Non-functional Requirement - Data Classification

Category: Security

Context: Data Classification

Goals: All data must have an assigned owner or business department and be classified to protect the confidentiality and integrity of the data and to comply with applicable state and federal laws and regulations.

Rationale: Implementing security controls requires data ownership and classification so the appropriate controls can be implemented commensurate with the classification level. Data owners have primary authority and accountability for the data.

Requirement: In addition to state and federal laws, regulations, statutes and contractual agreements, applicable data must have an owner and be classified to Metric.

Metric:

Level A:

A1. Individual elements of the data managed by the system have assigned owners
A2. Each data element of the system has been classified to Scale

Level B:

This Level Intentionally Left Blank

Level C:

This Level Intentionally Left Blank

Level D:

D1. The data managed by the system has an assigned owner
D2. The data managed by the system has been classified as Low, Restricted, or Highly Restricted as defined in <existing internal data classification standard>

Scale:

Data security classification Low, Restricted, or Highly Restricted as defined in <existing internal data classification standard>

Stakeholders: Data Owners, Data Custodians, System Managers, Operations

Implications: If this requirement is not met, the security controls appropriate to the data's classification may not be implemented, which could result in a loss of data integrity or unauthorized exposure.

Applicability: See Enterprise Requirements Framework

Tags: Security, Data Classification

Status: Approved, Requirement

Author: <Author>

Revision: <Revision>


Note:

This NFR covers the classification of data consistent with State and Federal regulations and the assignment of data ownership.

For more information, see NFR Summary