Data classification policy

Risk based

  • A data classification should reflect the risk that goes with it.
  • Who is liable for the data classification and for any reports of non-compliance.
  • Need-to-know principle: access to information is granted only if it is necessary for performing a role that has been assigned.

Classification scheme

Which labels are assigned to which information, and what is the scope of the need-to-know?

By default, there are four labels:

  • Secret
  • Confidential
  • Internal (standard)
  • Audience

Scaling classification

What is the scope of the various data classification labels?

When should they be used?

Measures

The specific measures set out in this policy with which the organization must comply.

What are the standard technical and organizational measures to be taken by label?

Where there are deviations from this standard, they are to be subjected to a risk analysis. This means that the resulting risk must be accepted by the risk owner concerned.

Standards

Use case driven measures related to technology or use of classified information.

  • E-mail use
  • Web application
  • Phone/SMS
  • Paper
  • Verbally
Last modified: Thursday, 31 December 2020, 12:56 PM