c1-1 (High priority) Confidentiality

Confidential information is identified and protected

Not all data requires the same level of protection, but confidential data requires specific, deliberate controls. Organizations cannot protect what they have not identified. This criterion requires that confidential information is defined and classified, that it can be recognized wherever it exists in the environment, and that appropriate protections are applied based on its classification.

Implementation steps

  1. Define and document data classification levels

    Create a data classification policy with defined levels: for example, Public, Internal, Confidential, and Restricted. Define what types of data fall into each level (Confidential might include customer PII, financial data, health records, credentials, and legal documents). Make the classification criteria specific enough that any employee can determine the correct classification for a given piece of data, and state the rule for mixed content: a record or store that holds data of several categories takes the highest classification among them.

    Tools: confluence, notion, google-docs
  2. Inventory and classify data stores containing confidential information

    Identify every data store that holds confidential data: databases, object storage buckets, file shares, SaaS applications, and backups. Backups and replicas inherit the classification of the source they copy, so they need the same controls as the primary store. For each store, record what classification of data it contains and who or what can access it, and restrict access to the users and services that need it for their function.

    Tools: notion, google-sheets, aws-macie, confluence
  3. Implement access controls and handling requirements for confidential data

    Apply the controls appropriate to each classification level: confidential data should have restricted, need-to-know access, audit logging of every access, and encryption at rest and in transit. Document the handling requirements: how confidential data may be shared, transmitted, and stored, and what is prohibited (for example, copying it into unclassified systems or sharing it with broad groups). Brief employees on the handling requirements for the data they work with.

    Tools: aws-iam, okta, google-workspace, confluence
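The three steps above amount to a handling-requirements matrix applied to a data-store inventory, which is something you can check mechanically rather than by reading spreadsheets. The script below is an added example, not code from the original page or from any of the listed tools: the tiers, the category-to-tier mapping, the required-controls matrix, the broad-principal list and the sample inventory are all constructed assumptions standing in for an organization's real policy and data inventory. It classifies each store by the most sensitive category it holds (an unknown category is an error, not a silent downgrade to Public), then reports which required controls are missing and whether any Confidential-or-higher store is exposed to an "everyone" principal, which violates need-to-know.

```python
"""Evaluate a data-store inventory against classification handling requirements.

Added example for illustration. The policy tables and the inventory are
constructed assumptions, not any organization's real classification scheme.
"""
from dataclasses import dataclass, field

# Classification tiers from least to most sensitive (assumed policy).
TIERS = ["Public", "Internal", "Confidential", "Restricted"]

# Which data categories place a store in which tier (assumed policy mapping).
CATEGORY_TIER = {
    "marketing": "Public",
    "internal-docs": "Internal",
    "customer-pii": "Confidential",
    "financial": "Confidential",
    "legal": "Confidential",
    "health": "Restricted",
    "credentials": "Restricted",
}

# Handling requirements matrix: controls that must be present at each tier.
REQUIRED_CONTROLS = {
    "Public": set(),
    "Internal": {"authn"},
    "Confidential": {"authn", "need_to_know", "access_logging",
                     "encrypt_at_rest", "encrypt_in_transit"},
    "Restricted": {"authn", "need_to_know", "access_logging",
                   "encrypt_at_rest", "encrypt_in_transit",
                   "mfa", "quarterly_access_review"},
}

# Principals that mean "everyone"; never acceptable on Confidential or above.
BROAD_PRINCIPALS = {"*", "all-employees", "authenticated-users"}


@dataclass
class DataStore:
    name: str
    kind: str                       # database, bucket, file share, SaaS app, backup
    categories: list                # data categories the store holds
    controls: set = field(default_factory=set)
    principals: list = field(default_factory=list)


def classify(categories):
    """Return the store's tier: the most sensitive category it holds wins.

    Unknown categories raise instead of defaulting to Public, so an
    inventory typo cannot quietly downgrade a store.
    """
    if not categories:
        raise ValueError("a data store must declare at least one data category")
    tiers = []
    for cat in categories:
        if cat not in CATEGORY_TIER:
            raise ValueError(f"unclassified data category: {cat!r}")
        tiers.append(CATEGORY_TIER[cat])
    return max(tiers, key=TIERS.index)


def evaluate(store):
    """Return (tier, findings) for one store; an empty findings list means compliant."""
    tier = classify(store.categories)
    findings = [f"missing control {c}"
                for c in sorted(REQUIRED_CONTROLS[tier] - store.controls)]
    if TIERS.index(tier) >= TIERS.index("Confidential"):
        for p in store.principals:
            if p in BROAD_PRINCIPALS:
                findings.append(f"broad principal {p!r} violates need-to-know")
    return tier, findings


def audit(inventory):
    """Evaluate every store in the inventory; returns {name: (tier, findings)}."""
    return {s.name: evaluate(s) for s in inventory}


# Constructed sample inventory (not real systems). Note the backup store:
# it copies Confidential data but carries far fewer controls than its source.
INVENTORY = [
    DataStore("orders-db", "database", ["customer-pii", "financial"],
              controls={"authn", "need_to_know", "access_logging",
                        "encrypt_at_rest", "encrypt_in_transit"},
              principals=["orders-service", "data-eng"]),
    DataStore("orders-db-backups", "backup", ["customer-pii", "financial"],
              controls={"authn", "encrypt_in_transit"},
              principals=["backup-service", "all-employees"]),
    DataStore("secrets-vault", "saas", ["credentials"],
              controls={"authn", "need_to_know", "access_logging",
                        "encrypt_at_rest", "encrypt_in_transit", "mfa"},
              principals=["platform-team"]),
    DataStore("public-site-assets", "bucket", ["marketing"],
              principals=["*"]),
]

if __name__ == "__main__":
    for name, (tier, findings) in audit(INVENTORY).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {name:20} {tier:12} {'; '.join(findings)}")
```

Run as a script, it prints one line per store; as a module, `audit()` returns the findings so the same check can feed a ticketing or evidence-collection pipeline. The backup store in the sample is the case that matters most in practice: it was classified correctly only because classification is derived from the data categories it holds, not from what the store was called.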

Evidence required

Data classification policy

Documentation defining data classification levels and handling requirements.

  • Data classification policy with defined tiers and criteria
  • Information security policy with a data handling section
  • Data handling requirements matrix by classification level

Data inventory with classification

Evidence that confidential data has been identified and classified.

  • Data inventory or data flow diagram showing classification
  • AWS Macie or other data discovery scan results
  • Data store inventory with classification and access controls documented

Related controls