
    Information Assets - Security Assessment

    The SureCloud Data Mapping application includes an information security assessment that considers how to prevent unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of information. This activity is not tied to an explicit EU GDPR requirement, but it reflects information security good practice drawn from ISO 27001. 

    A common model for assessing information assets is the CIA triad, which is used in a number of frameworks including ISO 27001. It focuses on the balanced protection of assets across the three domains of confidentiality, integrity and availability, without impeding the organisation's productivity. 

    For each domain (confidentiality, integrity, availability), the assessor should consider how a loss in that domain would affect the organisation financially, operationally, legally, in regulatory terms and reputationally. 

    SureCloud provides a five-level rating scale, from negligible to critical, for each of the three areas of the triad. It is up to the individual organisation to define what each level means. The definitions can be a single list shared across the three domains, or a separate definition list can be specified for each domain. 

    [Image: CIA_Data_Inventory.png]

    Confidentiality - broadly equivalent to the privacy of the asset: the risk of deliberate or accidental disclosure to someone who should not have it, for example accidentally emailing a file to the wrong person. Controls within this domain concentrate on restricting access to the asset. 

    Integrity - the consistency, accuracy and trustworthiness of the data. For example, an inconsistency in how transactions are written to a database can lead to data integrity issues. Controls within this domain focus on detecting the introduction of error, corruption or manipulation, whether deliberate or accidental. 

    Availability - ensuring that the information and the services that provide it remain accessible when needed. Loss here could stem from problems scaling and maintaining services or from deliberate denial-of-service attacks. Controls within this domain address adequate capacity and resilience to both incidents and attacks. 

    Classification - the internal data classification applied to the document, as defined by the organisation's data classification policy. 
