Data classification 1210

  • Has someone found a simple way to organize and implement data classification and life-cycle management according to the SOX requirement ("Policies and procedures exist for the handling, distribution and retention of data and reporting output")?
    I wonder up to which level, and with which method, we should classify data to be compliant with SOX.
    Is an application-by-application approach enough to work?
    More precisely, can we follow these steps:

    1. Identify key applications
    2. Identify key users of these applications
    3. Define success criteria, as measured by application availability, recovery and performance
    4. Consider including e-mail and databases because they support visible, critical applications (audit trail), based on the same criteria (availability, recovery and performance)
    5. Define security controls to implement
    6. Apply controls (migrate data, restrict access, assign appropriate retention and retrieval options…)

    Or do we have to define data classification according to the business organization, and afterwards implement security requirements according to the new data classification on both structured and unstructured data? If the answer is yes, this sounds like a huge IT and/or business job to identify the data class of unstructured data.
    Some examples of the way you handled that control would be precious.
