User:Shawndouglas/sandbox/sublevel3

From LIMSWiki

During the asset inventory, you'll also want to address classifying the type of data contained or transported by each cyber asset, which aids decision making about the controls you'll need to adequately protect the assets.[1] Use a consistent nomenclature to define the data. For example, universities such as the University of Illinois and Carnegie Mellon University provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal," and "public,"[2] whereas Carnegie Mellon uses "restricted," "private," and "public."[3] You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.[1] Consider also recording whether the data is in motion, in use, or at rest.[4]

If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example[1][5]:

  • Does the data identify an individual directly?
  • Does the data relate specifically to an identifiable person?
  • Could the data—when processed, lost, or misused—have an impact on an individual?
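The following is an added example, not code from the LIMSWiki page or from any of the sources it cites. It ties the two points above together: each data element an asset holds or transports is run through the three personal-data questions, mapped onto one agreed vocabulary (an assumed mapping loosely modelled on the Illinois terms), tagged with its state (at rest, in use, in motion), and the asset then inherits the most restrictive label of anything it carries. An audit pass then flags inventory entries whose declared label is outside the vocabulary or less restrictive than the data warrants. The label names, the mapping rules, the field names, and the sample inventory are all constructed assumptions.

```python
"""Asset-inventory data classification helper (added example; assumptions throughout).
Applies three personal-data questions per data element, enforces one label
vocabulary, tracks data state, and audits declared labels against computed ones."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Label(IntEnum):
    # Ordered so that max() yields the most restrictive label.
    # Vocabulary is an assumption modelled on the Illinois terms cited above.
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    HIGH_RISK = 3


STATES = {"at_rest", "in_use", "in_motion"}


@dataclass
class DataElement:
    name: str
    identifies_directly: bool      # Q1: does the data identify an individual directly?
    relates_to_identifiable: bool  # Q2: does it relate specifically to an identifiable person?
    impact_if_misused: bool        # Q3: could processing/loss/misuse affect an individual?
    states: List[str] = field(default_factory=lambda: ["at_rest"])
    published: bool = False        # intentionally released to the public (assumed attribute)


@dataclass
class Asset:
    asset_id: str
    elements: List[DataElement]
    declared_label: Optional[str] = None  # what the owner wrote on the inventory sheet


def is_personal_data(e: DataElement) -> bool:
    """Treat the element as personal data if any of the three questions is answered 'yes'."""
    return e.identifies_directly or e.relates_to_identifiable or e.impact_if_misused


def classify_element(e: DataElement) -> Label:
    """Map the answers onto the vocabulary. The thresholds are an assumed policy."""
    bad = [s for s in e.states if s not in STATES]
    if bad:
        raise ValueError(f"unknown data state(s) {bad}; use one of {sorted(STATES)}")
    if e.identifies_directly and e.impact_if_misused:
        return Label.HIGH_RISK
    if is_personal_data(e):
        return Label.SENSITIVE
    return Label.PUBLIC if e.published else Label.INTERNAL


def classify_asset(a: Asset) -> Label:
    """An asset takes the most restrictive label of anything it holds or transports."""
    if not a.elements:
        raise ValueError(f"{a.asset_id}: inventory lists no data elements to classify")
    return max(classify_element(e) for e in a.elements)


def normalize_label(text: str) -> Optional[Label]:
    """Accept 'high-risk', 'High Risk', 'HIGH_RISK'; return None if outside the vocabulary."""
    key = text.strip().upper().replace("-", "_").replace(" ", "_")
    return Label[key] if key in Label.__members__ else None


def audit_inventory(assets: List[Asset]) -> Dict[str, List[str]]:
    """Per asset: flag missing labels, off-vocabulary labels, under-classification,
    and personal data recorded as in motion (a hint that transport controls are needed)."""
    findings: Dict[str, List[str]] = {}
    for a in assets:
        notes: List[str] = []
        computed = classify_asset(a)
        if a.declared_label is None:
            notes.append(f"no label declared; computed {computed.name}")
        else:
            declared = normalize_label(a.declared_label)
            if declared is None:
                notes.append(f"label {a.declared_label!r} is outside the agreed vocabulary")
            elif declared < computed:
                notes.append(f"declared {declared.name} but data warrants {computed.name}")
        moving = [e.name for e in a.elements
                  if "in_motion" in e.states and classify_element(e) >= Label.SENSITIVE]
        if moving:
            notes.append("personal data in motion: " + ", ".join(moving))
        findings[a.asset_id] = notes
    return findings


# Constructed sample inventory (not real assets or data).
SAMPLE_INVENTORY = [
    Asset("lims-db-01", [
        DataElement("patient_name", True, True, True, ["at_rest", "in_use"]),
        DataElement("sample_barcode", False, True, False, ["at_rest", "in_motion"]),
    ], declared_label="internal"),
    Asset("sop-web", [
        DataElement("published_sop", False, False, False, ["in_motion"], published=True),
    ], declared_label="public"),
    Asset("instrument-pc-07", [
        DataElement("run_log", False, False, False),
    ], declared_label="confidential"),
]

if __name__ == "__main__":
    for asset_id, notes in audit_inventory(SAMPLE_INVENTORY).items():
        print(asset_id, "->", notes or ["ok"])
```

Running the sample flags lims-db-01 as under-classified (a name with impact on misuse pushes it to high-risk) and notes the barcode travelling in motion, passes sop-web, and rejects "confidential" on instrument-pc-07 because it is not in the agreed vocabulary, which is exactly the inconsistency the text warns against.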

References

  1. 1.0 1.1 1.2 Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020. 
  2. "Data Classification Overview". Cybersecurity. University of Illinois System. 2019. https://cybersecurity.uillinois.edu/data_classification. Retrieved 23 July 2020. 
  3. "Guidelines for Data Classification". Information Security Office Guidelines. Carnegie Mellon University. 23 May 2018. https://www.cmu.edu/iso/governance/guidelines/data-classification.html. Retrieved 23 July 2020. 
  4. Bowie, K. (9 April 2019). "SEC Cybersecurity Guidance: Data Loss Prevention". Adelia Associates, LLC. Archived from the original on 30 November 2019. https://web.archive.org/web/20191130181159/https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/. Retrieved 23 July 2020. 
  5. Koch, R. (1 February 2019). "What is considered personal data under the EU GDPR?". Proton Technologies AG. https://gdpr.eu/eu-gdpr-personal-data/. Retrieved 23 July 2020.