Enforce a standardized classification methodology to determine data sensitivity and support Technology Assets, Applications and Services (TAAS) criticality decisions, enabling appropriate data handling, protection, retention and disposal requirements.
Organizations classify Technology Assets, Applications, Services and Data (TAASD) and implement risk-appropriate handling, protection, retention and disposal safeguards to prevent unauthorized disclosure, modification or misuse of data throughout its lifecycle.
Data protection decisions should flow from classification, not from guesswork about what's sensitive. The DCH domain establishes the classification methodology that determines how TAASD is categorized and what handling, protection, retention and disposal requirements apply to each category. Without a classification scheme, every data protection decision is made ad hoc and the result is inconsistent protections that leave some sensitive data exposed while over-protecting data that requires no special treatment.
The SCF's intent for DCH includes TAAS criticality decisions. Classification isn't just about data; it informs how important a given system is and what availability and protection requirements that system should carry. A system that processes sensitive Personal Data (sPD) or regulated information warrants different controls than an internal wiki with no external access.
DCH is the dependency for several other domains. Data Privacy (PRI), Information Assurance (IAO) and Cryptographic Protections (CRY) all require knowing what data is sensitive before they can specify controls proportionate to that sensitivity. Classification without governance enforcement tends to decay rapidly; this is why DCH includes handling requirements as part of its scope, not just categorization labels.