Data Classification & Protection Needs

The central task for a threat-risk-assessment is the classification of data which is stored/processed in a zone and transmitted between zones via conduits.
This classification is done in two steps:

Identification of the data available in your system.
Classification of the data, i.e., determination of the protection needs of the identified data classes.

Data Identification

Data class Abbrev. Description

Configuration Data CD Configuration data is located on the devices used to build automation infrastructures and systems

Log Data central LD Log data stored on a central Syslog server

Log Data onboard LO Log data available on the device, logging can be configured

Application Data AD Application data is located on the devices

Process Data PD Process data transferred between the devices and processed there

System Data SD System data (access data, keys, certificates) located on the devices

Recipe Data RD Recipes (which may also include proprietary data and trade secrets)

Parameter Data PAD Variable values (e.g., min, max)

Backup Data BD Backed-up data

Data class	Abbrev.	Description
Configuration Data	CD	Configuration data is located on the devices used to build automation infrastructures and systems
Log Data central	LD	Log data stored on a central Syslog server
Log Data onboard	LO	Log data available on the device, logging can be configured
Application Data	AD	Application data is located on the devices
Process Data	PD	Process data transferred between the devices and processed there
System Data	SD	System data (access data, keys, certificates) located on the devices
Recipe Data	RD	Recipes (which may also include proprietary data and trade secrets)
Parameter Data	PAD	Variable values (e.g., min, max)
Backup Data	BD	Backed-up data

Data Classification (Protection Needs)

Based on the identified data classes, the protection needs can be determined. This classification is made under three aspects:

A = Availability
I = Integrity
C = Confidentiality

Note
The data classification may vary from company to company. The classes listed below are examples.

Protection objective: Availability
To what extent must the information and processing functions be accessible to authorized users / resources, or what downtime is tolerable to the maximum?

Level Description

1 - Negligible The processing of the information can be postponed for up to several days or can be carried out manually for this period of time without significant damage being incurred.

2 - Moderate The processing of the information may be up to one day or may be performed manually for that period without major damage.

3 - Serious The processing of information may fail only rarely and for short periods of time (up to 4 hours). Otherwise, high damage is to be expected.

4 - Critical The processing of the information must basically be continuous and may only fail for a very short period of time, not exceeding one hour. Otherwise (in case of failure for more than one hour) very high damages are to be expected.

Level	Description
1 - Negligible	The processing of the information can be postponed for up to several days or can be carried out manually for this period of time without significant damage being incurred.
2 - Moderate	The processing of the information may be up to one day or may be performed manually for that period without major damage.
3 - Serious	The processing of information may fail only rarely and for short periods of time (up to 4 hours). Otherwise, high damage is to be expected.
4 - Critical	The processing of the information must basically be continuous and may only fail for a very short period of time, not exceeding one hour. Otherwise (in case of failure for more than one hour) very high damages are to be expected.

Protection objective: Integrity
To what extent must uncontrolled changes and deliberate manipulation be prevented, or must the (machine) processing work flawlessly and reliably? To what extent must the actions of the users or the generation of the information be traced?

Level Description

1 - Negligible Deliberate or unintentional falsification of the processed information or information loss does not result in any significant damage. If the processed information is incomprehensible, no significant damage is to be expected.

2 - Moderate Intentional or unintentional falsification of the processed information or loss of information can cause only medium damage. If the processed information is not bindingly traceable or provable to third parties, only medium damages can occur.

3 - Serious Deliberate or unintentional falsification of the processed information or loss of information can cause serious damage. If the processed information is not legally binding or provable to a third party, it can cause serious damage.

4 - Critical Intentional or unintentional falsification of the processed information or loss of information can cause very high damage. If the processed information is not legally binding or provable to third parties, it can cause very high damages.

Level	Description
1 - Negligible	Deliberate or unintentional falsification of the processed information or information loss does not result in any significant damage. If the processed information is incomprehensible, no significant damage is to be expected.
2 - Moderate	Intentional or unintentional falsification of the processed information or loss of information can cause only medium damage. If the processed information is not bindingly traceable or provable to third parties, only medium damages can occur.
3 - Serious	Deliberate or unintentional falsification of the processed information or loss of information can cause serious damage. If the processed information is not legally binding or provable to a third party, it can cause serious damage.
4 - Critical	Intentional or unintentional falsification of the processed information or loss of information can cause very high damage. If the processed information is not legally binding or provable to third parties, it can cause very high damages.

Protection objective: Confidentiality
To what extent must unauthorized access to information and unauthorized disclosure and disclosure be prevented?

Level Description

1 - Negligible The processed information can be brought to the attention of anyone without significant damage or are explicitly intended for publication.

2 - Moderate Information is processed whose access is restricted to authorized persons. If the information is disclosed to unauthorized persons, only moderate damage is to be expected.

3 - Serious Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, high damages are to be expected.

4 - Critical Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, I can expect very high damages.

Level	Description
1 - Negligible	The processed information can be brought to the attention of anyone without significant damage or are explicitly intended for publication.
2 - Moderate	Information is processed whose access is restricted to authorized persons. If the information is disclosed to unauthorized persons, only moderate damage is to be expected.
3 - Serious	Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, high damages are to be expected.
4 - Critical	Information is processed whose access is restricted to authorized persons. If the information becomes known to unauthorized persons, I can expect very high damages.