원클릭으로
data-protection
Data classification (CIA triad), GDPR privacy by design, encryption standards, data lifecycle management
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Data classification (CIA triad), GDPR privacy by design, encryption standards, data lifecycle management
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | data-protection |
| description | Data classification (CIA triad), GDPR privacy by design, encryption standards, data lifecycle management |
| license | Apache-2.0 |
This skill provides comprehensive data protection guidance for the CIA platform, covering data classification, GDPR privacy by design, encryption standards, and data lifecycle management. It ensures political intelligence data is handled according to Hack23 ISMS classification and data protection policies.
Apply this skill when:
Do NOT use for:
Classification Levels (Hack23 ISMS)
│
├─ PUBLIC
│ ├─ Parliamentary voting records
│ ├─ Published committee documents
│ ├─ Official election results
│ └─ World Bank economic indicators
│
├─ INTERNAL
│ ├─ Aggregated analysis results
│ ├─ Risk scoring algorithms
│ ├─ Platform usage analytics
│ └─ System configuration data
│
├─ CONFIDENTIAL
│ ├─ User account credentials
│ ├─ Session tokens and API keys
│ ├─ Audit logs with user actions
│ └─ Internal security assessments
│
└─ RESTRICTED
├─ Database credentials
├─ Encryption keys (KMS)
├─ AWS access credentials
└─ Security incident data
Data Classification Decision
│
├─→ Is it publicly available from official sources?
│ ├─ YES → PUBLIC
│ └─ NO ↓
│
├─→ Does it contain personal identifiers?
│ ├─ YES → CONFIDENTIAL (minimum)
│ └─ NO ↓
│
├─→ Is it a credential, key, or secret?
│ ├─ YES → RESTRICTED
│ └─ NO ↓
│
└─→ Is it internal analysis or configuration?
├─ YES → INTERNAL
└─ NO → Assess case-by-case
// ✅ SECURE: Minimize personal data in analysis
@Service
public class PoliticianAnalysisService {
public PoliticianSummary analyzePolitician(String personId) {
// Only retrieve fields needed for analysis
PoliticianData data = repository.findPublicDataById(personId);
// Never include unnecessary personal details
return PoliticianSummary.builder()
.personId(personId)
.votingRecord(data.getVotingRecord())
.committeeAssignments(data.getCommittees())
.partyAffiliation(data.getParty())
.build();
// Excluded: personal address, phone, private email
}
}
// ❌ INSECURE: Over-collection of personal data
public PoliticianData getAllPersonalData(String personId) {
return repository.findById(personId); // Returns ALL fields
}
| GDPR Right | CIA Platform Implementation |
|---|---|
| Right to access (Art. 15) | User data export endpoint |
| Right to rectification (Art. 16) | Profile update mechanism |
| Right to erasure (Art. 17) | Account deletion with cascade |
| Right to restrict (Art. 18) | Account deactivation option |
| Right to portability (Art. 20) | JSON/CSV data export |
| Right to object (Art. 21) | Opt-out of analytics processing |
Encryption Requirements by Classification
│
├─ PUBLIC → No encryption required
├─ INTERNAL → AES-256 recommended
├─ CONFIDENTIAL → AES-256 required (AWS KMS)
└─ RESTRICTED → AES-256 + envelope encryption (KMS CMK)
// Column-level encryption for sensitive fields
@Entity
@Table(name = "application_user")
public class ApplicationUser {
@Column(name = "username")
private String username; // PUBLIC - no encryption
@Column(name = "email")
@Convert(converter = EncryptedStringConverter.class)
private String email; // CONFIDENTIAL - encrypted
@Column(name = "password_hash")
private String passwordHash; // Already hashed (bcrypt)
}
| Data Type | Retention Period | Action at Expiry |
|---|---|---|
| Voting records | Indefinite | Archive (public record) |
| User sessions | 30 days | Automatic deletion |
| Audit logs | 2 years | Archive to cold storage |
| User accounts | Until deletion request | Anonymize + delete |
| API cache | 24 hours | Automatic expiry |
| Analytics data | 1 year | Aggregate + anonymize |
// Implement secure deletion for user data
@Service
public class DataDeletionService {
@Transactional
public void deleteUserAccount(Long userId) {
// 1. Remove personal data
userRepository.anonymizeUser(userId);
// 2. Delete session data
sessionRepository.deleteByUserId(userId);
// 3. Audit the deletion (GDPR compliance)
auditService.logDeletion(userId, "GDPR erasure request");
// 4. Remove from caches
cacheManager.evict("user:" + userId);
}
}
| Control | Requirement | Implementation |
|---|---|---|
| ISO 27001 A.5.12 | Classification of information | Data classification labels |
| ISO 27001 A.5.33 | Protection of records | Retention policy enforcement |
| ISO 27001 A.8.10 | Information deletion | Secure deletion procedures |
| ISO 27001 A.8.24 | Use of cryptography | AES-256, TLS 1.2+ |
| NIST CSF PR.DS | Data security | Encryption at rest/transit |
| GDPR Art. 25 | Data protection by design | Privacy impact assessments |