Data Classification

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
>> Hi, there, and welcome to
00:00
our next lesson, data classification.
00:00
We'll be talking about what data classification is,
00:00
some of the related control measures,
00:00
and some considerations that
00:00
need to be taken into account,
00:00
particularly from an organization perspective.
00:00
Let's begin. Like I said, data classification.
00:00
There's a number of key issues around here.
00:00
First of all, let's see an inventory
00:00
of information assets.
00:00
Classifying your data will give you
00:00
a good look as to exactly what information
00:00
your organization holds and what criticality it also has.
00:00
Now in terms of the criticality,
00:00
that will provide a method of
00:00
defining what data is the most important
00:00
to the business through to what data may
00:00
be a little bit less important to business.
00:00
Data classification will also help define the data owner,
00:00
the person within the organization
00:00
or the department within
00:00
the organization that is responsible
00:00
for the life-cycle management of the data.
00:00
It will also help prevent overprotection of data.
00:00
Data comes with a cost,
00:00
and certainly protecting highly sensitive data
00:00
when it's not necessarily needed to be protected in
00:00
that manner is an excessive cost which may not
00:00
be good for the organization from a resource perspective.
00:00
Now, a couple of control measures
00:00
that need to be taken into account.
00:00
The importance of the information assets.
00:00
Where does this sit in terms of the business function?
00:00
As we spoke,
00:00
the information asset owners
00:00
are important in terms of the control.
00:00
Also, there needs to be a process for granting access,
00:00
and this may vary
00:00
depending upon the sensitivity of course.
00:00
Very sensitive data may have a lot more oversight and
00:00
governance than unofficial data, for example.
00:00
A person responsible for
00:00
approving access, rights and level,
00:00
which is usually defined as
00:00
the asset owner or information asset owner or delegate,
00:00
needs to be defined in this process,
00:00
and it needs to extend the depth of security controls.
00:00
We need to have a definition of what level of
00:00
sensitivity of information is
00:00
required for encryption, for example.
00:00
Now, a couple of considerations
00:00
from an auditor perspective.
00:00
Legal, regulatory, contractual,
00:00
and compliance is certainly key.
00:00
This is information gathered by
00:00
a particular instrument that
00:00
has rules and regulations surrounding it.
00:00
It's this privacy information.
00:00
If you're in a jurisdiction that
00:00
has very strong privacy controls,
00:00
that's an important thing to recall,
00:00
and the classification system.
00:00
What system is actually being used?
00:00
Is it clearly defined and is clearly understood,
00:00
and also, is it clearly understood by the users?
00:00
That's basically our lesson.
00:00
We have talked a little bit about
00:00
the issues surrounding data classification
00:00
and some of the aspects
00:00
that need to be taken into account.
00:00
A little bit on control measures for data and some of
00:00
the considerations as an auditor
00:00
that you need to be mindful of,
00:00
when approaching this particular aspect
00:00
of the organization.
00:00
I hope you enjoyed our lesson
00:00
and I will see you in the next one.