About this program
Do you actually classify data — and is the classification reflected in access control, encryption and retention? Quick snapshot.
Risks addressed
- High: Confidential data treated like public data, so it is over-shared
- Medium: No owners, so nobody decides who can access what
- High: Restricted data exfiltrated without detection
- Medium: Data kept indefinitely, increasing breach blast radius
Controls (6)
- Classification scheme published (High)
How to test + evidence
Testing procedure: Confirm a simple, agreed scheme (e.g. Public / Internal / Confidential / Restricted) is documented and published where staff can find it.
Evidence to collect: Classification policy.
- Owners assigned per data type (High)
How to test + evidence
Testing procedure: Confirm each data type has a named information owner who decides who may access it.
Evidence to collect: Data owner register.
- Labels applied to documents at source (Medium)
How to test + evidence
Testing procedure: Office / Google Docs apply sensitivity labels at creation; spot-check a sample of recent documents to confirm labels are present and match the content.
Evidence to collect: Labelling tool config + samples.
- Access controls reflect classification (High)
How to test + evidence
Testing procedure: Confirm Confidential / Restricted data is access-restricted to named groups (not all-staff or public), encrypted at rest, and has access logging enabled.
Evidence to collect: ACL extracts + encryption posture.
- Retention rules per classification (Medium)
How to test + evidence
Testing procedure: Confirm the retention policy maps each classification to a retention period and that no class is kept indefinitely by default.
Evidence to collect: Retention policy.
- DLP / outbound monitoring on Restricted data (High)
How to test + evidence
Testing procedure: Confirm DLP rules detect or block exfiltration of Restricted-labelled data through email, cloud sharing and removable media; test with a labelled sample file.
Evidence to collect: DLP policy export.
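The "Access controls reflect classification" and "Retention rules per classification" controls above are easiest to test when the required posture per level is written down once and an inventory of data stores is checked against it. The script below is an added example, not part of this checklist or any tool it names: it encodes a hypothetical four-level scheme with a hypothetical required-controls mapping, audits a constructed inventory against it, and reports per-store findings (missing owner, broad ACL on Confidential/Restricted data, no encryption, no access logging, no or excessive retention). The level names, retention maximums, principal names and inventory records are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical scheme and required posture per level (illustrative values,
# not from the checklist). A real policy states these in the classification
# and retention policies; this table is the testable form of that policy.
REQUIREMENTS = {
    "Public":       dict(restricted_access=False, encrypted=False, audited=False, max_retention_days=None),
    "Internal":     dict(restricted_access=False, encrypted=True,  audited=False, max_retention_days=1825),
    "Confidential": dict(restricted_access=True,  encrypted=True,  audited=True,  max_retention_days=2555),
    "Restricted":   dict(restricted_access=True,  encrypted=True,  audited=True,  max_retention_days=2555),
}

# Principals that amount to "anyone". A store holding Confidential or
# Restricted data must not grant access to these (hypothetical group names).
BROAD_PRINCIPALS = {"everyone", "all-staff", "anonymous", "authenticated-users"}


@dataclass
class DataStore:
    name: str
    classification: str
    owner: Optional[str]       # None = no named information owner
    principals: list           # groups/users present in the ACL
    encrypted_at_rest: bool
    access_logging: bool
    retention_days: Optional[int]  # None = kept indefinitely


def audit_store(store: DataStore) -> list:
    """Return a list of findings for one store (empty list = compliant)."""
    findings = []
    if store.owner is None:
        findings.append("no named information owner")
    req = REQUIREMENTS.get(store.classification)
    if req is None:
        # An unknown label cannot be mapped to controls, so stop here.
        findings.append(f"unknown classification '{store.classification}'")
        return findings
    if req["restricted_access"]:
        broad = sorted(p for p in store.principals if p.lower() in BROAD_PRINCIPALS)
        if broad:
            findings.append(
                f"{store.classification} data shared with broad principal(s): {', '.join(broad)}"
            )
    if req["encrypted"] and not store.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if req["audited"] and not store.access_logging:
        findings.append("access not audited")
    max_days = req["max_retention_days"]
    if max_days is not None:
        if store.retention_days is None:
            findings.append("no retention period set (kept indefinitely)")
        elif store.retention_days > max_days:
            findings.append(f"retention {store.retention_days}d exceeds policy maximum {max_days}d")
    return findings


def audit_inventory(stores) -> dict:
    """Map store name -> findings for every store in the inventory."""
    return {s.name: audit_store(s) for s in stores}


# Constructed sample inventory for illustration; these are not real systems.
SAMPLE_INVENTORY = [
    DataStore("hr-payroll-db", "Restricted", "cfo", ["finance-ops"], True, True, 2555),
    DataStore("sales-shared-drive", "Confidential", None, ["all-staff", "sales"], True, False, None),
    DataStore("marketing-site-assets", "Public", "marketing-lead", ["everyone"], False, False, None),
    DataStore("legacy-backup-bucket", "Secret", "it-ops", ["it-ops"], True, True, 3650),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{'OK' if not findings else 'FAIL':4} {name}")
        for f in findings:
            print(f"     - {f}")
```

In practice the inventory would be exported from the data owner register and the platform's ACL and encryption reports rather than typed in, and the findings list is the evidence to attach to the control. Note that the store carrying a label outside the published scheme is reported as a finding in its own right: a label that maps to no controls is as good as no label.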