
The IT Security Cookbook - Information Classification


Information of different types needs to be secured in different ways. Therefore a classification system is needed, whereby information is classified, a policy is laid down on how to handle information according to its class, and security mechanisms are enforced on the systems handling that information accordingly.

In the coming sections, classes for information availability and sensitivity are proposed; requirements for systems based on these classes are proposed in chapter 5.

4.1 Availability classification

Here a classification system is proposed which has four availability classes. It is based on the author's experience, as no equivalent standards are available for reference.

To improve availability, preventative measures reduce the probability of downtime and recovery measures reduce the downtime after an incident.

Class                                        1             2             3             4
Maximum allowed server downtime, per event   1 week        1 day         1 hour        1 hour
On which days?                               Mon-Fri       Mon-Fri       Mon-Fri       7 days
During what hours?                           07:00-18:00   07:00-18:00   07:00-18:00   24h
Expected availability percentage             80%           95%           99.5%         99.9%
==> expected max. downtime                   1 day/week    2 hours/week  20 min/week   12 min/month

The last row is the downtime budget implied by the availability percentage over the class's service window (not over the whole calendar), rounded. Note that for class 4, where the window is 24 hours on 7 days, 99.9% works out to about 10 minutes per week, i.e. roughly 43 minutes per month rather than 12.
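To make the table usable in practice, the following added example (not code from the cookbook) encodes the four classes as service windows plus targets, and checks a constructed outage log against both limits the table imposes: the cumulative percentage, counted only inside the service window, and the maximum downtime per event. The assumption that the 07:00-18:00 window applies to classes 1 to 3, the review period and the outage list are all constructed for illustration.

```python
"""Check an outage record against the four availability classes.

Added example, not part of the IT Security Cookbook. The class definitions
follow the table above; the assumption that 07:00-18:00 is the window for
classes 1-3 and the outage log are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class AvailabilityClass:
    name: str
    days_per_week: int       # 5 = Mon-Fri, 7 = every day
    window_start: time       # start of the daily service window
    window_hours: float      # length of the daily window (24 = round the clock)
    availability: float      # target, e.g. 0.995 for 99.5%
    max_event_hours: float   # maximum allowed downtime per single event


# Assumption: the 07:00-18:00 window applies to the first three classes.
CLASSES = {
    "1": AvailabilityClass("1", 5, time(7, 0), 11, 0.80, 7 * 24),   # 1 week per event
    "2": AvailabilityClass("2", 5, time(7, 0), 11, 0.95, 24),       # 1 day per event
    "3": AvailabilityClass("3", 5, time(7, 0), 11, 0.995, 1),       # 1 hour per event
    "4": AvailabilityClass("4", 7, time(0, 0), 24, 0.999, 1),       # 1 hour per event, 24x7
}


def _window_minutes(cls, start, end):
    """Minutes of the interval [start, end) that fall inside the class's service window."""
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() < cls.days_per_week:        # Monday == 0, so Mon-Fri is < 5
            w_start = datetime.combine(day, cls.window_start)
            w_end = w_start + timedelta(hours=cls.window_hours)
            overlap = min(end, w_end) - max(start, w_start)
            if overlap > timedelta(0):
                total += overlap.total_seconds() / 60
        day += timedelta(days=1)
    return total


def downtime_budget_minutes(cls, period_start, period_end):
    """Allowed downtime in the period: (1 - target) x minutes of service window in the period."""
    return (1 - cls.availability) * _window_minutes(cls, period_start, period_end)


def evaluate(cls, outages, period_start, period_end):
    """Report whether the outages in [period_start, period_end) meet the class.

    outages: list of (start, end) datetimes. Downtime counts only inside the
    service window; the per-event limit is measured wall-clock, since the
    table states it per event, not per window.
    """
    window = _window_minutes(cls, period_start, period_end)
    downtime = sum(
        _window_minutes(cls, max(s, period_start), min(e, period_end))
        for s, e in outages
        if e > period_start and s < period_end
    )
    longest_event_hours = max(((e - s).total_seconds() / 3600 for s, e in outages), default=0.0)
    availability = 1 - downtime / window if window else 1.0
    return {
        "class": cls.name,
        "window_minutes": window,
        "downtime_minutes": downtime,
        "availability": availability,
        "meets_percentage": availability >= cls.availability,
        "meets_per_event": longest_event_hours <= cls.max_event_hours,
    }


# Constructed outage log for one review week, Mon 2024-03-04 to Mon 2024-03-11 (exclusive).
PERIOD = (datetime(2024, 3, 4), datetime(2024, 3, 11))
OUTAGES = [
    (datetime(2024, 3, 5, 9, 0), datetime(2024, 3, 5, 10, 30)),    # Tue, inside office hours
    (datetime(2024, 3, 6, 17, 30), datetime(2024, 3, 6, 19, 0)),   # Wed, straddles the 18:00 boundary
    (datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 5, 0)),      # Sat night: only class 4 counts it
]

if __name__ == "__main__":
    for cls in CLASSES.values():
        print(round(downtime_budget_minutes(cls, *PERIOD), 1), "min budget ->", evaluate(cls, OUTAGES, *PERIOD))
```

With this log the service would pass classes 1 and 2 but fail class 3 on both counts (about 96.4% inside office hours against a 99.5% target, and a 3-hour Saturday event against a 1-hour limit); under class 4 the weekend outage counts as well. The weekly budgets the code derives are 11 hours, 2.75 hours, 16.5 minutes and about 10 minutes respectively, which is where the rounded figures in the table's last row come from.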

4.2 Sensitivity classification

A classification system is proposed which classifies information and processes into four levels. The lowest is for the least sensitive and the highest for the most important information and processes.

4.2.1 Concepts

  • All data has an owner.
  • The data or process owner must classify the information into one of the security levels, depending on legal obligations, costs, corporate policy and business needs.
  • If the owner is not sure at what level data should be classified, use level .
  • The owner must declare who is allowed access to the data.
  • The owner is responsible for this data and must secure it, or have it secured (e.g. via a security administrator), according to its classification.
  • All documents should be classified, and the classification level should be written on at least the title page.

Once the data on a system has been classified to one of the following levels, then that system should be installed to conform to all directives for that class and classes below. Each level is a superset of the previous level. For example, if a system is classified as class , then the system must follow the directives of class , and .

If a system contains data of more than one sensitivity class, it must be classified according to the class required for the most confidential data on the system.

4.2.2 Class : Public / non classified information

Data on these systems could be made public without any implications for the company (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable risk.

Examples: Test services without confidential data, certain public information services, product brochures widely distributed, data available in the public domain anyway.

4.2.3 Class : Internal information

External access to this data is to be prevented, but should this data become public, the consequences are not critical (e.g. the company may be publicly embarrassed). Internal access is selective. Data integrity is important but not vital.

Examples of this type of data are found in development groups (where no live data is present), certain production public services, certain customer data, "normal" working documents and project/meeting minutes, and telephone directories.

4.2.4 Class : Confidential information

Data in this class is confidential within the company and protected from external access. If such data were to be accessed by unauthorised persons, it could influence the company's operational effectiveness, cause an important financial loss, provide a significant gain to a competitor or cause a major drop in customer confidence. Data integrity is vital.

Examples: salaries, personnel data, accounting data, passwords, information on corporate security weaknesses, very confidential customer data and confidential contracts. Datacenters normally maintain this level of security.

4.2.5 Class : Secret information

Unauthorised external or internal access to this data would be critical to the company. Data integrity is vital. The number of people with access to this data should be very small. Very strict rules must be adhered to in the usage of this data.

Examples: Military data, secret contracts.
