Data Management Solutions
Data Classification Solutions
Data classification is a fundamental process for any entity to identify, assign, and understand the sensitivity of its data. This enables the organization to effectively protect and leverage its data. It also helps to determine the risks associated with the data, allowing organizations to manage their data based on its value.
Data classification is the cornerstone for organizing the process of publishing open data, providing public information, and exchanging protected data, including personal data. In turn, this helps raise the standards of societal oversight of public entities’ performance, increase transparency, enhance integrity, and remove unnecessary secrecy from public entity activities by organizing the practice of the right to access or obtain public information.

Data Classification Principles
As a step toward an organized and integrated data environment, data is classified into four levels (top secret, secret, restricted, and public), based on the results of an assessment of the impact of unauthorized disclosure of the data or its content. The assigned level determines the appropriate controls at each data processing stage, from collection to destruction and disposal, according to the following basic principles:
- Data availability is the default
- Necessity and proportionality
- Timely classification
- The highest level of protection
- Separation of duties
- Need-to-know basis
- Principle of least privilege

Do you need help/advice?
Contact us now; our entire team (+110 consultants and experts) will answer all your inquiries.
How Is Data Classified?
To classify an entity’s data, the process begins by identifying all data sets and records and conducting an impact assessment for potential disclosure or unauthorized access. The assigned classification levels are then reviewed.
Data is classified based on a number of processes and procedures defined by the National Data Management Office in the National Data Management and Governance Controls and Specifications and Personal Data Protection document and in accordance with international standards in this field, as follows:

In this stage, the entity identifies all the data sets and records it owns and prepares an inventory list of them, so that the detailed data classification process in the Data Classification Policy issued by the National Data Management Office can be applied. If the entity has created its own automated data catalog tool, it should use it to prepare the list of all its data sets and records.
This stage involves conducting an assessment of the potential impact of disclosing data or accessing it without authorization. The impact assessment process should include the following steps:
- Identify the categories that could be affected among entities, individuals, and the environment.
- Select the level of potential harm for each category from “high,” “medium,” “low,” or “none.”
- Determine the classification levels for data sets and records based on the identified impact level:
  - If the impact level is “high,” the data is classified as “top secret.”
  - If the impact level is “medium,” the data is classified as “secret.”
  - If the impact level is “low,” the data is classified as “restricted.”
  - If the impact level is “none,” the data is classified as “public.”
At this stage, the possibility of classifying low-impact data as “public” instead of “restricted” is studied. The assessment must include the following:
- Consider whether the disclosure of this data conflicts with the laws of the Kingdom of Saudi Arabia, such as the Anti-Cyber Crime Law and the E-Commerce Law.
- Determine the potential benefits of disclosing such data and ensure that these benefits outweigh the negative effects.
If publishing the low-impact data does not violate any current law and its benefits outweigh its negative effects, the entity should classify the low-impact data as public.
In this stage, all classified data sets and records are reviewed to ensure their suitability for the assigned classification level, in accordance with the Data Classification Policy issued by the National Data Management Office.
In this stage, the classification levels assigned to data sets are published as they are in the comprehensive data catalog. The metadata is published according to the process defined in the Metadata and Data Catalog domain.
