
PO2.3 - Data Classification Scheme

This topic is intended to enable collaboration and sharing of information to facilitate a better understanding and approach to implementing this COBIT control objective based on the risk, value and guidance provided by its corresponding control practices.

COBIT Control Objective PO2.3 - Data Classification Scheme is contained within the process Define the Information Architecture.


Data Classification Scheme

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.


Value Drivers

  • Ensured availability of information that supports decision making
  • The focus of security investments based on criticality
  • Defined accountability for information integrity, availability and security
  • Data access consistently permitted based on defined security levels

Risk Drivers

  • Inappropriate security requirements
  • Inadequate or excessive investments in security controls
  • Occurrence of privacy, data confidentiality, integrity and availability incidents
  • Non-compliance with regulatory or third-party requirements
  • Inefficient or inconsistent information for decision making

Control Practices

  1. Create a classification scheme that defines attributes for data classification, such as data ownership, definition of security levels (confidentiality, integrity and availability), and a brief description of data retention and destruction requirements.
  2. Define data classification levels for each of the defined attributes (e.g., for confidentiality: public, internal, confidential).
  3. Identify business owners accountable for information (data owners).
  4. Ensure that the data owner classifies all information using the defined scheme and levels. Classification covers the whole life cycle of information from creation to disposal. Where an asset has been assessed as having a certain classification, any component inherits the same classification.
  5. Make owners understand the consequences of the classification, and balance security needs against cost considerations and other business requirements considering the value of the assets they own.
  6. Ensure that information and data are labelled, handled, protected and otherwise secured in a manner consistent with the data classification categories.

Discussions: 1 total

Hi, I am performing an analysis on the impact of combining Internal and Confidential classification of information and the impact on Company policies and standards. For example, what is the impact (risk and/or value) of combining Internal and Confidentia...
AdamPC | 11/2/2015 1:42:14 PM | COMMENTS(0)

Documents & Publications: 40 total


Events & Online Learning: 6 total

15 Jun 2015
ISACA International Event
Ciudad de México, Mexico
13 Aug 2018
ISACA International Event
Nashville, Tennessee, US
2018 GRC Conference - 13-15 August, Nashville, TN. Explore the future of Governance Risk and Control through expert-led workshops and sessions developed by the IIA and ISACA. Register early for our GRC learning tracks.

Journal Articles: 119 total

Volume 4, 2018
by Robert E. Davis, DBA, CISA, CICA
How organizational representatives communicate about technological innovation is often a significant factor in the success or failure of innovation management.
Volume 4, 2018
Organizations aim to achieve their objectives while managing risk within their risk appetites. A good governance structure for managing risk is to establish three lines of defense.
Volume 4, 2018
by Mehmet Zeki Önal, CISA, CRISC, CGEIT, CCSA, CRMA
From the risk management perspective, the need for data governance exists not only in the insurance sector, but also in all sectors affected by IFRS regulations.
Volume 4, 2018
by Rama Lingeswara Satyanarayana Tammineedi, CISA, CRISC, CBCP, CISSP, MBCI, PMP
Performance evaluation of an organization’s risk management system ensures the risk management process remains continually relevant to the organization’s business strategies and objectives.
Volume 4, 2018
by Ramón Serres, CGEIT, CISM, CSX Fundamentals, CCSK, CISSP
Managing cybersecurity or, more specifically, managing cybersecurity risk, is much more than just technology and, in most cases, has nothing to do with having the money to afford state-of-the-art technology.
Volume 3, 2018
by Giuliano Pozza, CGEIT, e-CF Plus (CIO), ITIL v3
The world of information and data management is changing faster than anyone could have predicted a few years ago, and attention to sensitive data protection is growing, as the new GDPR is clearly proving.

Wikis: 2 total

Blog Posts: 30 total

5 Jun 2018
Recently, I witnessed an interesting webcast by Scopism, a UK-based consulting and training company. They announced the publication of the SIAM(c) Foundation Body of Knowledge, available for free through their website Service Integration...
Posted By : Peter873 | 2 comments
What do you think: when will artificial intelligence (AI) be smarter than humans? Can you predict it and, if yes, when will it approximately happen in your opinion? Vote in the poll at the link below, please:
Posted By : Dragan Pleskonjic | 3 comments
Have you experienced a ransomware attack so far and, if yes, what did you do to resolve it? I set up a Twitter poll here: It lasts for seven days. Thank you for taking part in the poll.
Posted By : Dragan Pleskonjic | 5 comments
My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me. Data Protection under the GDPR For past few months, I’ve been helping to org...
Posted By : Thomas152 | 1 comments
16 Jan 2018
Is it possible to use crowd-sourced security intelligence to predict future events? For this exercise, experimental web site Security Predictions has been built to harness the ‘wisdom of crowds’....
Posted By : Dragan Pleskonjic | 3 comments
Information Security and Privacy is a hot issue at the present time. The number of security breaches is rapidly increasing. In case of late detection, costs of breaches are skyrocketing. At the same time, Artificial Intelligence (AI), Machine Learning (ML) are fast...
Posted By : Dragan Pleskonjic | 0 comments