Our organisation is developing a new 'Information Security Classification Standard'. This Standard will define three (3) security classification levels. These are 'OFFICIAL, SENSITIVE and PROTECTED'.
That part is fine; however, I would like to develop a 'Control Matrix' that maps controls commensurate with the security classification. This will allow someone to easily ascertain which control is required for each individual classification level.
This will also assist us in undertaking risk assessments (determining which controls to include in the scope of the assessment).
Does anyone know of a security classification control matrix or mapping? - Perhaps NIST, ISM? - We operate an ISO 27001 based ISMS.
Thanks for your help.
Usually security classification is seen in the government space.
Might want to take a look at the control set used for NIST SP 800-53, which is the control set used for FISMA/RMF. There are cross-mappings from 800-53 to 27002.
Check out the auditscripts.com mapping tools and Excel spreadsheets. They have a bunch of them, and they compare controls across many different standards. Here is just one of them:
It may also be worth considering classifying assets not just in terms of confidentiality, as loss of confidentiality is only part of the picture. A lot of the controls you'll find in SP 800-53 and 27002 aren't specifically about protecting confidentiality. To give a practical example, most online retailers do the majority of their business from Black Friday through the Christmas and New Year period, and obviously an outage rendering their sites unavailable during that period would have a significant business impact. So you'd be looking at CDNs, elastic resources, WAF and DDoS protections as some of the controls to counter the availability risk. Similarly, come sales time you'd really hope that there was integrity in price update mechanisms and you didn't discount the wrong lines heavily.
This Standard will define three (3) security classification levels. These are 'OFFICIAL, SENSITIVE and PROTECTED'.
I've come to avoid "classification" as a stand-alone word because it has disparate meanings across disciplines. For example, our network team uses it to mean "fault tolerance", whereas our backup team uses it to mean "backup frequency" and us security types tend to mean "confidentiality". To promote a greater understanding across all of I.T. I would encourage you to find a more descriptive term for your scale, such as "Data Confidentiality".
It may also be worth considering classifying assets not just in terms of confidentiality...
I've been contemplating that classification might well be measured in the three CIA dimensions, i.e. an online store would classify as "low confidentiality, normal integrity, high availability"; released Sarbanes-Oxley data would be "low c, high i, normal a"; and PII would be "high c, normal i, low a".
This makes it much easier to map classification to control. For example, A.12.1.2 - Change Control is more relevant when there are high integrity or high availability requirements but is not much impacted by confidentiality.
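The per-dimension control matrix sketched above, as an added example written for this thread (not code from any poster or standard). It assumes a three-step scale per CIA dimension, maps the confidentiality step onto the OFFICIAL/SENSITIVE/PROTECTED labels as an assumed convention, and uses hypothetical control references (prefixed X-) for everything except A.12.1.2, which the thread names.

```python
"""Map CIA ratings of assets to the controls they require (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Ordinal scale per dimension; "normal" is the middle step as in the thread.
LEVELS = {"low": 0, "normal": 1, "high": 2}

# Assumed mapping of the confidentiality step onto the three proposed labels.
LABELS = {"low": "OFFICIAL", "normal": "SENSITIVE", "high": "PROTECTED"}


@dataclass(frozen=True)
class Control:
    ref: str
    name: str
    # Minimum rating per dimension at which the control becomes required;
    # None means the control is not driven by that dimension.
    c: Optional[str] = None
    i: Optional[str] = None
    a: Optional[str] = None

    def applies(self, rating: Dict[str, str]) -> bool:
        # A control is in scope if ANY driving dimension meets its threshold,
        # e.g. change management is relevant for high integrity OR high availability.
        for dim, threshold in (("c", self.c), ("i", self.i), ("a", self.a)):
            if threshold is not None and LEVELS[rating[dim]] >= LEVELS[threshold]:
                return True
        return False


# The matrix itself. Only A.12.1.2 is a real reference from the thread;
# the X- entries are hypothetical placeholders for illustration.
MATRIX: List[Control] = [
    Control("A.12.1.2", "Change management", i="high", a="high"),
    Control("X-ENC", "Encryption at rest (hypothetical)", c="normal"),
    Control("X-ACC", "Privileged access review (hypothetical)", c="high"),
    Control("X-DDOS", "CDN / DDoS protection (hypothetical)", a="high"),
]


def confidentiality_label(rating: Dict[str, str]) -> str:
    return LABELS[rating["c"]]


def required_controls(rating: Dict[str, str]) -> List[str]:
    return [ctl.ref for ctl in MATRIX if ctl.applies(rating)]


def assessment_scope(assets: Dict[str, Dict[str, str]]) -> Set[str]:
    """Union of controls over all assets: the scope of one risk assessment."""
    return {ref for rating in assets.values() for ref in required_controls(rating)}
```

Feeding the three assets from the reply above (online store, Sarbanes-Oxley data, PII) yields change management for the first two, the confidentiality-driven controls only for the PII, and the union as the assessment scope.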