization does not already have a classification policy in place, it can develop one in this step so that the right procedures are followed and, for example, the roles, responsibilities and access rights for each data category are decided.
- Identify Data Assets
- Identify the data that is going to be classified. In this step, the organization needs to pay attention to the data that will be shared with third parties, and also to the documents that will be created jointly with them.
- Identify the Data Controllers
- Identify the data controllers, as they are responsible for deciding how the data is going to be used.
- Identify the Geo-location of the Data
- Identifying the geo-location of the data is an essential part of the process, as regulations and/or laws vary between cities and countries and may affect the whole process.
- Conduct Risk Assessment
- Conduct a risk assessment based on the data and risk categories identified in the previous steps. It is also relevant to consider the data that is going to be shared, in order to evaluate the risks involved and their consequences.
- Implement Data Classification
- In this activity the data classification policy comes into effect, and the handling and disposal procedures are implemented.
- Develop Data Sharing Agreement
- Develop a formal data-sharing agreement with third parties based on the data requirements identified in the previous steps.
- In this phase the organization has the opportunity to monitor all the activities of the model and, where necessary, make improvements to enhance the data classification process.
Conduct Data Classification
The data classification framework shows the steps for conducting classification of data; it also takes into consideration whether the organization needs to work on or share documents with third parties (British Standard, 2017) (ISO/IEC, 2005) (ISO/IEC, 2008) (NIST, 2004).
- British Standard. BS 10010:2017, Information classification, marking and handling.
- ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems — Requirements.
- ISO/IEC 27005:2008 – Information technology — Security techniques — Information security risk management.
- NIST, FIPS PUB 199, 2004. Standards for Security Categorization of Federal Information and Information Systems.