To establish a framework for classifying state data based on its level of sensitivity, value and criticality. Classification of data will aid in determining baseline security controls for the protection of data.
Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the state should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All state data should be classified into one of three sensitivity levels, or classifications:
A. Level 3
Data should be classified as Level 3 when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the state or its citizens. Examples of Level 3 data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Level 3 data.
B. Level 2
Data should be classified as Level 2 when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the state or its citizens. By default, all state data that is not explicitly classified as Level 3 or Level 1 data should be treated as Level 2 data. A reasonable level of security controls should be applied to Level 2 data.
C. Level 1
Data should be classified as Level 1 when the unauthorized disclosure of that data would result in little or no risk to the state and its citizens. Examples of Level 1 data include press releases, information about agency services and research publications. While few or no controls are required to protect the confidentiality of Level 1 data, some level of control is required to prevent unauthorized modification or destruction of Level 1 data.
Applicability
End user training
n/a
Optional
Required
User access
No authentication required
NDGOV accounts only
NDGOV accounts only, Consider MFA
Stored in ITD Datacenter
Shared storage
Shared storage with authentication
Dedicated storage with authentication, consider encryption
Stored in the Cloud (Request CIO Approval for Specific Solution Requirements)
Authentication required, consider encryption
Authentication required, must be encrypted
Stored on Portable Electronic Devices (PDAs, Smart Phones, Tablets, USB/SD portable storage devices)
Authentication required, must have remote wipe capabilities
Device must be encrypted, must use MDM solution, must have remote wipe capabilities if applicable
Stored on Laptop Computers
Authentication required
Laptop must be encrypted
Sent in Email
Include a disclaimer
Must be encrypted, consider secure FTP
Internal Network Transmission
Consider encryption
Must be encrypted
External Network Transmission (Wired and Wireless)
Access from external network
Must use VPN
Must use MFA VPN
Storage retirement/surplus
Must be securely wiped
Must be destroyed
Backup and Archival
Consider Encryption
Must be Encrypted
MFA – Multi Factor Authentication
VPN – Virtual Private Network
FTP – File Transfer Protocol
MDM – Mobile Device Management
North Dakota Attorney General’s Office open records guide - https://attorneygeneral.nd.gov/open-records-meetings/manuals-and-guides
Data Architecture
Enterprise Architecture (EA) interweaves business and IT together. It consists of the vision, principles, and standards that guide the purchases and deployment of technology within the enterprise.