一键导入
classification-framework-enforcement
Data classification enforcement, sensitivity labeling, and handling controls per classification level for the CIA platform
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Data classification enforcement, sensitivity labeling, and handling controls per classification level for the CIA platform
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Identity and access management: RBAC, least privilege, MFA, quarterly reviews per ISO 27001 A.5.15, A.8.2, A.8.3
Business continuity and disaster recovery: 30-day retention, quarterly restore tests, RTO/RPO targets per ISO 27001 A.17
Political psychology, cognitive biases, group dynamics, leadership analysis, decision-making patterns for Swedish political intelligence
Risk-based data and asset classification framework: PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED aligned with ISO 27001 A.5.12 and CIA triad
Unified compliance verification across ISO 27001, NIST CSF, CIS Controls, NIS2, EU CRA, GDPR, SOC 2, PCI DSS, and HIPAA for cybersecurity consulting
Cryptographic controls implementation: TLS 1.3, AES-256-GCM, bcrypt, RSA-4096, key management per NIST FIPS 140-2 and ISO 27001 A.8.24
| name | classification-framework-enforcement |
| description | Data classification enforcement, sensitivity labeling, and handling controls per classification level for the CIA platform |
| license | Apache-2.0 |
This skill provides guidance for enforcing data classification across the Citizen Intelligence Agency platform. It defines classification levels, sensitivity labeling requirements, and mandatory handling controls for each level to ensure consistent data protection aligned with ISMS requirements.
Apply this skill when:
Do NOT use for:
| Level | Label | Description | Examples in CIA |
|---|---|---|---|
| Public | 🟢 PUBLIC | Freely available information | Published Riksdag votes, public politician profiles, World Bank indicators |
| Internal | 🟡 INTERNAL | For authorized users only | Aggregated analytics, risk scores, trend analysis |
| Confidential | 🟠 CONFIDENTIAL | Restricted access, business-sensitive | User accounts, email addresses, session data |
| Restricted | 🔴 RESTRICTED | Highest protection, regulatory requirements | Passwords, API keys, encryption keys, GDPR-protected PII |
New Data Element
│
├─→ Is it publicly available from source?
│ ├─→ YES → Is it aggregated/analyzed by CIA?
│ │ ├─→ YES → 🟡 INTERNAL
│ │ └─→ NO → 🟢 PUBLIC
│ └─→ NO
│
├─→ Is it user-provided personal data?
│ ├─→ YES → Is it authentication/credential data?
│ │ ├─→ YES → 🔴 RESTRICTED
│ │ └─→ NO → 🟠 CONFIDENTIAL
│ └─→ NO
│
├─→ Is it a system secret (key, token, password)?
│ ├─→ YES → 🔴 RESTRICTED
│ └─→ NO
│
└─→ Is it internal analysis or derived data?
├─→ YES → 🟡 INTERNAL
└─→ NO → 🟢 PUBLIC (default to least restrictive only if certain)
| Control | Requirement |
|---|---|
| Storage | Standard database storage |
| Transmission | HTTPS preferred but not mandatory for read-only |
| Logging | Can be logged freely |
| Caching | Can be cached without restrictions |
| Display | No restrictions on UI display |
| Export | Can be exported freely |
| Retention | Follow data source policies |
| Backup | Standard backup procedures |
| Control | Requirement |
|---|---|
| Storage | Standard database with access controls |
| Transmission | HTTPS required |
| Logging | Can be logged, no sensitive aggregation details |
| Caching | Can be cached with TTL limits |
| Display | Requires authenticated session |
| Export | Requires authentication |
| Retention | 1 year default, review annually |
| Backup | Standard backup with access controls |
| Control | Requirement |
|---|---|
| Storage | Encrypted at rest (AES-256) |
| Transmission | TLS 1.2+ required |
| Logging | Never log confidential field values |
| Caching | In-memory only, short TTL, no disk cache |
| Display | Masked by default, reveal on explicit action |
| Export | Restricted, requires authorization |
| Retention | Minimum necessary, max 3 years |
| Backup | Encrypted backup, restricted access |
| Access | Role-based, principle of least privilege |
| Control | Requirement |
|---|---|
| Storage | Encrypted at rest + application-level encryption |
| Transmission | TLS 1.2+ with certificate validation |
| Logging | Absolutely never log — not even existence |
| Caching | Never cache |
| Display | Never display in plaintext |
| Export | Prohibited without explicit authorization |
| Retention | Minimum necessary, auto-expire where possible |
| Backup | Encrypted, separate access controls |
| Access | Strict need-to-know, multi-factor authentication |
| Key Management | HSM or AWS KMS, regular rotation |
@Entity
@Table(name = "application_user")
public class ApplicationUser {
@Column(name = "username")
// Classification: CONFIDENTIAL — user-provided, non-public
private String username;
@Column(name = "email")
// Classification: CONFIDENTIAL — PII under GDPR
private String email;
@Column(name = "password_hash")
// Classification: RESTRICTED — credential data
private String passwordHash;
}
// DO: Log classification-safe data only
log.info("Processing politician data for id: {}", politicianId); // PUBLIC id
// DON'T: Log CONFIDENTIAL or RESTRICTED data
// log.info("User login: email={}, password={}", email, password);
// DO: Use placeholder for CONFIDENTIAL data
log.info("User action completed for user id: {}", userId);
// PUBLIC/INTERNAL: Standard caching allowed
@Cacheable(value = "politicians", key = "#id")
public Politician findPoliticianById(String id) { ... }
// CONFIDENTIAL: Short TTL, in-memory only
@Cacheable(value = "userProfiles", key = "#userId",
cacheManager = "shortLivedCacheManager")
public UserProfile findUserProfile(String userId) { ... }
// RESTRICTED: Never cache
// No @Cacheable annotation — always fetch from secure storage
public String getApiKey(String serviceId) { ... }
External APIs (Riksdag, World Bank) ──→ Service Layer ──→ Database
🟢 PUBLIC data Classification Labeled
enforcement storage
│
▼
User Browser ◄──── Vaadin UI ◄──── Service Layer
Display Encoding Access control
controls applied enforced
| From → To | Allowed Classifications | Controls Required |
|---|---|---|
| External API → Service | PUBLIC | Input validation |
| Service → Database | All | Encryption for CONFIDENTIAL+ |
| Database → Service | All | Access control check |
| Service → UI | PUBLIC, INTERNAL, CONFIDENTIAL | Output encoding, masking |
| Service → Logs | PUBLIC, INTERNAL only | Never log CONFIDENTIAL+ |
| Service → Cache | PUBLIC, INTERNAL, Confidential (short TTL) | Never cache RESTRICTED |
| Any → External | PUBLIC only | Data export review |
| Classification Control | ISO 27001 | NIST CSF | GDPR |
|---|---|---|---|
| Data Classification | A.5.12, A.5.13 | ID.AM-5 | Art. 5(1)(f) |
| Labeling | A.5.13 | PR.DS-3 | Art. 30 |
| Access Control | A.5.15, A.8.3 | PR.AC-4 | Art. 25 |
| Encryption | A.8.24 | PR.DS-1 | Art. 32 |
| Logging Controls | A.8.15 | DE.AE-3 | Art. 30 |
| Retention | A.5.33 | PR.IP-6 | Art. 5(1)(e) |
| Data Transfer | A.5.14 | PR.DS-2 | Art. 44-49 |