Due Diligence and Ongoing Monitoring

  • 1.  Data Classification

    Posted 06-26-2020 11:28 AM
    One of our audit recommendations last year was to expand our policies on data classification. It was recommended that we come up with a way to classify the bank's data and information per level of sensitivity and/or impact to the bank should that data be disclosed, altered or destroyed without authorization.

    How are other banks classifying their data? What criteria are you using? And what level of classification do you have in place?


  • 2.  RE: Data Classification

    Posted 06-29-2020 12:10 PM

    Hi,

    First, I would like to assume that you do have a data classification policy in place, yet the auditor requested that it provide more detail, to include actual classification types, the impact associated with each type, designation of data owners, data custodians, data users, and finally a risk assessment.

    Based on my experience, the common classification types include: Restricted, Confidential, Internal, and Public. The common impact types are: Severe, High, Moderate, and Low.

    For example:

    Classification Type    Impact      Examples
    Restricted             Severe      Government Information
    Confidential           High        Passwords, PII, PCI, etc.
    Internal               Moderate    Policies, Procedures, internal documentation, etc.
    Public                 Low         Rates, Promotions, Locations, etc.

    Once your institution identifies all the data you have in your possession, you will be able to designate the data owners, data custodians, and users. At this point you are able to perform a risk assessment based on the various scenarios: data loss, compromise, destruction.

    This has been my experience, but I would like to hear about other FIs' experience with this as well.