Classification levels
-
The field/metadata "Importance" contains some classification values (Personal data, Confidential, ...) and importance values (Normal, High, ...) all mixed. The need for a new field "Classification" seems to be important to separate both meanings (Importance and Classification/Dissemination). Here are the proposed values:
| Diffusion | Value | Rules |
|---|---|---|
| Civilian | Not Classified (default) | |
| | C1 - Internal Use | B |
| | C2 - Restricted Distribution | |
| | C3 – Secret / Confidential | A |
| Military (FR) | Restricted Distribution | |
| | Secret-Defense | A |
| | Top Secret-Defense | A |

The NATO and TLP (CISA - Cybersecurity & Infrastructure Security Agency) classifications will be added to these lists if necessary.
-
Data classification will be introduced in GoFAST 4.2; we added the U.S. CISA TLP standard and are considering adding the EU classified information (EUCI) scheme, which is:
- TRÈS SECRET UE/EU TOP SECRET: the unauthorised disclosure of this information could cause exceptionally grave prejudice to the essential interests of the EU or one or more of the member states.
- SECRET UE/EU SECRET: the unauthorised disclosure of this information could seriously harm the essential interests of the EU or one or more of the member states.
- CONFIDENTIEL UE/EU CONFIDENTIAL: the unauthorised disclosure of this information could harm the essential interests of the EU or one or more of the member states.
- RESTREINT UE/EU RESTRICTED: the unauthorised disclosure of this information could be disadvantageous to the interests of the EU or one or more of the member states.
-
NIST classification could also be considered:
- Restricted
- Confidential
- Public
but this is more or less what we introduced in the "Civilian" section. NIST just doesn't have the C1 - Internal Use.
-
@cpotter
Indeed, we use the EUCI scheme, and for non-classified information we would apply
- Public
- Institutional USE (default) (well, for you that would be "CEO-Vision use")
- SENSITIVE
But that would not be a classification but a Criticity in GoFAST metadata. In terms of classification it is just unclassified; or perhaps one would add a TLP as information about sharing with third parties
-
I agree, there is now an overlap in "Criticity" and "Classification"
| Classification | Criticity |
|---|---|
| Civilian | Confidential Data |
| NC - Not Classified / Public | Internal Distribution |
| C1 - Internal Use | Personal data |
| C2 - Restricted Distribution | Critical |
| C3 – Secret / Confidential | High |
| | Normal |
| | Low |

In our current view, "Confidential data" and "Internal Distribution" should be deleted to avoid overlap with the new "Classification" metadata.
In your use case you could use NC for your "Public" documents, C1 for your Institutional use and C2 for Sensitive (we could perhaps rename "C2 - Restricted Distribution" to "C2 - Restricted / Sensitive").
Does this make sense?
-
Hello,
Just to inform you that the European Union classification has been added in the 4.2.0_HOTFIX_1.0 release:
Raphaël.