DSP-04: Data Classification

Control Statement

Classify data according to its type and sensitivity level.

Implementation Guidance

Implement data classification by defining organizational data categories, such as public data, confidential data, etc. Automated tools that label files according to their sensitivity level may be used. Security measures and protection appropriate to each category should be implemented. Use data classification, tagging, or metadata fields based on industry-standard frameworks such as (but not limited to):

  1. Carnegie Mellon University: Guidelines for Data Classification
  2. SANS Institute: Tagging Data to Prevent Data Leakage (Forming Content Repositories)

Auditing Guidance

  1. Examine the organization's procedures and technical requirements for classifying data. Establish that this process and key controls comply with the organization's data privacy and security policy. Establish whether the organization has documented the roles and responsibilities for this process.
  2. Establish if the organization's data classification matrix is aligned with the organization's data classification requirements.
  3. Select a sample of data to confirm that each item has been classified appropriately.
  4. Examine the measures that evaluate this process and determine whether they address implementation of the process/control requirements as stipulated. Reviews, tests, or audits should be completed periodically by the organization to measure the effectiveness of the implemented controls and to verify that non-compliance and opportunities for improvement are identified, evaluated for risk, reported, and corrected in a timely manner.
  5. Obtain and examine supporting documentation maintained as evidence of these metrics to determine if the office or individual responsible reviews the information and if identified issues were investigated and corrected. Determine if the individual or office is able to correct issues without the need to routinely escalate the issues to the next level of management. Examine related records to determine if the individual or office conducted any follow-ups on the deviations to verify they were corrected as intended.


Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.