During the planning phase of acquiring any new system, especially a cloud-based platform, the most critical initial determination is the classification of data that will be stored and processed. This decision is foundational as it directly influences all other security, compliance, and operational considerations. Understanding the data's sensitivity (e.g., public, confidential, restricted) dictates the required level of security controls, data residency and sovereignty requirements, and applicable legal or regulatory obligations (e.g., GDPR, HIPAA). This strategic decision precedes and informs the tactical design of access controls, user lifecycle management, and auditing procedures.

A. Role-based access control (RBAC) policies are a specific security control mechanism. The design and stringency of these policies are a direct consequence of the types of data the platform will manage, not the primary planning decision.

C. Processes for on-boarding and off-boarding users are operational procedures. While crucial for security, they are defined and implemented based on the security requirements established from the data classification and risk assessment.

D. Processes for reviewing administrator activity are a detective control. The need for and frequency of such reviews are determined by the risk level associated with the platform, which is primarily defined by the sensitivity of the data it holds.

---

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations and Business Resilience

Section 5.3.3 Data Classification. The manual emphasizes that data classification is a prerequisite for applying appropriate security controls. It states

"The objective of classifying information is to ensure that information assets receive an appropriate level of protection." This principle is most critical during the initial planning and requirements definition phase of an acquisition.

2. NIST Special Publication 800-144

Guidelines on Security and Privacy in Public Cloud Computing. Section 5.2.1

"Information and Data

" states

"The type of information processed

stored

and transmitted by a system is a primary factor in determining the security and privacy requirements for the system." This highlights that understanding the data is the foundational first step in planning for cloud adoption.

3. COBIT 2019 Framework: Governance and Management Objectives

ISACA. The management objective APO14 Managed Data includes the key practice APO14.02

"Define and maintain a data classification scheme." The framework guidance indicates that this classification

based on business needs and criticality

is essential to "allow for the application of appropriate controls." This is a fundamental governance activity that must be addressed in the planning phase.