The new policy 230.75 Data Classification establishes the responsibilities for classifying data and how to meet required security control levels for each category. Each agency shall serve as the classification authority for the data or information it owns. Just because BIT maintains or collects data for another State agency does not mean BIT is the owner; that State agency is still the data owner.
The policy stipulates that data must be classified by these three security objectives: Confidentiality, Integrity, and Availability. Those three objectives are then classified by three potential impacts: Low, Moderate, and High. Confidentiality may also be classified as having no impact.
The data owner must:
- Choose a process to classify data.
- Document the classification.
- Determine what laws or regulations limit the use, disclosure, access, retention, or disposal of the data.
- Educate your staff on classification procedures, requirements, and guidelines.
- Communicate the classification results to BIT.
- Establish a classification review process.
- Assure that proper access controls are implemented, monitored, and audited in accordance with the data classification assigned by the data owner.
- Submit audit results to data owners as required by law.
- Perform regular backups.
- Validate data integrity.
- Fulfill data requirements specified by agency policies, standards, and guidelines.
- Retain records of data activity.
- Provide appropriate security controls for contractor hosted services.
To read the full text of the policy, click on the ITSP icon on your desktop and navigate to policy 230.75.