Hi,
First, I would like to assume that you do have a data classification policy in place, yet the auditor requested that it provide more detail, including actual classification types, the impact associated with each type, designation of data owners, data custodians, and data users, and finally a risk assessment.
Based on my experience, the common classification types include: Restricted, Confidential, Internal, and Public. The common impact types are: Severe, High, Moderate, and Low.
For example:

Classification Type | Impact   | Examples
Restricted          | Severe   | Government information
Confidential        | High     | Passwords, PII, PCI, etc.
Internal            | Moderate | Policies, procedures, internal documentation, etc.
Public              | Low      | Rates, promotions, locations, etc.
Once your institution identifies all the data you have in your possession, you will be able to designate the data owners, data custodians, and users. At this point you are able to perform a risk assessment based on the various scenarios: data loss, compromise, and destruction.
This has been my experience, but I would like to hear about other FIs' experience with this as well.
Original Message:
Sent: 06-26-2020 11:27 AM
From: kouadjo bini
Subject: Data Classification
One of our audit recommendations last year was to expand our policies on data classification. It was recommended that we come up with a way to classify the bank's data and information per level of sensitivity and/or impact to the bank should that data be disclosed, altered, or destroyed without authorization.
How are other banks classifying their data? What criteria are you using? And what levels of classification do you have in place?