For example, a rule-based policy will contain a statement like this: “No person shall access data that is classified at a level higher than their current role.” A risk-based policy, by contrast, may state something like this: “Risks associated with data availability, confidentiality and integrity shall be classified by the business process owner and mitigated by adhering to templates, forms and documents that support the security process.”
The premise of the article is to utilize a risk-based approach in which the system owner has a certification and accreditation process allowing for risk assessment, management, and cost benefit analysis.
Key to this approach is classifying all data in the enterprise against a predetermined standard. For example, data owners would classify the value of their data as low, medium, or high for each of confidentiality, integrity, and availability.