An important task for defining the needed security for a system or data is to first understand the nature of the data used in a system. Take this opportunity to discuss the sensitivity of the data, and then create a data classification to be used by the organization, and specify the class of data in the systems used by the organization. In addition, security practitioners should be aware of any legal requirements that the company might be subjected to. You will describe at least 1 law or regulation and 1 standard that would apply to the organization, and discuss how they apply. Finally, you need to be able to test and measure how well security is implemented and followed. Describe how controls can be created to enforce the requirements and how auditing can validate the effectiveness of the controls.
This will be included in the Regulations and Information Classification section of the Data Security, Quality, and Integrity document.
New content for Section 2: Regulations and Information Classification
Creation of a data classification scheme (include at least 3 levels)
A discussion about the sensitivity and mapping of the data into the data classification scheme (include at least 3 different typical systems that your organization uses)
A description of 1 regulation that the organization would need to follow
A description of 1 framework that the organization would implement
A discussion about audit controls and how to use them to test the effectiveness of the security implementation
You should provide at least 4-5 pages of discussion for this information added to your Data Security, Quality, and Integrity document.