191 Data Classification Standard
STATE OF WISCONSIN
DEPARTMENT OF ADMINISTRATION
Tony Evers, Governor
Kathy Blumenfeld, Secretary
Trina Zanow, Division Administrator
Effective Date: 08/01/2023
Data classification, in the context of information security, is the classification of data based on its
level of sensitivity and the impact on the State if that data is disclosed, altered, or destroyed
without authorization. The classification of data helps determine what baseline security controls
are appropriate to safeguard that data. Executive Branch Agencies are to develop policies,
procedures, or processes for their own State information and systems to protect State
information, where applicable.
Standard
All information assets managed by Executive Branch Agencies must be identified, categorized, and
labeled. Some examples of data labels include Classified, Restricted, Sensitive, Public, Protected, or
Confidential. These labels are determined by the impact level of high, moderate, low, or none as
determined by the Executive Branch Agencies and based on the three principles of security: 1)
confidentiality, 2) integrity, and 3) availability. Classified information assets have a high impact level,
restricted information assets have a moderate impact level, and sensitive and public information assets
have low impact levels. Information assets that have data at multiple classifications must be
identified, categorized, and labeled as the highest identified classification level. Agencies are to
reflect their controls through the quarterly reporting process to DOA-DET.
See the table below for one example of the confidentiality principle of data classification.
Classification: Classified or Confidential
Adverse Business Impact: High
Description: Any data where the unauthorized disclosure, alteration, loss, or destruction may cause personal or organizational financial loss or the unauthorized release of which would be a violation of a statute, act or law; constitute a violation of confidentiality agreed to as a condition of possessing or producing or transmitting data; cause significant reputational harm to the organization; or require the organization to self-report to the U.S. government and/or provide a public notice if the data is inappropriately accessed.
Examples (not an exhaustive list):
Subject to regulatory or compliance requirements (e.g., FTI, HIPAA, IRS, DMCA, PCI, PHI, PII, etc.).
Data with contractual language requiring a confidential or high classification level of information/data.
Information assets at this level must limit access to authorized individuals only and must employ encryption of data at rest, in use, and in transit (AC-21).

Classification: Restricted
Adverse Business Impact: Moderate
Description: Any data, if released to unauthorized individuals, could have a mildly adverse impact on the organization’s mission, safety, finances, or reputation. Data not specifically identified in another level is categorized as a “Moderate Risk”.
Examples (not an exhaustive list):
Information assets at this level can be shared with individuals external to the agency and do not require encryption of data at rest or in use (AC-21).

Classification: Sensitive
Adverse Business Impact: Low
Description: Any data where the unauthorized disclosure, alteration, loss, or destruction would have a low impact on the mission, safety, finances, or reputation of the organization.
Examples (not an exhaustive list):
Information assets at this level can be shared with individuals external to the agency and do not require encryption of data at rest, in use, or in transit (AC-21).

Classification: Public
Adverse Business Impact: Insignificant
Description: Data that if breached owing to accidental or malicious activity would have an insignificant impact on the organization’s activities and objectives.
Examples (not an exhaustive list):
Information assets at this level can be shared publicly and do not require encryption of data at rest, in use, or in transit (AC-21).

Definitions
Executive Branch Agency - State of Wisconsin legislatively defined Departments and all customers of
DET services, equipment, and/or technologies.
State information - Any information that is created, accessed, used, stored, or transmitted by an
Executive Branch Agency.
State information systems and system environments - All equipment or services used to input, store,
process, transmit, and output information, including, but not limited to network devices, servers,
databases, printers, Internet, email, physical, virtual, cloud, and applications accessible to and/or
managed by the agency.
Information Asset – All information and information systems and environments that have value to
an organization.
Compliance References
IRS Pub. 1075
NIST 800-53 Revision 5
NIST 800-60 Vol 1 and 2
FIPS 199
Exception Process
Exceptions to any Executive Branch Agency’s Security Policies or Standards must follow the Executive
Branch Risk Exception Procedure.
Document History/Owner
This standard was developed as required by the State of Wisconsin Information Technology Security
Policy Handbook, under the authority of Wisconsin State Statute 16.971.
This standard is effective upon approval and publication until retired. Revisions and updates continue
the effective date by documenting required changes over time.
Ownership for this standard is assigned to DOA, DET Bureau of Security. As such, the DOA, DET Bureau
of Security is responsible for the maintenance, update(s), and review of this document annually before
the anniversary of the effective date.
Version #: 1.0
Revision or Review Date: 10/29/19
Description of Change(s): Reviewed with Agency Security Officers and feedback collected. Planning for making revisions.
Reviewer/Author: Bureau of Security
Date Approved: 10/29/19

Version #: 2.0
Revision or Review Date: 11/03/20
Description of Change(s): Reviewed with Agency Security Officers and IT Directors and changes were incorporated
Reviewer/Author: Reviewer: WI ISAC/ITDC; Author: DOA/DET/BOS
Date Approved: 11/11/20

Version #: 3.0
Revision or Review Date: 06/24/22
Description of Change(s): Reviewed with Agency Security Officers and IT Directors and changes were incorporated
Reviewer/Author: Reviewer: WI ISAC/ITDC; Author: DOA/DET/BOS
Date Approved: 06/24/22

Version #: 4.0
Revision or Review Date: 07/14/23
Description of Change(s): Reviewed with Agency Security Officers and IT Directors and changes were incorporated
Reviewer/Author: Reviewer: WI ISAC/Enterprise IT; Author: DOA/DET/BOS
Date Approved: 08/01/23

NOTE: Keep only the origination and the last 10 years of update information. Only notate prior three
revisions. Include only interim/final revision statuses.