Data Classification and Protection Flashcards
Data Classification
The undertaking of developing levels of sensitivity for information and assigning those levels for the purpose of establishing appropriate modes of protection for those data sets.
The formal data classification program consists of:
- Sensitivity levels
- Marking procedures
- Access procedures
- Handling procedures
- Destruction procedures
Sensitivity Levels
In a data classification program, a set of sensitivity levels is established, which reflects the nature of data that is used in the organisation. For example:
- Top secret
- Secret
- Confidential
- Restricted
- Official
- Unclassified
- Public
Information Labelling
The process of affixing a word, symbol or phrase on a set of data. The purpose of labelling is to make other readers aware of the level of classification on a set of data.
Information Handling
Handling guidelines need to be developed for each level of classification, for each possible activity, including:
- Computer storage
- Computer access control
- Backup tape and other portable media
- Network transmission
- Facsimile
- Printing
- Mailing/shipping/courier
- Carrying
- Hard copy storage
Destruction
Classification guidelines need to include information on the proper disposal of classified information.
Destruction procedures are steps to ensure that information is discarded in a way that renders it non-retrievable.
Certification
The process of evaluating a system against a set of formal standards, policies or specifications.
Accreditation
The formal approval for the use of a certified system for a defined period of time.
Internal Audit
The activity of self-evaluation of security controls and policies to measure effectiveness.