Data Classification

The process of assessing the value of information to the business and assigning it to a classification level (such as protected, public, or top secret) based on the impact to the business should the data be obtained by unauthorized individuals.

Cloud Controls Matrix (CCM) Data

DG-02 | Data Governance | Classification

Control Specification

Data, and objects containing data, shall be assigned a classification based on data type, jurisdiction of origin, jurisdiction domiciled, context, legal constraints, contractual constraints, value, sensitivity, criticality to the organization and third party obligation for retention and prevention of unauthorized disclosure or misuse.

Architectural Relevance

Physical: False
Network: False
Compute: True
App: True
Data: True

Corp Gov Relevance

Corp Gov Relevance: True

Cloud Service Delivery Model Applicability

SaaS: True
PaaS: True
IaaS: True

Supplier Relationship

Service Provider: True
Tenant / Consumer: True

Scope Applicability

COBIT 4.1: PO 2.3, DS 11.6
HIPAA / HITECH Act: (no entry)
ISO/IEC 27001-2005: A.7.2.1
NIST SP800-53 R3: RA-2, AC-4
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 RA-2
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 RA-2, NIST SP 800-53 R3 AC-4
PCI DSS v2.0: 9.7.1, 9.10, 12.3
BITS Shared Assessments SIG v6.0: D.1.3, D.2.2
BITS Shared Assessments SIG v5.0: (no entry)
GAPP (Aug 2009): 1.2.3, 1.2.6, 4.1.2, 8.2.1, 8.2.5, 8.2.6
Jericho Forum: Commandment #9
NERC CIP: CIP-003-3 - R4 - R5

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Data Governance (DG) | ID #DG-02.1

Do you provide a capability to identify virtual machines via policy tags/metadata (ex. Tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?

Compliance Mapping

COBIT: COBIT 4.1 PO 2.3, DS 11.6
HIPAA: (no entry)
ISO27001: A.7.2.1
SP800_53: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
FedRAMP: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
PCI_DSS: PCI DSS v2.0 9.7.1, PCI DSS v2.0 9.10, PCI DSS v2.0 12.3
BITS: SIG v6.0: D.1.3, D.2.2
GAPP: GAPP Ref 1.2.3, GAPP Ref 1.2.6, GAPP Ref 4.1.2, GAPP Ref 8.2.1, GAPP Ref 8.2.5, GAPP Ref 8.2.6

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Data Governance (DG) | ID #DG-02.2

Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?

Compliance Mapping

COBIT: COBIT 4.1 PO 2.3, DS 11.6
HIPAA: (no entry)
ISO27001: A.7.2.1
SP800_53: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
FedRAMP: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
PCI_DSS: PCI DSS v2.0 9.7.1, PCI DSS v2.0 9.10, PCI DSS v2.0 12.3
BITS: SIG v6.0: D.1.3, D.2.2
GAPP: GAPP Ref 1.2.3, GAPP Ref 1.2.6, GAPP Ref 4.1.2, GAPP Ref 8.2.1, GAPP Ref 8.2.5, GAPP Ref 8.2.6

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Data Governance (DG) | ID #DG-02.3

Do you have a capability to use system geographic location as an authentication factor?

Compliance Mapping

COBIT: COBIT 4.1 PO 2.3, DS 11.6
HIPAA: (no entry)
ISO27001: A.7.2.1
SP800_53: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
FedRAMP: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
PCI_DSS: PCI DSS v2.0 9.7.1, PCI DSS v2.0 9.10, PCI DSS v2.0 12.3
BITS: SIG v6.0: D.1.3, D.2.2
GAPP: GAPP Ref 1.2.3, GAPP Ref 1.2.6, GAPP Ref 4.1.2, GAPP Ref 8.2.1, GAPP Ref 8.2.5, GAPP Ref 8.2.6

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Data Governance (DG) | ID #DG-02.4

Can you provide the physical location/geography of storage of a tenant's data upon request?

Compliance Mapping

COBIT: COBIT 4.1 PO 2.3, DS 11.6
HIPAA: (no entry)
ISO27001: A.7.2.1
SP800_53: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
FedRAMP: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
PCI_DSS: PCI DSS v2.0 9.7.1, PCI DSS v2.0 9.10, PCI DSS v2.0 12.3
BITS: SIG v6.0: D.1.3, D.2.2
GAPP: GAPP Ref 1.2.3, GAPP Ref 1.2.6, GAPP Ref 4.1.2, GAPP Ref 8.2.1, GAPP Ref 8.2.5, GAPP Ref 8.2.6

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Data Governance (DG) | ID #DG-02.5

Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?

Compliance Mapping

COBIT: COBIT 4.1 PO 2.3, DS 11.6
HIPAA: (no entry)
ISO27001: A.7.2.1
SP800_53: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
FedRAMP: NIST SP800-53 R3 RA-2, NIST SP800-53 R3 AC-4
PCI_DSS: PCI DSS v2.0 9.7.1, PCI DSS v2.0 9.10, PCI DSS v2.0 12.3
BITS: SIG v6.0: D.1.3, D.2.2
GAPP: GAPP Ref 1.2.3, GAPP Ref 1.2.6, GAPP Ref 4.1.2, GAPP Ref 8.2.1, GAPP Ref 8.2.5, GAPP Ref 8.2.6

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True