
SID-ORG-08 — Information Classification and Labelling

Property     | Value
Owner        | operator
Category     | policy
CSF Function | identify
Group        | Governance and Policy Controls

Description

Classify and label all information assets handled in the wallet deployment according to a documented classification scheme.

Implementation requirements:

  (1) Classification scheme: establish at minimum four levels (Public, Internal, Confidential, Restricted) with definitions aligned to GDPR categories (personal data, special-category data) and eIDAS credential sensitivity.
  (2) Asset inventory: maintain an information asset register covering wallet user PII (email, device keys), credential claims, tenant configuration, audit logs, cryptographic key material, and biometric data (FaceTec). Each entry MUST include classification level, storage location, and protection controls.
  (3) Labelling: operational data stores (PostgreSQL tables, S3 buckets, backup volumes) MUST be tagged with their classification level in the infrastructure inventory/IaC.
  (4) Handling rules: document the permitted handling per classification (encryption-at-rest required for Confidential and above, access restricted to named roles, retention limits per GDPR Art 5(1)(e)).
  (5) Annual review: the asset register is reviewed and updated at least annually and after significant architecture changes.

Note: The platform implements technical classification via SD-JWT selective disclosure (SID-DATA-01) and mDOC element-level disclosure (SID-DATA-02). This control covers the operator-side asset inventory and labelling process.

Review criteria: documented classification scheme, populated asset register, infrastructure tags evidenced, handling rules documented.
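As an added example (not part of this control page or the platform's own code), a small Python checker that applies requirements (2), (4) and (5) and the review criteria above to an asset register: it flags entries missing required fields, unknown classification levels, Confidential/Restricted assets without encryption-at-rest, named roles or a retention limit, and entries not reviewed within a year. The register format, field names and sample entries are assumptions constructed for the illustration.

```python
from datetime import date, timedelta

# Classification scheme from the control, ordered least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
REQUIRED_FIELDS = ("name", "classification", "storage_location", "protection_controls")
AS_OF = date(2024, 9, 1)  # constructed "today" for the sample run

def check_asset(asset: dict, today: date) -> list[str]:
    """Return findings for one register entry; an empty list means compliant."""
    findings = [f"missing field '{f}'" for f in REQUIRED_FIELDS if not asset.get(f)]
    level = asset.get("classification")
    if level not in LEVELS:
        findings.append(f"unknown classification {level!r}")
        return findings  # handling rules cannot be applied to an unknown level
    controls = asset.get("protection_controls") or {}
    # Handling rules for Confidential and above: encryption-at-rest,
    # access limited to named roles, and a retention limit (GDPR Art 5(1)(e)).
    if LEVELS.index(level) >= LEVELS.index("Confidential"):
        if not controls.get("encryption_at_rest"):
            findings.append("encryption-at-rest required for Confidential and above")
        if not controls.get("access_roles"):
            findings.append("access must be restricted to named roles")
        if controls.get("retention_days") is None:
            findings.append("retention limit required (GDPR Art 5(1)(e))")
    # Annual review: every entry must have been reviewed within the last year.
    reviewed = asset.get("last_reviewed")
    if reviewed is None or today - reviewed > timedelta(days=365):
        findings.append("entry not reviewed within the last year")
    return findings

def check_register(register: list[dict], today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings."""
    report = {}
    for asset in register:
        findings = check_asset(asset, today)
        if findings:
            report[asset.get("name", "<unnamed>")] = findings
    return report

# Constructed sample register; names and locations are placeholders, not real data.
SAMPLE_REGISTER = [
    {"name": "wallet_users (PostgreSQL)", "classification": "Confidential",
     "storage_location": "pg/prod/wallet_users", "last_reviewed": date(2024, 3, 1),
     "protection_controls": {"encryption_at_rest": True, "retention_days": 730,
                             "access_roles": ["dba", "support-l2"]}},
    {"name": "backups (S3)", "classification": "Restricted",
     "storage_location": "s3://example-backups-bucket", "last_reviewed": date(2022, 1, 15),
     "protection_controls": {"encryption_at_rest": False, "access_roles": []}},
    {"name": "public_docs", "classification": "Secret", "storage_location": "cdn"},
]
```

Calling `check_register(SAMPLE_REGISTER, AS_OF)` reports the backup volume (no encryption-at-rest, no named roles, no retention limit, stale review) and the entry with an unknown level, while the PostgreSQL table passes.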

Components

  • PostgreSQL Database
  • WSCA / HSM

Source References

Framework Requirements

ISO 27001 Annex A: A.5.12, A.5.13