Establishing data requirements and data sensitivity levels is a very important step in determining many of the technical requirements of the system and the security controls that should be implemented. The owners of the data must be identified and the data owners should determine the security needs of the data. The data owner would be the party that is liable if data is compromised.
There are three considerations that should be applied to data. Those are:
Confidentiality - How significant is the need to prevent unauthorized access to the data so third parties do not have access to the data? If there is a need to prevent unauthorized access to the data, the data is sensitive and should be categorized into a level of sensitivity with appropriate security controls according to that level of sensitivity.
Integrity - How significant is the need to prevent accidental or deliberate inaccurate changes to the data?
Availability - How significant is the need for authorized users to be able to access the data? How long can data access be lost before the business function is disrupted?
Data should be classified at one of three levels, such as low, moderate, or high, for each of the three categories listed above. Questions to help establish data requirements include:
What type of data will the system contain?
Is any data stored by the system of a sensitive nature? Does it contain credit card numbers, social security numbers, driver's license numbers, Federal employer identification numbers or other sensitive data? If it contains any of these, the data sensitivity requirements should be high.
What will be the sources of data that the system collects? Who enters it or does it come from other systems? Identify user groups, administrators or systems the data comes from and what data comes from various sources.
What data is sent by the system to other systems?
If data confidentiality is compromised, what is the potential damage to the business? Does it cause legal problems, liability problems, or problems with customer relations?
If data is incorrectly modified accidentally or deliberately, what potential damage could happen? Could inaccurate changes to data be detected?
What are the conditions under which data can be deleted? What laws apply regarding data deletion or destruction?
What are the legal requirements for data retention?
How much storage is required by the data or database?
How fast are the data needs expected to grow? (megabytes per month)
What types of data will be stored and at what locations? (graphic files, spatial imaging files, video, text, etc.)
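
As an added example (not part of the original text), one way to answer the question of whether stored data contains sensitive identifiers is to scan sample records, raising the data owner's confidentiality rating to high on any hit. The patterns assume US formats, and `Classification`, `classify` and the sample rows are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass, replace
# US formats assumed. Driver's license formats vary by state and are not covered.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that are not payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Return the kinds of sensitive identifier present in one field value."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    if EIN_RE.search(text):
        kinds.add("ein")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            kinds.add("credit_card")
    return kinds

@dataclass(frozen=True)
class Classification:  # hypothetical record: one level per category
    confidentiality: str
    integrity: str
    availability: str

def classify(records, owner_rating):
    """Raise confidentiality to high when sampled records hold sensitive identifiers."""
    found = set()
    for rec in records:
        for value in rec.values():
            found |= find_sensitive(str(value))
    if found:
        owner_rating = replace(owner_rating, confidentiality="high")
    return owner_rating, found

# Constructed sample rows (test card number, made-up SSN and order id).
SAMPLE = [
    {"name": "A. Example", "note": "card 4111 1111 1111 1111 on file"},
    {"name": "B. Example", "tax_id": "123-45-6789", "order": "1234567890123456"},
]
print(classify(SAMPLE, Classification("moderate", "moderate", "low")))
```

The 16-digit order id in the second row fails the Luhn check and is not reported as a card number, which keeps ordinary numeric identifiers from inflating the rating.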