Data classification is a fundamental component of a risk-based information security program. The BEST source for determining the appropriate classification for new data is a risk assessment. This process evaluates the data's value, sensitivity, and criticality by analyzing the potential impact (e.g., financial, operational, reputational, legal) on the organization if its confidentiality, integrity, or availability were to be compromised. The outcome of this impact analysis directly informs the assignment of a classification level (e.g., Confidential, Restricted), which in turn dictates the necessary security controls.

A. Input by data custodians: Data custodians are responsible for implementing and maintaining security controls, not for determining the classification level, which is the responsibility of the data owner.

B. Security policy requirements: The security policy establishes the framework and defines the available classification levels, but it does not determine the specific classification for a particular data set.

D. Current level of protection: The classification of data should dictate the required level of protection, not the other way around. Basing classification on existing controls is a reactive and flawed approach.

1. ISACA

CISA Review Manual

27th Edition. Domain 3: Information Systems Acquisition

Development

and Implementation

Section 3.4.3 Data Classification. The manual explains that data classification is based on the data's criticality and sensitivity to the organization

which are key outputs of a risk assessment process.

2. ISACA

"Data Classification: A Prerequisite for Effective Information Protection and Governance

" White Paper

2019. Page 4 states

"The classification of data is based on its level of sensitivity and the impact to the organization should that data be disclosed

altered or destroyed without authorization." This impact assessment is the core of a risk assessment.

3. National Institute of Standards and Technology (NIST)

Federal Information Processing Standards (FIPS) Publication 199

"Standards for Security Categorization of Federal Information and Information Systems

" February 2004. Section 2

"Purpose

" and Section 3.1

"Security Categorization

" specify that the categorization (classification) of information is determined by assessing the potential impact of a loss of confidentiality

integrity

or availability. This is a foundational activity within risk management.