One of our audit recommendation last year was top expend our policies on data classification. it was recommended that we come up with a way to classify banks data and information per
level of sensitivity and/or impact to the bank should that data be disclosed, altered or destroyed without authorization.
How are other bank classifying their data ? what criteria are you using ? and what level of classification do you have in place ?