A Security Practices Evaluation Framework
Apply Data Classification Scheme
Maintain and apply a Data Classification Scheme. Identify and document security-sensitive data such as personal information, financial information, and system credentials.
Description
A Data Classification Scheme (DCS) specifies the characteristics of security-sensitive data, for example personal information, financial information, or system credentials, together with the rules for recognizing and handling each class. The DCS should be developed by considering the security implications of all data used by the software, and it should be consulted by project personnel when writing, testing, and documenting the project's software.
Practice Implementation Questions
1. Does the software under development reference, store, or transmit any of the following data?
   - personally identifiable information (PII)
   - financial information
   - credit card information
   - system credentials (e.g. passwords, SSH keys)
2. Are rules for recognizing all of the data types identified in question 1 documented?
3. Are rules for handling all of the data types identified in question 1 documented?
4. Is the DCS revised periodically?
5. Are all personnel trained in the use of the DCS?
6. Are personnel periodically re-trained in the use of the DCS?
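The recognition and handling rules asked about in questions 2 and 3 are easiest to keep honest when they are written down as executable checks rather than only as a policy document. The following is an added example, not part of the SP-EF framework text: a constructed, deliberately small DCS with three categories (PII, FINANCIAL, CREDENTIAL), a recognition rule for each (a Luhn-checked card number, a private-key PEM header or credential-like field name, an e-mail address or known PII field name), and a handling rule that decides what may appear in a log line. The category names, the field-name lists, the handling strings and the sample record are all assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed DCS for this example: category -> documented handling rule.
HANDLING: Dict[str, str] = {
    "PII":        "mask in logs; access limited to the owning service",
    "FINANCIAL":  "never log; store only a tokenised reference",
    "CREDENTIAL": "never log or persist in plaintext; rotate on exposure",
}

# Recognition rules (assumed for the example; a real DCS would list its own).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC |DSA )?PRIVATE KEY-----")
CREDENTIAL_FIELD_RE = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
PII_FIELD_NAMES = {"ssn", "date_of_birth", "street_address", "address"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; screens out random digit runs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """Card numbers are 13-19 digits, optionally separated by spaces or hyphens."""
    digits = re.sub(r"[ -]", "", value)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def classify(field: str, value: str) -> Optional[str]:
    """Apply the recognition rules to one field; None means 'not classified'."""
    if CREDENTIAL_FIELD_RE.search(field) or PRIVATE_KEY_RE.search(value):
        return "CREDENTIAL"
    if looks_like_card_number(value):
        return "FINANCIAL"
    if EMAIL_RE.match(value) or field.lower() in PII_FIELD_NAMES:
        return "PII"
    return None


def classify_record(record: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Inventory step: tag every field of a record with its DCS category."""
    return {name: classify(name, value) for name, value in record.items()}


def mask(value: str) -> str:
    """Keep the first and last two characters so a masked value is still correlatable."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def redact_for_log(record: Dict[str, str]) -> Dict[str, str]:
    """Handling step: apply HANDLING before a record is written to a log."""
    out: Dict[str, str] = {}
    for name, value in record.items():
        category = classify(name, value)
        if category in ("FINANCIAL", "CREDENTIAL"):   # 'never log' categories
            out[name] = "[REDACTED:%s]" % category
        elif category == "PII":                        # 'mask in logs'
            out[name] = mask(value)
        else:
            out[name] = value
    return out


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "card_number": "4111 1111 1111 1111",
    "password": "hunter2",
    "order_id": "A-1029",
}

if __name__ == "__main__":
    for name, category in classify_record(SAMPLE_RECORD).items():
        print(f"{name:12s} {category or '-':11s} {HANDLING.get(category or '', 'no special handling')}")
    print(redact_for_log(SAMPLE_RECORD))
```

The point of the Luhn check is that a recognition rule should be precise enough to be trusted in code review and test fixtures: a 16-digit value that fails the checksum is left unclassified rather than triggering a financial-data handling rule, while a credential is recognised from either the field name or the value's PEM header, because a deploy key stored under an innocuous name is still a credential. Keeping the recognition rules and the handling table in one module also gives question 4 (periodic revision) a concrete artefact to version and review.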
Keywords
(street) address, credit card number, data classification, data inventory, Personally Identifiable Information (PII), user data, privacy.