PrepAway - Latest Free Exam Questions & Answers

Michael is charged with developing a classification program for his company. Which of the following should he do first?

A. Understand the different levels of protection that must be provided.

B. Specify data classification criteria.

C. Identify the data custodians.

D. Determine protection mechanisms for each classification level.

Explanation:

A: Before Michael begins developing his company's classification program, he must understand the different levels of protection that must be provided. Only then can he develop the necessary classification levels and their criteria. One company may choose to use only two layers of classification, while another may choose to use more. Regardless, when developing classification levels, he should keep in mind that too many or too few classification levels will render the classification ineffective; there should be no overlap in the criteria definitions between classification levels; and classification levels should be developed for both data and software.

B is incorrect because data classification criteria cannot be established until the classification levels themselves have been defined. The classification criteria are used by data owners to know what classification should be assigned to specific data. Basically, the classifications are defined buckets, and the criteria help data owners determine which bucket each data set should be put into.

C is incorrect because there is no need to identify the data custodians until classification levels are defined, criteria are determined for how data are classified, and the data owner has indicated the classification of the data she is responsible for. Remember, the data custodian is responsible for implementing and maintaining the controls specified by the data owner.

D is incorrect because protection mechanisms for each classification level cannot be determined until the classification levels themselves are defined based on the different levels of protection that are required. The types of controls implemented per classification will depend upon the level of protection that management and the security team have determined is needed.
