(Source: Microsoft SQL Server 2012 Unleashed)
For example, an organization's PR materials have low sensitivity and are publicly available. For such content, you would probably want only minimal controls, enough to prevent unauthorized modification. An organization's employee payroll information, on the other hand, is highly sensitive, and internal access to it is very limited. For such content, you would deploy rigorous security controls: encryption of data on the wire and at rest, tightly limited read/write access, auditing, intrusion detection, and so on.
Two key challenges in implementing a good risk management strategy in your organization are:
1. Identify where all of the organization's data resides (identify the data)
2. Identify who has access to each data item (identify the access)
These two items sound simple, but in reality they are not: most organizations struggle to answer them fully. Nevertheless, once you overcome these challenges, the next critical step is to quantify the risk associated with each data item: what would the impact be if a given data item were compromised? The matrix above could be the starting point.
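For step 2 in a SQL Server database, the following query is an added example, not code from the book: it inventories which database principals hold explicit object or column permissions, expanding role membership (including nested roles) so that access inherited through a role is reported against the user who actually has it. It assumes SQL Server 2012 or later catalog views and runs in the context of the database being reviewed.

```sql
-- Added example (not from the book): who holds which explicit object/column
-- permissions in the current database, with role membership expanded.
-- Caveats: fixed roles (db_owner, db_datareader, ...) and server-level sysadmin
-- confer access without rows in sys.database_permissions, and DENY precedence
-- is not resolved here; treat the result as the raw access inventory.
WITH RoleTree AS (
    -- direct role memberships
    SELECT rm.member_principal_id AS member_id,
           rm.role_principal_id   AS role_id
    FROM sys.database_role_members AS rm
    UNION ALL
    -- roles nested inside other roles (recursive step)
    SELECT rt.member_id, rm.role_principal_id
    FROM RoleTree AS rt
    JOIN sys.database_role_members AS rm
      ON rm.member_principal_id = rt.role_id
),
Holds AS (
    -- a principal effectively holds its own grants ...
    SELECT principal_id AS holder_id, principal_id AS grantee_id
    FROM sys.database_principals
    UNION
    -- ... plus the grants of every role it belongs to (UNION de-duplicates paths)
    SELECT member_id, role_id FROM RoleTree
)
SELECT
    holder.name                        AS effective_principal,
    holder.type_desc                   AS principal_type,
    grantee.name                       AS via_grantee,   -- the user itself or a role
    s.name + '.' + o.name              AS qualified_name,
    o.type_desc                        AS object_type,
    COALESCE(c.name, '(whole object)') AS column_name,
    perm.permission_name,
    perm.state_desc                    AS grant_state    -- GRANT / GRANT_WITH_GRANT_OPTION / DENY
FROM sys.database_permissions AS perm
JOIN Holds AS h ON h.grantee_id = perm.grantee_principal_id
JOIN sys.database_principals AS holder  ON holder.principal_id  = h.holder_id
JOIN sys.database_principals AS grantee ON grantee.principal_id = h.grantee_id
JOIN sys.objects AS o ON o.object_id = perm.major_id
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
LEFT JOIN sys.columns AS c
  ON c.object_id = perm.major_id
 AND c.column_id = perm.minor_id
 AND perm.minor_id <> 0                           -- minor_id <> 0 means a column-level grant
WHERE perm.class = 1                              -- 1 = OBJECT_OR_COLUMN
  AND holder.type_desc <> 'DATABASE_ROLE'         -- report members, not the roles themselves
ORDER BY qualified_name, effective_principal, perm.permission_name;
```

Joining the output against a per-table sensitivity classification (for example, tagging the payroll tables as high sensitivity) turns it directly into the "who can reach what" view the two challenges ask for.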
More on quantifying risk in a future post!